I've been using Authy for TOTP in conjunction with Bitwarden Premium for passwords.
I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.
I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.
I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.
Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?
Just beware of the lock-in with Authy because they make it impossible to export your TOTP secrets for "security" reasons. There was a method to do it by running some code but they patched up those API endpoints recently.
I've done another round of research into Authy and I see what you mean. I was aware that some people don't like Authy because they object in principle to multi-device sync altogether, which I understand but am not willing to live with; I also knew that Twilio had been hacked before. But I hadn't thought so much about the lock-in and the elevated risk for getting locked out if Twilio goes kaput.
So, features that I want in a TOTP app:
* Backup to cloud. If all my devices are lost/destroyed at the same time, I want recovery to be possible using information I store offsite.
* Backups not stored to my own iCloud or Google Drive, which are frequently accessed from my own devices.
* Export of codes possible from the installed app so that if the vendor goes away I can migrate.
* Not published by Bitwarden. I'm happy with Bitwarden, but I would prefer that the vendor I use for TOTP be distinct from my password manager vendor.
I migrated off Authy due to this lock-in behaviour on to Bitwarden Authenticator, then realised that there's no sync. There is a backup and export though. Might have to give Ente Auth a try next.
I have a second yubikey which I keep in a safe and every time I set up the primary yubikey on an account I also make sure to enroll the backup one too. I'm not likely to have mine stolen so I don't keep the spare offsite, it's more insurance in case I lose it. I also have an airtag attached to the primary key for the same reason.
I was hoping that by enrolling the first key, the offsite backup would also be enrolled. Is that impossible? I don't want two distinct keys so much as I want two copies of the same key (akin to spare house keys).
If I'm unlucky enough to have a house fire (which has happened in my extended family), I would like it if my MFA access was not among the items irretrievably lost.
I got two Yubikeys but ended up never using them. I've also considered keeping the second one in a safety deposit box, but realized that that would defeat the purpose since you also need a key to access the safety deposit box.
I still have Google Authenticator on my phone, but I hadn't been using it. I see that you now must choose between using it "with an account", in which case your codes are saved "to your account", or using it without an account. I just installed Google Authenticator onto my tablet, selected that I would "continue as [Google Account]", and voila, there are all my codes.
I presume that if you use it "without an account", the codes are not backed up, although I'm not going to test that now.
I am curious what backed up "to your account" means. I'm often logged into Google on my laptop — is it possible to access the TOTP codes from there? If my laptop is hacked it would be a disaster, and I at least want to reduce the blast radius so that accounts requiring MFA are out of reach to the hacker unless they also hack my phone or tablet.
2. There's a strong possibility that if my laptop gets compromised my Google account will be compromised simultaneously.
3. I try (often in vain) to limit my Google exposure because if I lose access to my Google account, it will be hard to get it back due to Google's limited support offerings.
Please use 1Password, it syncs between everywhere you want and supports TOTP. When I log into LinkedIn, it only takes one click and it autofills and autosubmits everything, including TOTP.
[1] https://www.yubico.com/products/spare/