Bitwarden Authy




The free version of Bitwarden gets the basics right and doesn’t cost a thing, but it lacks a few features that make 1Password such a standout option, including password checkups and breach reports. Bitwarden is ranked 2nd while Myki: Offline Password Manager & Authenticator is ranked 11th. Offers 2FA with Authy, Google Authenticator or via email. Additionally, the Pro Version has Duo Security with Duo Push, SMS, phone call, and U2F security keys: YubiKey (any 4 series device or YubiKey NEO) and FIDO U2F (any FIDO U2F certified key).

Two-factor authentication (2FA) is the best way to protect yourself online.

Defeat cyber criminals & avoid account takeovers with stronger security, for free!

Why use Two-Factor Authentication

Relying on just usernames and passwords to secure your online accounts is no longer considered safe. Data breaches occur daily and hackers are always inventing new ways to take over your accounts. Protect yourself by enabling two-factor authentication (2FA). This blocks anyone using your stolen data by verifying your identity through your device. Enable 2FA now to protect your accounts online.

Some feedback from our millions of users

First tweet from my new iPhone X! After finally getting it activated, moved 20ish accounts from Google Auth to @Authy - best decision today!

— David Ker (@snappy316) November 3, 2017

I've moved to @Authy for syncing my 2FA tokens between devices, using a backup file encryption password.

— 🦄 (@SwiftOnSecurity) August 2, 2016

I love @Authy

— Troy Hunt (@troyhunt) July 26, 2016

An increasing number of applications use Authy for two-factor authentication. However, many users who aren't using Authy have their own authenticator set up already and do not wish to use two applications for generating passwords.

Since I use 1Password for all of my password storing/generating needs, I was looking for a solution to use Authy passwords on that. I couldn't find any completely working solutions; however, I stumbled upon a gist by Brian Hartvigsen. His post included some neat code to generate QR codes (beware, through Google) for you to use on your favorite authenticator.

His method is to extract the secret keys using Authy's Google Chrome app via Developer Tools. If this was not possible, I guess people would be reverse engineering the Android app or something like that. But when I tried that code, nothing appeared on the screen. My guess is that Brian used the code to extract the keys that weren't necessarily tied to Authy.

I had to adapt the code a little and you can see the result below, but here's what I discovered about Authy's method:

  • They use the exact same algorithm to generate passwords as Google Authenticator and similar (TOTP)
  • The passwords are one digit longer - 7 digits (usually they're 6, with exceptions), but if you've looked at one of the Authy generated passwords already, you probably noticed it too
  • The password validity period is 10 seconds (instead of the usual 30). Authy shows 20 seconds, but that means a slightly different thing. Don't substitute a longer period in your authenticator.
  • Authy's secret keys are in hex already, so they need to be turned back to base32 for working QR codes

So as long as you have an authenticator that supports passwords longer than 6 digits and custom time periods, then congratulations, you can use the following method. If you are not sure, scan this code with your authenticator to test. Don't forget to delete it afterwards. The code should have 7 digits and should change every 10 seconds.
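The parameters listed above, worked through as an added example (this is not the code from the original post or from Authy): it re-encodes a hex secret as base32, builds an `otpauth://` URI with `digits=7` and `period=10`, and computes the matching TOTP value. It assumes HMAC-SHA1, the default for Google Authenticator style TOTP; the function names are hypothetical and the sample secret is the public RFC 6238 test key, not a real token.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

AUTHY_DIGITS = 7    # Authy codes are 7 digits, per the list above
AUTHY_PERIOD = 10   # and rotate every 10 seconds


def hex_to_base32(hex_secret: str) -> str:
    """Re-encode a hex secret as the unpadded base32 that otpauth URIs expect."""
    raw = bytes.fromhex(hex_secret.strip())
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def otpauth_uri(label: str, hex_secret: str) -> str:
    """Build a Key URI that carries the non-default digits and period."""
    return (
        f"otpauth://totp/{quote(label)}?secret={hex_to_base32(hex_secret)}"
        f"&digits={AUTHY_DIGITS}&period={AUTHY_PERIOD}"
    )


def totp(hex_secret: str, unix_time: int,
         digits: int = AUTHY_DIGITS, period: int = AUTHY_PERIOD) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, assumed) with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(bytes.fromhex(hex_secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key ("12345678901234567890") in hex,
    # standing in for a secret in the hex form described above. Not a real token.
    sample_hex = "3132333435363738393031323334353637383930"
    print(otpauth_uri("Example:alice", sample_hex))
    print(totp(sample_hex, 59))
```

An authenticator that ignores the `digits` and `period` parameters and falls back to 6 digits and 30 seconds will show codes that the service rejects, which is why the compatibility lists below matter.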

Known to work:

  • 1Password for OS X
  • 1Password for iOS
  • Google Authenticator

Known not to work:

  • 1Password for Windows (doesn't support other digit counts and timeouts yet)
  • Authy for iOS (doesn't support other timeouts than 30s, the irony!)

Ok, that's nice, but I want to get rid of Authy now

This method has only one gotcha: if you want to add a new service that relies on Authy, you will need to run Authy again. I am assuming you know how to use Authy and have some services added already. You can probably get rid of Authy on your phone and log in to Authy on your Chrome app using SMS, or keep it permanently disabled under your extensions once you have logged in. In that case, set a master password for Authy and stay secure.

  1. Install Authy from the Chrome Web Store
  2. Open Authy and log in, so you can see the codes being generated for you
  3. Go to the Extensions page in your browser (chrome://extensions/ or Menu -> More tools -> Extensions)
  4. Tick Developer mode in the top right corner
  5. Find Authy in the list and then click on main.html
  6. Chrome developer tools with Console selected should open. If it didn't, go to the Console tab.
  7. Paste the following and press Enter:
  8. All your Authy tokens will be displayed in the Console; either copy-paste the TOTP URI, or click the QR code URLs to scan them.
  9. Close the opened window and developer tools.
  10. Disable the Authy app in Chrome or remove it
  11. Disable Developer mode


Resources used for getting correct codes


Other notes

  • I am not responsible for your actions.
  • I am sure someone has already discovered everything I wrote before, but I couldn't find anything written about it in detail. I didn't invent anything new here.
  • The code is a horrible hack; it works for what it does and that's the important bit. Improvements are welcome.
  • If anyone from Authy reads this - security shouldn't rely on obfuscation or hiding of any sort and should take advantage of freedom of choice where possible. I love the idea of the keys being tied to one's phone number and making this system easy to use for everyone, but please make these URIs exportable to other applications if users wish to do so - it's possible as demonstrated above and you probably know it. Transparency is what makes this system secure. If you don't wish to do that, then please don't break this method of acquiring keys.