Authy Bitwarden

Whenever there is a security breach, everyone likes to point to “Have I Been Pwned.”

🔑 Bitwarden two-factor authentication options. Bitwarden offers a variety of two-factor authentication methods, though not all of them are available for free, and you can enable more than one according to your needs: an authenticator app such as Google Authenticator or Authy; email; Duo Security; YubiKey; and FIDO U2F (including the $20 YubiKey). Log in to your Bitwarden vault on any app with your email address and master password, and you will be prompted to enter the 6-digit verification code from your authenticator app. Open your authenticator app and find the 6-digit verification code for your Bitwarden vault.

It’s for a good reason.

The guy who runs it is a “rock star” in the internet security world, but that doesn’t mean much to most people, so let me show you why you should trust Have I Been Pwned (HIBP).


Disclosure: I’m NOT being paid to write this. I don’t know the owner of HIBP and never met him. This is just the research I’ve done to find out if this site is trustworthy.

Who Owns HaveIBeenPwned?

Troy Hunt owns HaveIBeenPwned.

Personal site: https://www.troyhunt.com/

Twitter: https://twitter.com/troyhunt

YouTube: https://www.youtube.com/user/troyhuntdotcom

Who Is Troy Hunt?

Troy Hunt is an Australian web security expert. To learn more, check out his Wikipedia page.

Most notable is that Microsoft awarded him “Microsoft Most Valuable Professional” in 2011.

HaveIBeenPwned History


HaveIBeenPwned was created in 2013. The thing that pushed HaveIBeenPwned to life was the Adobe breach in 2013. The Adobe breach had 153 million accounts compromised.


As Troy often does, he was analyzing data breaches for patterns. He realized this data was easy for him to get hold of, but for the average person it was unfeasible. Troy wanted everyday people to be able to check whether their data was in a breach, so he created HaveIBeenPwned.

HaveIBeenPwned allows anyone to check whether their email address has ever appeared in a breach. If it has, they can take action to secure their accounts again. Troy also added a way to check your passwords to see whether they have appeared in any breaches too.

HaveIBeenPwned Controversy

There was a bit of controversy around HaveIBeenPwned during the Ashley Madison breach.

There were sites created overnight to check whether your email was in this breach. Since Ashley Madison was a site for cheating spouses, this provided an easy way to check whether your partner was using it.

HaveIBeenPwned got wrapped up in this but did all the right things: you had to verify you owned the email address before it would reveal whether that address was in the breach.

Other sites did not do this and outed many people.

Because the media wanted a fast headline, HaveIBeenPwned got wrapped up in this. To be clear, HaveIBeenPwned did the right thing by not exposing the sensitive data from this breach.

Who Uses HaveIBeenPwned

I feel it’s important to point out which companies use HaveIBeenPwned. Many of these companies would have a lot to lose if HaveIBeenPwned were not trustworthy.

HaveIBeenPwned offers a way for other companies to query its database to check whether customers’ login data has been compromised. This is very useful for password managers and sign-up pages.

1Password – https://blog.1password.com/finding-pwned-passwords-with-1password/

Bitwarden – https://blog.bitwarden.com/have-you-been-pwned-7051d64e685b

Firefox web browser – https://www.infosecurity-magazine.com/news/mozilla-pwned-function-firefox/

U.K. and Australian governments – https://techcrunch.com/2018/03/02/uk-and-australian-governments-now-use-have-i-been-pwned/

What Real People Are Saying

Seeing what real people say about HaveIBeenPwned is worth a look, if you ask me. I’ve listed a few Reddit posts that help back up the claim that HaveIBeenPwned is safe to use.

Have I been pwned? Check if your email has been compromised in a data breach

What Other Sites Are Saying

Let’s not forget what other sites say about HaveIBeenPwned. Spoiler: It’s all good things!

Digitaltrends – https://www.digitaltrends.com/computing/best-websites-for-finding-out-if-youve-been-hacked/

CNET – https://www.cnet.com/how-to/find-out-if-your-passwords-been-hacked/

dailymail.co.uk – https://www.dailymail.co.uk/sciencetech/article-4767562/Have-PWNED-Site-reveals-password-safe.html

makeuseof – https://www.makeuseof.com/tag/hacked-email-account-checking-tools-genuine-scam/


Forbes – https://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#50d20e403763

PCWorld – https://www.pcworld.com/article/2070080/new-website-lets-users-check-if-their-online-credentials-were-exposed-in-large-data-leaks.html

How Does HaveIBeenPwned Make Money?

The old saying goes, “if you’re not paying for it, then you’re the product.” So how does HaveIBeenPwned make money?

The first way HaveIBeenPwned makes money is from donations. If you have used the service in the past, please consider donating, as it does help.

HaveIBeenPwned also has a partnership with 1Password.

1Password is a password manager, and it makes perfect sense to partner with HaveIBeenPwned. Troy Hunt says he used 1Password years before they ever became a partner.

It’s smart to partner with a password manager because it’s the next step to take after finding out you’ve been in a breach.

I’m not aware of any other ways HaveIBeenPwned makes money. I know many people may be thinking that they could sell the information inside the database. While at first that might seem like a great idea, it’s not: the data HaveIBeenPwned gets is already in the public domain, so anyone can grab it and do whatever they want with it. There is no need to sell data that can be had for free somewhere else.

An increasing number of applications use Authy for two-factor authentication. However, many users who aren’t using Authy already have their own authenticator set up and do not wish to use two applications for generating one-time passwords.

Since I use 1Password for all of my password storing and generating needs, I was looking for a way to use Authy tokens there. I couldn’t find any completely working solution, but I stumbled upon a gist by Brian Hartvigsen. His post came with a neat piece of code to generate QR codes (beware: it generates them through a Google service) for you to use in your favorite authenticator.

His method extracts the secret keys from Authy’s Google Chrome app via Developer Tools. If that were not possible, I guess people would be reverse engineering the Android app or something like that. But when I tried that code, nothing appeared on the screen. My guess is that Brian used the code to extract keys that weren’t necessarily tied to Authy.

I had to adapt the code a little, and you can see the result below, but here’s what I discovered about Authy’s method:

  • They use exactly the same algorithm to generate codes as Google Authenticator and similar apps (TOTP, RFC 6238)
  • The codes are one digit longer: 7 digits (usually they’re 6, with exceptions). If you’ve looked at an Authy-generated code already, you probably noticed this too
  • The validity period is 10 seconds (instead of the usual 30). Authy displays 20 seconds, but that means something slightly different. Don’t set a longer period in your authenticator
  • Authy’s secret keys are already in hex, so they need to be converted back to base32 for working QR codes


So as long as you have an authenticator that supports codes longer than 6 digits and custom time periods, congratulations, you can use the following method. If you are not sure, scan this code with your authenticator to test. Don’t forget to delete it afterwards. The code should have 7 digits and should change every 10 seconds.

Known to work:


  • 1Password for OS X
  • 1Password for iOS
  • Google Authenticator

Known not to work:

  • 1Password for Windows (doesn't support other digit counts and timeouts yet)
  • Authy for iOS (doesn't support other timeouts than 30s, the irony!)

Ok, that's nice, but I want to get rid of Authy now

This method has only one gotcha: if you want to add a new service that relies on Authy, you will need to run Authy again. I am assuming you know how to use Authy and have some services added already. You can probably get rid of Authy on your phone and log in to Authy in your Chrome app using SMS, or keep it permanently disabled under your extensions once you have logged in. In that case, set a master password for Authy and stay secure.

  1. Install Authy from the Chrome Web Store
  2. Open Authy and log in, so you can see the codes being generated for you
  3. Go to the Extensions page in your browser (chrome://extensions/ or Menu -> More tools -> Extensions)
  4. Tick Developer mode in the top right corner
  5. Find Authy in the list and then click on main.html
  6. Chrome Developer Tools should open with Console selected. If it didn’t, go to the Console tab.
  7. Paste the following and press Enter:
  8. All your Authy tokens will be displayed in the Console; either copy-paste the TOTP URI, or click the QR code URLs to scan them.
  9. Close the opened window and Developer Tools.
  10. Disable the Authy app in Chrome or remove it
  11. Disable Developer mode

Resources used for getting correct codes

Other notes


  • I am not responsible for your actions.
  • I am sure someone has already discovered everything I wrote before, but I couldn’t find anything written about it in detail; I didn’t invent anything new here
  • The code is a horrible hack; it works for what it does and that’s the important bit. Improvements are welcome
  • If anyone from Authy reads this: security shouldn’t rely on obfuscation or hiding of any sort, and should take advantage of freedom of choice where possible. I love the idea of the keys being tied to one’s phone number and making this system easy to use for everyone, but please make these URIs exportable to other applications if users wish to do so. It’s possible, as demonstrated above, and you probably know it. Transparency is what makes this system secure. If you don’t wish to do that, then please don’t break this method of acquiring keys.