We all use closed source every day, but when it comes to an app that literally handles your secrets, like your password manager or a TOTP app, this is a bridge too far. The public source requirement is full stop essential. If you choose to use an external TOTP app for whatever reason, I have two requirements for suitability: it needs to be open source (well, at least public, like Bitwarden), and it needs to let you export and import your TOTP keys.
Which approach do you feel will minimize your overall risk?
Everyone has a risk profile, which is a subjective unquantifiable assessment of their risk, which changes over time. And if you have your TOTP keys in a separate app on the same device, you have done very little to mitigate that risk: if someone has compromised your device, putting the secrets in a different app is nothing more than empty theater. Others point out that the only risk there is from poor opsec, including malware.
Some are adamant that it is safer not to have their TOTP keys in the same place as the rest of their secrets. There is no consensus on the suitability of Bitwarden Authenticator.
0 kommentar(er)
