
KeePassXC[1] password manager supports TOTP and I use it for that purpose in addition to storing passwords. It never made sense to me to use an app like Authy.

I suspect most people make the assumption that an Authenticator app is something special that needs to talk to the service that issued the QR code/secret string.

It's nothing more than a SHA1 hash of a secret string and an adjusted current time.

[1] <https://keepassxc.org>
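The comment above describes the whole mechanism; as an added illustration (not code from the poster or from KeePassXC), here is RFC 6238 TOTP written out in plain Python: HMAC-SHA1 over the secret and the 30-second time-step counter, dynamic truncation, then a verifier that accepts one step of clock drift and compares in constant time. The base32 helper and the `verify` window are my assumptions about how a checking side would use it; the test values are the RFC 4226/6238 vectors for the ASCII secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the 'adjusted current time' is just floor(unix_time / step)."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now // step), digits)


def secret_from_base32(b32: str) -> bytes:
    """otpauth:// URIs and QR codes carry the secret as base32, often unpadded,
    lowercase or space-grouped; normalise before decoding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify(secret: bytes, code: str, now=None, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check (assumed usage): accept the current step plus
    `window` steps either side for clock drift, comparing in constant time."""
    if now is None:
        now = time.time()
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo: the RFC test secret, not a real credential.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(demo))                    # code for the current 30 s step
    print(verify(demo, totp(demo)))      # True
```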



KeePassXC also has a CLI interface suitably named keepassxc-cli, so for TOTP in the terminal it's something like:

   keepassxc-cli show -q "$KEEPASS_DB_FILE" "$ENTRY_NAME" --totp
   <type password>
   <prints totp>

edit: doubly so specifically regarding Authy since they're discontinuing it on the desktop in a few months.


The keepassxc CLI reopens the database separately; it's actually possible to use git-credential-keepassxc† to do the scripting instead because it acts more like a browser (so it interacts with the already running instance of KeePassXC).

https://github.com/frederick888/git-credential-keepassxc


They are discontinuing Authy Desktop in 3 weeks (March 19th), brought forward (!) from August. https://help.twilio.com/articles/19753631228315


For me it’s separation of secrets. If my vault is exposed they won’t be able to log in without the codes. Putting it all in one place is a bad idea, some may think.


1Password wrote a blog post stating something similar. Basically it comes down to if you're using TOTP as a true second factor. If you are it really shouldn't even be accessible from the same device.

https://blog.1password.com/totp-and-1password/


I suspect most people aren't though. Most people are just being forced or nudged into using it. The main purpose for platform providers to push TOTP is probably consumers reusing passwords leading to account compromise, but if you are using a password manager, you can generate high entropy single-use passwords which don't really have that problem.


A TOTP protects you against a replay of your password after it's typed into a compromised computer.


What if you lost or somehow broke the phone? You'll be locked out of your stuff faster than you'd expect. If you back it up to a cloud service, are you sure you can recover it without the TOTP? If you are backing it up to your computer, then it's already on your computer and will probably be compromised when your vault is, so you might as well use your vault anyway.


I load my TOTP tokens into two phones, one that stays at home fully charged. If I lose them, I can easily reset my TOTP with any reasonable provider - I have the account login and password, and can authenticate with my email/provide proof of identity.


Yeah, that's why I also don't use the OTP features in Bitwarden (Premium), despite using the software as my password manager.

On my computer, I also use a distinct password to protect my pass-otp secrets.


The conflict between single point of authentication and single point of failure is intractable. Just pick a poison based on which is less likely to fuck you over.


You can have one database for passwords and another for OTP.


I only use KeePassXC for TOTPs now. Note it can work on Android too. There is often no good way to back up phone authentication apps without a cloud service, which is a problem if I ever lost or broke my phone, and it requires me to use a separate device when using my computer, which I'd rather not do.

Autofill can save you a lot of time if you prefer to usually stay logged out of websites (auto-deleting cookies, for example) but need to log in sometimes.


For anyone new to KeePassXC, do check out the auto-type feature. You can trigger it (through a keyboard shortcut) to type the TOTP digits.



