Password Manager & TOTP generator
-
I really like the Vivaldi browser. But for TOTP, I have to install an additional extension such as Bitwarden. I hope that in the future, Vivaldi will provide a built-in TOTP Generator so we won’t need to install third-party extensions.
-
That would be great, but I think it's easier to negotiate with the Bitwarden developers the same way they did with Proton than to develop a password manager from scratch.
-
Don't put all the eggs in one basket: passwords & TOTP should be VERY strictly in different programs.
The entire safety of TOTP is that it's not part of or connected to your password.
-
@Evono said in Password Manager & TOTP generator:
Don't put all the eggs in one basket: passwords & TOTP should be VERY strictly in different programs.
The entire safety of TOTP is that it's not part of or connected to your password.
This @mawan
-
It's a bit cumbersome, but important from a security perspective. However, it all depends on your threat model / risk appetite.
-
@appsec Yep, what kind of security does a password manager bring if it's somehow breached when the TOTP is also included? Like, everyone's got full access now.
If the TOTPs are, let's say, on Ente Auth and the passwords in Bitwarden, heck, people could either breach Ente or breach my Bitwarden and couldn't do much with it.
It's very unlikely that both get breached.
-
@Evono said in Password Manager & TOTP generator:
@appsec Yep, what kind of security does a password manager bring if it's somehow breached when the TOTP is also included? Like, everyone's got full access now.
If the TOTPs are, let's say, on Ente Auth and the passwords in Bitwarden, heck, people could either breach Ente or breach my Bitwarden and couldn't do much with it.
It's very unlikely that both get breached.
Well, it brings at least the fact that you need to breach the Password manager, which probably is protected with a 2MFA, but yes I understand what you allude to.
The best might be to have your TOTP or passkeys on physical YubiKeys. However, it depends on how "tinfoil" you plan to go for your private shopping, magazine and email accounts. I believe threat actors are looking towards bigger fish.
-
@appsec The threat actors, I would argue, are after everyone, especially since it's simply as easy as getting your PC infected by cookie stealers and/or rootkits or whatever; then they could get access to a logged-in Bitwarden, no issue.
There's also phishing, scammers and more going after everyone.
I guess everyone has got a bank account and/or accounts at shopping sites to make false purchases on then. A TOTP on, like, your phone then kinda fixes that, as Android and iOS devices usually are harder to infect, especially if not rooted.
-
@Evono
Your opinion is valid from a technical standpoint.
However, nowadays many systems have moved away from using passwords. Passwords are remnants of the past, retained mostly for compatibility with systems that have not yet transitioned to stronger authentication methods. Relying solely on passwords is highly risky. That's why many systems now add extra layers of protection, such as:
- Passkey/WebAuthn (FIDO2)
- Push Notification Authentication
- OAuth 2.0 / OpenID Connect (Social Login)
- Magic Link (Email-based Login)
- One-Time Passwords (OTP) via SMS/Email
- QR Code Login (Cross-device Authentication)
You may recall the expert recommendations from a few decades ago, such as:
- Passwords should be complex (including letters, numbers, and symbols).
- Passwords should not be reused across different systems.
- Passwords should be changed regularly.
However, those recommendations are rarely heard today. Instead, experts now suggest layering authentication with methods like OTPs, magic links, and so on.
In fact, for the strongest security, passwordless authentication methods are now being encouraged — no password required at all.
Because of this shift, password managers now often include a TOTP generator. Bitwarden and Proton Pass, for example, have implemented this. Acquiring a password can be relatively easy through phishing attacks. However, obtaining a TOTP (Time-Based One-Time Password) is much more difficult, as attackers need access to the secret key—something many phishing victims don’t even know how to view. Some TOTP generators even hide the secret key entirely, making it inaccessible not only to attackers but also to legitimate users.
In the future, passwords may no longer be used. We will rely on stronger authentication methods, such as FIDO2/WebAuthn, which is one of the most sophisticated implementations of passwordless authentication.
-
@mawan The thing is, I don't talk about professional work.
I talk about the everyday Joe and customer space; the most "advanced" thing you can find there are passkeys, which often simply get managed by a password manager,
which should be protected by TOTP, because without TOTP, with the password manager being breached in some way, a passkey is useless. SMS is also fine. Email, I would argue, is unsafe: if it gets compromised in some way it's easy game without TOTP. Like, my Microsoft email gets random access tries PER DAY, between 30-440 times, from all sorts of countries, and at least Microsoft also claims Israeli agencies and more.
They obviously fail (got a giant password + TOTP).
-
@Evono
I understand your point, and you’re right — in the everyday user space, adoption of new technologies like passkeys or TOTP isn’t widespread yet. But that’s exactly why we need to start educating and encouraging the shift from traditional passwords to more secure alternatives.
Here are a few things to consider:
- Passwordless doesn’t mean less secure. In fact, many passwordless systems (including passkeys) are built on strong public-key cryptography, which is far more secure than traditional passwords. Unlike passwords that can be guessed or stolen, a private key used in passkey authentication stays on your device and is never sent over the network.
- Passkeys and password managers are not the same. While some people store their passkeys in managers like 1Password or iCloud Keychain, passkeys themselves cannot be phished or reused. The authentication is based on a challenge–response system using public/private key pairs, not shared secrets.
- TOTP is useful, but not a complete solution. TOTP does add a layer of security, but it’s still vulnerable to phishing and time-sync issues. WebAuthn/FIDO2 is designed to be phishing-resistant because it only works with the correct origin (domain) and doesn’t transmit secrets that can be intercepted.
- Email is risky precisely because it's still tied to passwords. That’s another reason why passwordless is important. If you protect email accounts using passkeys or security keys instead of just passwords + TOTP, they become far more secure.
The more complex a system (password + TOTP), the higher the chance of user error.
People forget to back up TOTP, lose their password, fall for phishing, or lock themselves out. Passwordless methods simplify access while actually reducing these points of failure — assuming the device is secure.
To use passwordless authentication methods, we don't need to buy expensive hardware security keys. We can take advantage of Apple ID, Windows Hello, or Bitwarden.
Back to the original idea: if Vivaldi only offers a password manager and doesn’t include a TOTP generator, that’s not really a problem. We can still use Bitwarden or Proton Pass, which can store usernames, passwords, TOTP generators, and even passkeys — all in one place.
Does that sound risky? Not really. As long as we keep our Bitwarden or Proton Pass account secure, we can enjoy entering passwords and TOTP codes from a single place with just a few clicks.
However, if a system already supports passwordless authentication (especially passkeys), I’d always choose that and disable password + TOTP login entirely.