# Sync Verification Codes

Connect Authenticator with Password Manager to sync your verification codes. Once activated, the Bitwarden apps stay synchronized with any codes you add or edit (except local codes). This helps you find and use TOTPs quickly from either app:

![Sync between Password Manager (Left) and Authenticator (Right)](https://bitwarden.com/assets/1DcAOWrPp1qDkIILFUu1f9/59504e02563a5a6faac1635b7e2b843f/2025-05-21_10-33-42.png)

If you have multiple Password Manager accounts, you can choose which account(s) sync with Authenticator. Conversely, local codes stored in Authenticator can remain separate or move them to Password Manager for access from both apps.

> [!NOTE] How to keep TOTPs separate between Password Manager and Authenticator
> If you prefer to save your verification codes in only one Bitwarden app, do not sync your accounts. Instead, there are two options:
> 
> - **O****nly access codes from your Bitwarden vault**: Save the TOTPs with the [Password Manger's integrated authenticator](https://bitwarden.com/sv-se/help/integrated-authenticator/) and do not turn on your Bitwarden account's **Allow authenticator syncing** app setting. This means that none of the codes saved within that specific Bitwarden account will be visible in Authenticator.
> - **O****nly access codes from the Authenticator app**: When first adding the code to Authenticator, select **Save here**to add it as a local code. These codes are not connected to your Bitwarden account, so they cannot be found anywhere in your Bitwarden vault.

## Set up sync

Codes already saved in your Bitwarden vault as a login item can be [synced with Authenticator](https://bitwarden.com/sv-se/help/totp-sync/#sync-codes-saved-in-your-bitwarden-vault/). If you have local codes, meaning TOTPs that are only saved on your device and accessed via Authenticator, first [copy the codes to your vault](https://bitwarden.com/sv-se/help/totp-sync/#move-and-sync-local-codes-to-your-bitwarden-vault/). Once the codes are located in your vault, they will sync like the other TOTPs.

### Sync codes saved in your Bitwarden vault

To use this feature, you must have iOS or Android 12+. To sync TOTPs between both Bitwarden apps:

1. Ensure that [Bitwarden Authenticator](https://bitwarden.com/sv-se/download/#bitwarden-authenticator/) and [Bitwarden Password Manager](https://bitwarden.com/sv-se/download/#mobile-applications/) are installed on your device.
2. In Password Manager, log in to the account you want to sync with Authenticator.
3. Tap the ⚙️ **Settings** **icon**.
4. Tap **Account security**.
5. Toggle on **Allow authenticator syncing**.
6. (Optional) To sync additional Password Manager accounts, repeat steps 2-5 per account. You need to toggle the setting separately for each account, which allows you to choose exactly which ones are synced with Authenticator.
7. Authenticator organizes codes into two groups: local codes and synced codes from Password Manager. Verify that your Password Manager TOTP codes appear under your account email heading in Authenticator.

### Move and sync local codes to your Bitwarden vault

You can manually copy a local code to your Bitwarden vault for access from both apps. To copy and move a local code to Password Manager:

1. In Bitwarden Authenticator, long press the code.
2. Tap **Copy to Bitwarden vault**.
3. This will open Password Manager and search for a matching login item.

 - If a matching login item is found, tap the login item. Edit or enter any additional details and tap the ✓ **Check icon** when done.
 - If no matching login item is found, tap + **New item**. Edit or enter any additional details and tap the ✓ **Check icon** when done.

[Embedded content]## How syncing works

Though the core key exchange workflows are the same from platform-to-platform, the secure storage and communication methods that facilitate sync between Password Manager and Authenticator are specific to Android and iOS:

### Android

When **Allow authenticator sync** is activated in Password Manager:

1. A **global symmetric key** is generated by the Password Manager client and shared with Authenticator through the Android Interface Definition Language (AIDL).

> [!NOTE] What is AIDL
> The AIDL is an interprocess communication (IPC) abstraction that allows Authenticator and Password Manager to securely exchange data without granting access to any other component of your device.
2. Your preexisting **account encryption key** is locally persisted.

When you open Authenticator and **Allow authenticator sync** is activated:

1. A request is made to Password Manager through AIDL.
2. Responding to the request, Password Manager temporarily decrypts your item data with the persisted **account encryption key** and re-encrypts that data with the **global symmetric key**.
3. Using AIDL, Password Manager sends re-encrypted authenticator keys, display names, and usernames to Authenticator. No sensitive data is passed unencrypted through AIDL.
4. Authenticator receives your re-encrypted authenticator keys, display names, and usernames and decrypts that data with the shared **global symmetric key**.

### iOS

When **Allow authenticator sync** is activated in Password Manager:

1. A **global symmetric key** is generated by the Password Manager client and written to a keychain shared by Password Manager and Authenticator.
2. Authenticator keys, display names, and usernames saved within your vault items are encrypted using the **global symmetric key** and stored in the App Group's shared container.

> [!NOTE] KeyChain & App Groups
> **Keychain** uses access groups to allow secure local sharing of cryptographic keys or other data between apps made by the same developer.
> 
> **App Groups** use secure local storage locations called shared containers to allow apps made by the same developer to access shared data and some inter-process communication (IPC).

When you open Authenticator and **Allow authenticator sync** is activated:

1. Authenticator retrieves the **global symmetric key** from the shared keychain.
2. Authenticator retrieves encrypted authenticator keys, display names, and usernames from the App Group.
3. Authenticator locally decrypts your authenticator keys, display names, and usernames with the **global symmetric key**.

When you turn off **Allow authenticator sync**or fully log out of Bitwarden Password Manager, the encrypted data stored in an App Group (authenticator keys, display names, and usernames) are deleted. If all associated Bitwarden accounts deactivate **Allow authenticator sync** or logout, the **global symmetric key** is also deleted.