TL;DR
Vaultwarden: an unofficial, lightweight Rust implementation of the Bitwarden server API that works with the official Bitwarden clients (around 150 MB of RAM, binary under 100 MB).
OTP Manager: a mobile app (Android/iOS) that securely synchronises your TOTP secrets (the seeds, not just the six-digit codes) with a personal Nextcloud server.
The Two-Factor TOTP Provider ships with Nextcloud (v25 onwards) and can be enabled with one click; it protects the Nextcloud login itself.
By combining Vaultwarden and OTP Manager you spread the risk: passwords and second factors live in two separate systems with independent credentials, so compromising one of them does not yield a complete credential.
As digital autonomy, regulatory compliance (PCI‑DSS 4.0, NIS 2, zero trust, Bill 25) and data security become ever more critical, separating your secrets (passwords) from your authentication codes (2FA) is essential. Here we introduce the Vaultwarden + OTP Manager strategy: a sovereign, resilient approach that is easy to adopt even for less technical users.
1. Why separate passwords and TOTP codes?
Compliance frameworks (PCI DSS 4.0, NIS 2, Bill 25) and zero-trust models call for strong encryption, MFA and audit logs.
Enhanced security: your second factors are not stored in the same system as your passwords.
Resilience: if one tool is compromised, the attacker still lacks what the other one holds, the password or the second factor.
2. Introducing OTP Manager (for Nextcloud)
2.1 What is OTP Manager?
An app available on Android and iOS that syncs your TOTP/HOTP secrets with a personal Nextcloud server.
It can also import your Google Authenticator accounts from the export QR code: a smooth transition without re-entering each secret by hand.
2.2 Nextcloud integration
The Two-Factor TOTP Provider ships with Nextcloud v25 and above but is disabled by default: an administrator enables it under Apps → Disabled apps, then each user sets it up under Personal settings → Security.
OTP Manager complements this as a mobile manager for the TOTP secrets of your other services. It syncs through its own companion app on your Nextcloud instance, not through the login provider, whose only job is to guard the Nextcloud account.
2.3 Simple uses and benefits
Multi‑device: TOTP codes accessible from several phones/tablets.
Automatic backup on your own Nextcloud infrastructure.
Security: your seeds are stored on your own server rather than on a third party's cloud. They are only as safe as the Nextcloud account that holds them, so that account needs a strong password and the TOTP provider from 2.2.
Easy migration from Google Authenticator thanks to QR import.
A browser extension is also available, so the same 2FA codes can be read from a desktop as well as from the phone.
3. Integrated architecture: Vaultwarden + OTP Manager
3.1 How it works
Your passwords are managed in self‑hosted Vaultwarden and end‑to‑end encrypted.
The Two-Factor TOTP Provider in Nextcloud verifies MFA codes at Nextcloud login, protecting the account that holds the synced seeds.
OTP Manager (on your smartphone) syncs TOTP secrets with your personal Nextcloud, not with an external server.
The TOTP seeds themselves stay out of Vaultwarden; putting them there would collapse the separation. What goes into Vaultwarden, as secure notes, is the Nextcloud app token OTP Manager uses to sync and the Nextcloud backup codes.
3.2 Daily user workflow
You create a Vaultwarden account, using the Bitwarden web vault or apps pointed at your own server.
You enable two-step login on that Vaultwarden account (Settings → Security → Two-step login → Authenticator app) and enrol its seed in OTP Manager, so the vault itself sits behind the second factor.
In Nextcloud you enable the TOTP provider; each user scans their QR code under Personal settings → Security and confirms with a first code.
Then, in OTP Manager on your phone, you sign in to your Nextcloud instance to sync the TOTP secrets of your other services.
You do not also store those QR codes or seeds in Vaultwarden: that would put both factors in one system and void the separation.
You keep the Nextcloud backup codes in Vaultwarden as a secure note, so losing the phone does not lock you out of the server that holds your seeds.
3.3 Why this is smart
Separation of responsibilities: passwords on one side, TOTP seeds on the other, in two systems with independent credentials.
No dependence on an external service: everything is self‑hosted.
Mobility: if you change phone, OTP Manager reconnects to your Nextcloud server without having to reconfigure everything.
4. Security & limitations
OTP Manager (AGPL-v3+) syncs over HTTPS to your Nextcloud. Check that the server presents a valid certificate and that plain HTTP is not exposed, since the seeds transit this channel.
Nextcloud's TOTP provider implements RFC 6238; the bundled Backup Codes provider issues the recovery codes to use if you lose your smartphone, and they should be generated right after the TOTP set-up, not after the phone is gone.
Limitations: OTP Manager is maintained by a small community (about 34 GitHub stars) and has not had a formal third-party audit, so you are relying on the maintainers keeping up with updates. Keep the mobile app and its Nextcloud companion current and read the release notes before updating.
5. Implementation roadmap
5.1 Deploying Vaultwarden
Install Vaultwarden via Docker, backed by SQLite (the default) or PostgreSQL, behind a reverse proxy that terminates TLS; the web vault requires HTTPS.
Export your data from Bitwarden (unencrypted JSON) and import it into Vaultwarden. That export holds every password in cleartext, so delete it securely once the import has been verified.
Harden the instance: disable public registration (SIGNUPS_ALLOWED=false) and invite users instead, restrict the /admin page with an IP allowlist at the reverse proxy, and run Fail2Ban against the Vaultwarden log to ban repeated failed logins.
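The hardening steps above, as an added example that is not part of the article or of the Vaultwarden project: a script that renders a docker-compose.yml with registration disabled and the service bound to loopback, renders a Fail2Ban filter and jail for Vaultwarden's failed-login log line, and checks that filter offline against a constructed log excerpt. The domain, data directory and log path are assumptions; the /admin IP allowlist lives in the reverse proxy and is not shown.

```shell
#!/bin/sh
# Added example, not from the article: hardened compose file plus a Fail2Ban
# filter/jail for Vaultwarden, with an offline check of the filter regex.
# Domain, data_dir and the jail's logpath are placeholders (assumptions).
set -eu

render_compose() {
  domain="$1"; data_dir="${2:-./vw-data}"
  cat <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      DOMAIN: "https://${domain}"
      SIGNUPS_ALLOWED: "false"          # no public registration
      INVITATIONS_ALLOWED: "true"       # accounts are created by admin invite
      SHOW_PASSWORD_HINT: "false"
      LOG_FILE: "/data/vaultwarden.log" # Fail2Ban tails this file
      EXTENDED_LOGGING: "true"          # keeps the client IP in failed-login lines
      # ADMIN_TOKEN: generate an argon2 hash with 'vaultwarden hash' and set it
      # here; leaving it unset keeps the /admin page disabled.
    volumes:
      - ${data_dir}:/data
    ports:
      - "127.0.0.1:8080:80"             # loopback only; the reverse proxy terminates TLS
EOF
}

# Failed vault logins are logged by Vaultwarden as:
#   [...][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: alice@example.com.
# <ADDR> is Fail2Ban's own token for the offending address.
FAILREGEX='Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:'

render_fail2ban_filter() {
  cat <<EOF
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*?${FAILREGEX}.*$
ignoreregex =
EOF
}

render_fail2ban_jail() {
  cat <<'EOF'
[vaultwarden]
enabled = true
port = 80,443,8080
filter = vaultwarden
logpath = /opt/vaultwarden/vw-data/vaultwarden.log
maxretry = 5
bantime = 14400
findtime = 14400
EOF
}

# Offline check of the filter: count the lines of a log file that would trip it,
# with <ADDR> swapped for an IPv4 pattern so grep -E can evaluate the same regex.
count_failed_logins() {
  re=$(printf '%s' "$FAILREGEX" | sed 's/<ADDR>/([0-9]{1,3}\\.){3}[0-9]{1,3}/')
  grep -Ec "$re" "$1" || true
}

# Constructed log excerpt (not a real capture): two failed logins, one sync, one bad admin token.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[2024-05-01 10:00:01.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: alice@example.com.
[2024-05-01 10:00:02.000][request][INFO] GET /api/sync
[2024-05-01 10:00:03.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.9. Username: alice@example.com.
[2024-05-01 10:00:04.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.7
EOF

echo "failed logins in sample: $(count_failed_logins "$SAMPLE_LOG")"   # → 2
```

Run the script once to check the regex, then write render_compose, render_fail2ban_filter and render_fail2ban_jail output to docker-compose.yml, /etc/fail2ban/filter.d/vaultwarden.conf and /etc/fail2ban/jail.d/vaultwarden.local respectively. The admin-token failure line in the sample is deliberately not matched by this filter; the Vaultwarden wiki keeps a separate filter for it.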
5.2 Enable TOTP in Nextcloud
In Apps, enable the Two-Factor TOTP Provider (bundled with Nextcloud v25+); from the command line, occ app:enable twofactor_totp does the same.
In Personal settings → Security, each user scans their QR code and confirms with a first code.
Generate the backup codes at the same time and store them in Vaultwarden; an administrator can make a second factor mandatory with occ twofactorauth:enforce --on.
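The same set-up driven from the command line, as an added example that is not part of the article or of Nextcloud: the script enables the TOTP and Backup Codes providers with occ, turns on enforcement, and checks each user's state so that nobody is left with backup codes as their only factor. It assumes Nextcloud runs in a Docker container named nextcloud (override OCC otherwise) and that occ twofactorauth:state prints the layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the article: drive the Nextcloud TOTP set-up with occ
# and verify per-user state. The container name and the state output layout
# parsed below are assumptions; adapt OCC to your deployment.
set -eu

OCC="${OCC:-docker exec -u www-data nextcloud php occ}"

# Step 1: enable the bundled TOTP provider and the Backup Codes provider.
enable_providers() {
  $OCC app:enable twofactor_totp
  $OCC app:enable twofactor_backupcodes
}

# Step 2: make a second factor mandatory; users without one are sent through
# the set-up flow at their next login.
enforce_2fa() {
  $OCC twofactorauth:enforce --on
}

# Parse the output of "occ twofactorauth:state <user>" from stdin. It lists
# "Enabled providers:" followed by "- <id>" lines, then "Disabled providers:".
# Exit 0 when the given provider id (for example totp) is in the enabled list.
state_has_provider() {
  awk -v want="- $1" '
    /^Enabled providers:/  { in_enabled = 1; next }
    /^Disabled providers:/ { in_enabled = 0 }
    in_enabled && $0 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Step 3: report users who still lack TOTP. Backup codes alone are a recovery
# path, not a second factor, so they do not count.
report_missing_totp() {
  for u in "$@"; do
    if $OCC twofactorauth:state "$u" | state_has_provider totp; then
      echo "$u: totp enabled"
    else
      echo "$u: NO TOTP"
    fi
  done
}

# Constructed sample of the state output (not a real capture), used to check
# the parser without a server. backup_codes is disabled on purpose here.
SAMPLE_STATE='Two-factor authentication is enabled for user alice
Enabled providers:
- totp
Disabled providers:
- backup_codes'

if printf '%s\n' "$SAMPLE_STATE" | state_has_provider totp; then
  echo "parser check: totp detected in sample"
fi
```

To use it on a real server, source the script and call enable_providers, enforce_2fa and then report_missing_totp alice bob; the parser check at the bottom runs offline so the script can be verified before it is pointed at production.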
5.3 Install OTP Manager on mobile
Download the app from Play Store or App Store.
Connect the app to your Nextcloud instance with the server URL and an app-specific token, not your account password.
Initial sync: import your existing secrets by scanning their QR codes, including the Google Authenticator export QR.
Use OTP Manager to manage all your TOTP codes (reset, add, delete).
6. Key benefits — made accessible
Total control: your passwords and codes never go through a third‑party cloud service.
Enhanced security: even if Vaultwarden were compromised, the attacker would still lack the TOTP seeds, which live only in your Nextcloud, synced via OTP Manager.
Seamless mobility: changing phone is simple; the app syncs with Nextcloud.
Minimal cost: 100 % open source with no licence fees; only your VPS and energy expenses apply.
7. Concrete scenarios
Freelance/small team: password in Vaultwarden + OTP Manager; zero dependence on Google Auth or Authy.
GDPR-compliant SME (EU): host in an EU data centre, with no data transfer outside the EU.
Security-conscious individual user: two phones kept in sync through OTP Manager, with the password vault in a separate system.
Conclusion
Separating passwords (via Vaultwarden) from your MFA codes (via OTP Manager synced with Nextcloud) means adopting a more secure, resilient and sovereign architecture. Accessible even without advanced skills, this approach lets you retain full control of your credentials. Need help to deploy or support your migration? Blue Fox is at your service.