2FA only for specific entries or folders

Hi,

I just implemented 2FA via Authy for my bitwarden account. It works, whenever I start bitwarden now I have to put in an Authy code after entering my master password.

But that’s actually not what I wanted.

I want 2FA only for specific folders, folders that contain critical information. I also have an organization shared with my wife. And I also want 2FA for a special folder in the organization.

So

  • Master Password should be enough to get into my vault
  • Master Password should be enough to get into the organizations vault
  • 2FA only necessary to access passwords that lie in specific folders / or for specific entries

How can I implement that? Unfortunately I couldn’t find any information about this in the bitwarden docs.

Thanks for help!

Hello @Aenima22

This just isn’t possible (and I honestly don’t see why you want it to be). Surely every password you have is important and needs to be protected? At the moment your entire account is locked behind MFA and the only way to access your vault is through MFA. I honestly don’t know of a provider that works this way.

Also how are you using bitwarden? If you install the browser extension or the mobile app you have the ability to just lock the app. Locking the app doesn’t log you out and you would just be prompted for your master password again (or pin if you set that up instead) without the app asking for MFA again. If you want extra security you can prompt certain credentials to ask for your master password again before allowing you to access that credential. This is done per credential though, not per folder, which would actually be a good feature.

Hope that helps.

Hi @Sincerity9661

Thanks a lot.

I don’t consider every password I have to be equally critical. I have thousands of accounts only for simple web forums etc. to which no private or even payment data is connected. For me, those aren’t as critical as others. Don’t you have different levels of criticality for your passwords?

Also I want this extra security step if I share passwords via the organization with my wife. The reason is simple: I’m afraid her master password is not as secure as mine is and it isn’t easy to get her to find a new one. It’s not a simple password, but she only uses 16 characters or so (whilst I use more than 40 characters for my master password).

What would be a good solution for this?

How I use bitwarden? Well, I use the browser extension mainly plus the mobile app. I feel that face id for the mobile app offers quite good security, better than the master password, so I’m fine with the mobile app.

May I ask you again: Do you use 2FA for everything then? Even if you just log into some forum like this which is not very critical? I try to find the best compromise between security and comfort.

Hello @Aenima22

Of course I have accounts that are more important to me than others but I treat them all the same.

I see and trust me I know that pain both in my job and in my personal life. It’s something companies have been battling with for decades at this point and the best answer is to educate users on correct methods. Most users are receptive to the fact their practices aren’t the best and that they need to change. Good news is 16 characters should be long enough to protect from brute force attacks. Of course if it’s an easy-to-guess 16-character password then a password list such as the RockYou password list would crack it. I would try and strengthen her master password (after all it should be the only one she needs) just by using the same password she has right now but by adding another word or two to it. It’s a quick and easy change for people who are not the most technically literate.

Bottom line on that one is if you have genuine fears that there is a critical account that could be compromised due to another person’s weaker practices then you shouldn’t give that person access to those credentials. It’s never easy but if it is that important it may be an option to consider.

Unfortunately the feature you are asking for doesn’t currently exist and the best alternative is to require you to type your master password for each and every credential inside of the organisation.

I understand you are trying to make it easier to use and there is a fine balance between convenience and security.

To answer your question: yes, for everything that I see has the capability to enable MFA, I enable it, preferably through a phishing-resistant option such as a YubiKey. I do understand it may be overboard but it works for me and the small inconvenience to me logging in is way more convenient than having to recover a compromised account however important it is.

I’ve written a lot and not sure I have addressed everything you said. Short one though unfortunately what you are asking for doesn’t currently exist and I am not sure of a product that works this way.

@Aenima22 - Does your wife have 2FA turned on? I would definitely want that if I had concerns about the quality of my wife’s password.

@Sincerity9661 Thanks a lot. Yes that helps.

Only one more question since I’m really new to using 2FA generally. What exactly is the procedure? I thought that I have to use 2FA every time I log into my vault. But that’s not the case. It doesn’t even force me to use 2FA after closing the browser or rebooting the laptop. It just asked the first time after configuring it and then that’s it.
Only when I emptied the browser cache I had to enter the 2FA code again. Is that how it’s supposed to work?

@RogerDodger Well, I’m just about to configure everything so that we can share passwords there. I’m checking out the security options now before I share them. Of course she has to implement 2FA before I share them.

Cheers

The way you have worded this suggests that you (and your wife) may be using nonsense character strings as your master passwords. These can be very difficult to memorize and type, so it is no wonder that your wife has one that is shorter than yours. On the other hand, if the characters were randomly chosen, 16 characters is much more than necessary (8 randomly generated characters should be sufficient, unless you are a high-value target). I suspect that your passwords may not be random, in which case 16 (or even 40) characters may not be sufficient to secure your vault.

I would highly recommend that you both switch your master passwords to a random passphrase (i.e., a combination of 4-5 words that have been selected at random — using a random number generator — from a long word list containing at least 5000 words). There are many tools available online to generate such passphrases; for example, you can use Bitwarden’s password generator by setting the “Type” option to “Passphrase” (and reducing the number of words to 4, if desired). Alternatively, you can create a secure three-word passphrase by using this special link (without changing any of the options on the page). When using these tools, it is important not to re-generate the random passphrase multiple times and cherry-pick one that you like (doing this more than 2-3 times can significantly weaken the strength of the resulting password, by reducing its randomness).
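The entropy figures behind the advice above (8 random characters, 4-5 words from a 5000-word list, 16 vs 40 characters), worked through in code. This is an added example, not from any poster; the word list is a constructed stand-in for a real diceware-style list, and the entropy values assume every character or word is picked uniformly and independently by a CSPRNG.

```python
import math
import secrets

# Constructed, deliberately tiny word list (a real list such as the EFF long
# list has 7776 words; the post above asks for at least 5000).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon",
    "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
]

# 95 printable ASCII characters: the pool for a "random character" password.
PRINTABLE_ASCII = 95


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words with the secrets module (CSPRNG), repeats allowed.

    Allowing repeats keeps every pick independent, so each word contributes
    exactly log2(len(words)) bits. Generate once and keep the result; picking
    a favourite out of several runs lowers the entropy (see the post above).
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strengths() -> dict:
    """Entropy of the password shapes discussed in the thread, in bits."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "16 random printable chars": entropy_bits(PRINTABLE_ASCII, 16),
        "40 random printable chars": entropy_bits(PRINTABLE_ASCII, 40),
        "4 words from 5000-word list": entropy_bits(5000, 4),
        "5 words from 5000-word list": entropy_bits(5000, 5),
        "3 words from 7776-word list": entropy_bits(7776, 3),
    }


if __name__ == "__main__":
    for label, bits in compare_strengths().items():
        print(f"{label:30s} {bits:6.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

A 16-character password only reaches the ~105 bits the table shows if every character is random; a memorable non-random string of the same length can be far weaker, which is the point the post makes about preferring a random passphrase.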