I want the ability to selectively require 2FA when unlocking, in the exact same way that would be required when logging in. The method chosen would contact the same servers or perform the same operations that would have otherwise been performed when logging in. The only difference whatsoever is the fact that the vault has already been downloaded and unlocked in memory in the case of a logged in but locked scenario, versus a not logged in yet scenario.
This choice could be selectively turned on and off.
Without such a feature, someone who has stored their (strong and hard to type) pass phrase on a phone via FaceID/TouchID (not sure if there’s an android equivalent but probably is), could have their Bitwarden data compromised by someone who is in a position to just touch the owner’s finger to their phone (touch id) or get them to look at their phone (face id), perhaps either of which could occur without their consent / intent. Auto logout would provide some level of safety there, if they were lucky enough to have had the logout occur before the attempt, as a new login would require 2fa again, but any user who travels or works in data centers / buildings where internet is not possible, would never use auto logout because it may occur at a time which would cause substantial problems from not being able to log back in.
So, the solution to any of those scenarios is allowing 2fa to be set on/off on the device side, and not only that, perhaps even require 2fa to switch it from on to off. Then, when you’re online, your locked Bitwarden data is nearly as safe as a not logged in Bitwarden. When you’re anticipating going offline but will need your data, you 2fa to turn 2fa unlock off. When you’re back online, you simply set it back to on.
Or hey, yet another feature suggestion, allow for a turn off for X minutes feature. Then, if I’m boarding a plane, I’ll set 2fa unlock off for five hours, still have my data while on the plane, and not even have to think about turning 2fa unlock back on when I land.
I would love to have the 2fa every time that I unlock my Firefox extension in particular. As a High School and College student I am forced to use public computers. My high school cyber security class is the worst because everyone is trying to hack into each other's accounts and a physical attack is the easiest attack that everyone can do. The school also has a keylogger installed (lanschool) and adding a 2fa to every time I unlock my vault would be fantastic. I love how this project focuses so much on external security and adding this feature would strengthen the physical security.
If your adversary is a competent hacker with physical access to the device, 2FA won’t help. They will capture your encrypted vault on the way down from your browser, and the decryption key is just your master password, hashed a lot.
2FA is just a barrier between someone who knows your password and downloading your encrypted vault.
If you open your vault once, your pc downloads the encrypted vault, and the attacker has it too.
Currently no password manager besides Trezor Password Manager has protection against physical attacks… but tbh, any password you use will be captured by the attacker once you insert it into the DOM.
Thankfully the hackers in that class are not competent. There is no good way to stop physical attacks, especially like the one described above. The 2fa to unlock just slows everyone down to hopefully discourage the physical attack in the first place. It would be interesting to see if someone could find a practical way to encrypt the vault and use the 2fa number algorithm as salt. I can't think of any way to add a rotating number or the algorithm for that number into the encryption algorithm, but this is an extremely intelligent community and I am sure someone will figure it out eventually. Nonetheless I like bitwarden a lot more than lastpass, but bitwarden can always be better.
Just switched from Lastpass, and this is the main thing I really miss
Having to type in my full master password to unlock seems unnecessarily tedious as a single factor unlock when I have a hardware 2FA key available. Being able to select 2FA only or 2FA + Master on unlock would be fantastic.
I think this feature would also address the concerns leading to Mobile: fingerprint AND pin to log in. As stated above, the use case is that the strong password is necessary for good protection of the vault - but is a pain especially on mobile devices. Thus the local lock/unlock really helps, but currently has no 2FA options. In my head 2FA can be using what you have/who you are/what you know - and it might be a burden for requiring extra “what you have”, but a 2FA for who you are/what you know should provide extra security.
Here is one possible 4-step implementation (note that this would be completely separate from the initial vault decrypt via master password; it would only apply to the local client):
In the settings, provide the user with check boxes for allowable unlock methods with supported methods for their platform. So maybe there'd be an "unlock methods >" entry in the settings which opens to checkboxes next to "pin", "password", "biometric", "yubi", etc. (which would be updated based on the hardware and what's available)
In the settings, provide the user with a counter called number of unlock factors, which would be restricted to greater than or equal to 1 and less than the number of selected options in unlock methods
Create a method with the following inputs and outputs:
import java.util.List;

/** An enum which defines the allowable methods for local user authentication. */
enum AuthMethod { PIN, PASSWORD, BIOMETRIC, YUBIKEY }

/** Thrown when the user fails to authenticate, or when the MAX_WAIT timeout expires. */
class AuthenticationFailure extends Exception {
    AuthenticationFailure(String message) { super(message); }
}

/**
 * Make the user authenticate, using one of the supplied methods.
 * @param allowedMethods list of allowed methods
 * @return the method of authentication used by the user to successfully authenticate
 * @throws AuthenticationFailure if the user fails to authenticate via any of the allowed methods
 * @throws AuthenticationFailure if the user fails to authenticate before a time of MAX_WAIT has passed
 */
public AuthMethod performAuthenticationStep(List<AuthMethod> allowedMethods) throws AuthenticationFailure;
Use the following logic for unlocking the device:
/**
 * Unlock the local bitwarden vault.
 * @throws Exception if the vault has not previously been decrypted.
 * @throws AuthenticationFailure if the user fails to authenticate
 */
public void unlockLocalVault() throws AuthenticationFailure {
    // Work on a copy, so removing used methods below does not modify the stored settings
    List<AuthMethod> allowableMethods = new java.util.ArrayList<>(getUnlockMethodsFromSettings());
    int requiredFactors = getNumberUnlockFactorsFromSettings();
    for (int succAuth = 0; succAuth < requiredFactors; succAuth++) {
        AuthMethod used = performAuthenticationStep(allowableMethods);
        // A method may only count once, so the next step must use a different factor
        allowableMethods.remove(used);
    }
    // Unlock the vault. Authentication has succeeded at this point because if authentication
    // fails, performAuthenticationStep() throws an exception, so the code never gets here
}
Please note that I am not a web/mobile developer, so I have no idea if the APIs will support the above type of logic. And it's written in a pseudo-Java because I don't know javascript, sorry.
This is exactly what I am trying to get to. I want to use a Yubikey NFC and a PIN code (or thumb print on iPhone) to unlock Bitwarden web, desktop, and mobile apps. I am setting it up for me and my wife to use and I can get by with typing in the master pass, but I need it more simple for the wife. So far, the web version asks for my DUO phone app 2FA after putting in my master password and I can't even get the iPhone to prompt for 2FA and the desktop app doesn't either. And, they all still require the complex master password.
For both the apps and browser I would also like to see a 2nd factor prompt when unlocking the vault. Using just the password feels relatively insecure. In our company everyone owns a Yubikey and the use-case for requiring the Yubikey next to the password would be a great extra mechanism for securing the vault in case the password leaks.
So accessing/unlocking vault = Entering master password + some 2nd factor authentication
Auto logout as an option for my Chrome/Firefox linux desktop browsers would be something I would immediately enable on my Premium account. I leave a FIDO key inserted in my laptops at home while I am online. Simply touching the element key would add virtually nothing to my "task" of signing in. Since unlock after closing the browser requires my master password anyway, how hard is touching a U2F element? Answer: not at all. At the current time I attempt to remember to logout before closing the browser but candidly it's a pain in the butt.
I would not use this feature on my Androids. I feel that using a PIN where you get 5 tries and then you are logged out automatically is secure enough. Plus Android is much better at securing passwords. There are times I log out anyway because I carry a Yubi and validate the login with NFC as desired. On my Android Pie you can’t even get to my Bitwarden app unless you have my finger to open the phone first.
One thing I would recommend to BW users on desktop apps is to run a separate instance of Chrome or FF that will help to keep internet activities you perform outside of BW use away from the BW private instances. Also, something like click and clean can be used to one click all activity from cache, cookies, etc… so when you go from one website to the next the browser is CLEAN and no previous stuff is available to the next site. Just an opinion, but once set up it is one click between sites to always keep a fresh browser instance.
Another vote for implementing this feature. New Premium subscriber and was sad to learn the differentiation between unlock and login. I use a YubiKey so it is a true second factor not on the same device.
I’d like to have the protection of 2FA regardless if the attacker is remote or has physical access to my logged in device. I can’t be around all my devices at the same time but I can keep my YubiKey secured on me at all times.
Hi gang,
I too would love to see a 2FA option to be available at every unlock.
Can anyone help me understand how Yubikey works in this scenario?
Comparing Keepass master password + keyfile to Bitwarden master password + yubikey, wouldn’t yubikey serve as the offline key 2FA or internet access is still required?
Apparently Keepassxc achieves this by using HMAC-SHA1. I am not knowledgeable enough to know whether it is a good/secure approach. source
Having a 2FA app on the same phone to unlock Bitwarden makes little sense so it HAS to be a Yubikey.
YubiKey would be the offline key, but the 2nd factor (YubiKey) is only required to download the database, not to unlock it AFAIK. This means if you don’t physically log out of your device each time, the database stays stored on device in an encrypted state, and only requires the master password to unlock it.
I agree this is insufficient security in the eyes of many and there should at least be an option to require 2FA on BOTH unlock AND login.
I think there is an interesting misunderstanding going on here. I am on the side of wishing that my Yubikey was required even when Face-ID is enabled to “unlock” my password database locally. That being said, I also recognize that the developers have chosen a solution that is exceptionally user friendly, in that the master password is really the only thing blocking recovery of passwords (so if someone loses their Yubikey, they can still request account recovery from Bitwarden by proving their identity or using a 2FA Recovery Code).
HOWEVER - what I really want is a solution where my Yubikey “second factor” key was added to my master password to create the database encryption key. So the only way to decrypt my password vault is to input my master password along with my Yubikey.
I completely agree that this is not the way all users will want to utilize 2FA, but for me, this would be a level of security that would make me feel significantly more confident in a solution that stores my passwords on a remote server. If that server is ever compromised, I know that my vault itself will never be cracked unless the attacker also finds me, and through some nefarious means, manages to acquire my Yubikey.
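The idea raised above (the KeePassXC-style HMAC-SHA1 challenge-response mentioned earlier, and folding the Yubikey response into the vault encryption key), as an added illustration that is not Bitwarden or KeePassXC code. It assumes a simplified composite key layout and stands in for the hardware token with a constructed HMAC-SHA1 class:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

class FakeHmacSha1Token:
    """Constructed stand-in for a YubiKey HMAC-SHA1 slot: the 20-byte secret
    never leaves the token, the host only ever sees HMAC-SHA1(secret, challenge)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

@dataclass
class VaultHeader:
    salt: bytes       # KDF salt for the master password
    challenge: bytes  # fixed per vault, so the same token always answers the same way
    verifier: bytes   # lets the client tell a wrong key from a corrupt vault

def derive_vault_key(master_password: str, header: VaultHeader, token) -> bytes:
    """Assumed, simplified composite key: stretched password || hashed token
    response, hashed to 32 bytes. Not the real KeePassXC or Bitwarden layout."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  header.salt, 100_000, 32)
    token_part = hashlib.sha256(token.respond(header.challenge)).digest()
    return hashlib.sha256(pw_part + token_part).digest()

def create_vault(master_password: str, token) -> VaultHeader:
    """Generate salt and challenge, then record a verifier under the derived key."""
    header = VaultHeader(salt=os.urandom(16), challenge=os.urandom(32), verifier=b"")
    key = derive_vault_key(master_password, header, token)
    header.verifier = hmac.new(key, header.challenge, hashlib.sha256).digest()
    return header

def try_unlock(master_password: str, header: VaultHeader, token) -> bool:
    """True only when the password AND the same physical token are both presented;
    a copied, still-encrypted vault plus the password alone is not enough."""
    key = derive_vault_key(master_password, header, token)
    expected = hmac.new(key, header.challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, header.verifier)

if __name__ == "__main__":
    real_token = FakeHmacSha1Token(os.urandom(20))
    header = create_vault("correct horse battery staple", real_token)
    print(try_unlock("correct horse battery staple", header, real_token))
    print(try_unlock("correct horse battery staple", header, FakeHmacSha1Token(os.urandom(20))))
```

Because the challenge is stored in the vault header, the key stays stable across unlocks, which is what lets the token work offline without contacting any server.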
I can agree with keeping Bitwarden locked without needing the Yubikey every 15 minutes, but I think it is absolutely necessary that users are logged out when closing their web browser. I can even imagine a protocol where a user is locked after x minutes and automatically logged out after xx minutes.
And, if some users don’t want that kind of security they can always disable it. Now users that need the security cannot enable it. So for me that makes the discussion even more simple.
Our organization has just moved from Lastpass to Bitwarden but if this is not addressed we will be moving to another solution very soon.
Agreed that the ability to require 2FA, whether through auto-logout or 2FA for unlock (requiring the user to be online, as the unlock would then need to validate with the server) would be a welcome feature.
I would like my secrets protected by my second factor. Virtually all the passwords I use are for online services.