Ability to skip 2FA during SSO
- Bitwarden’s native authentication via Master Password cannot be disabled when SSO is enabled so 2FA must be configured to achieve the desired security level since users can just skip SSO after the initial provisioning.
- Bitwarden currently prompts for 2FA after SSO is performed, which is redundant when the IdP already prompted for 2FA.
SSO is typically used to circumvent vendor-specific authentication mechanisms. The Identity Provider (IdP) should be expected to perform their own authentication and the Service Provider (SP) should accept what is given. As an example, I have ADFS configured with ADFS MFA to enable passwordless login via Security Key or TOTP/PIN for my users on other services. If I configure FIDO2 U2F in Bitwarden, I’ll be prompted for my key twice (once by the IdP and once afterward by Bitwarden). Skipping 2FA during SSO would avoid this problem and still allow the user to login natively with Master Password and 2FA.
Related topics + references
Other SSO implementations I’ve encountered (e.g. Nextcloud) do not force additional 2FA after the IdP has authenticated the user. Nextcloud enforces 2FA for native authentication and skips 2FA for SSO. This allows for an admin to enable native authentication if/when the IdP is unavailable.