Add field or checkbox for U2F, FIDO2 or other 2FA authentication tokens for each vault item

I’ve started using U2F as a second factor to authenticate for various websites where I store the password for the site in Bitwarden. It would be useful if I could check a box in the site’s entry in Bitwarden to indicate that I’m using U2F for the site and to log which U2F tokens I’ve enrolled for the site, possibly one checkbox per U2F token identifier. Bitwarden wouldn’t have to be using U2F itself to authenticate me and Bitwarden wouldn’t need to have ever enrolled my U2F tokens for this to be useful.

The use case here is that if I lose one of my U2F tokens I would be able to quickly and easily log into Bitwarden and find out which sites I need to un-enroll the stolen token from.

I believe I could use a custom field (or three) in Bitwarden to make this work for myself but as U2F adoption increases I think others could benefit from it being a standard integrated feature of Bitwarden.

2 Likes

I think this is a good idea, and additionally, a checkbox like “2nd factor in use” can be connected to Tools (vault.bitwarden.com Premium) > Inactive 2FA Report > remove items where this checkbox is active. The report currently gives me 5 sites where 2nd factor is maybe inactive, but it’s active on all of them (TOTP with a separate app or similar).

As a workaround, I am adding the word “2ndfactor” to any note beyond the entry to find all my 2nd factor logins quickly.

2 Likes

Agree with this completely, a checkbox for “2FA in use” will prevent my SMS 2FA and other third party apps from showing results in the inactive 2FA reports, so this is much needed.

Every report is perfectly clean except that one and it drives my OCD a bit nuts :wink:

I think even a “2FA Active” box with a “Note” section next to it would allow users to enter what type of 2FA they have, e.g. SMS, U2F, multiple methods, etc., instead of a check box for each type. But either way would work well here I think!

2 Likes

The inactive 2FA report seems to list all the saved accounts which have the possibility of enabling 2FA without the TOTP code saved in Bitwarden. I prefer to use a separate authenticator app for my 2FA accounts rather than Bitwarden, therefore the list is mostly made up of accounts I have already set 2FA up for. It would be helpful if I could manually mark these accounts as ‘enabled’ or similar, so that they don’t show up in this report anymore.

1 Like

Seconding this feature, but for other reasons

twofactorauth.org says that Steam offers 2FA… Which is true, but not using TOTP but from their own app. Same goes for twitch.tv which uses Authy (which is spyware but that’s another discussion).
Another example for another issue: I have 2FA enabled on my GitHub account, with a physical U2F token (but not configured inside Bitwarden).

1 Like

This can be completed by saving any bit of information in the 2FA field for the password. It’s crude but it works wonders. I did this for stuff I use Authy for. Or my google/windows logins which use a Notification.

1 Like

I have many important accounts secured only by a security key, or a hardware authenticator like Yubico Authenticator. There is no “default” way to store this information for convenience in Bitwarden.

Currently, the “Inactive 2FA” section will mark these important accounts as “2FA Inactive” because the TOTP field is blank, making the feature useless for me.

I can use a custom boolean field to store that the account is indeed 2FA secured, but it won’t be used by Bitwarden for the security reports. So it would be nice to have a field by default.

What will this feature do differently?

We now have the “Inactive 2FA Report”, but it only informs us about the unfilled TOTP codes in the safe. This feature proposal would bring information about the hardware 2FA not used.

Note that I use “hardware 2FA” to refer to standards such as FIDO2/U2F/WebAuthn.

What benefits will this feature bring?

This would allow all Premium users with a YubiKey to know exactly which additional accounts they might want to protect with their key.

How to set this up?

This feature requires between 2 and 3 different implementations:

  • Add support for detecting sites that support hardware 2FA, which is easy with sites like 2fa.directory.

  • Add a button in the entries of type “Login” to be checked in case we have the hardware 2FA activated for this site/these sites.

  • Eventually, propose a button in the settings to indicate that you do not have a YubiKey, which will not propose this type of 2FA in the report.
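The report logic sketched in the three points above, together with the original poster’s “which sites has my lost token enrolled” lookup, as an added example that is not code from this thread or from Bitwarden. It works on a constructed, unencrypted Bitwarden-style JSON export and a constructed stand-in for a 2fa.directory listing; the field names “2FA enabled” and “U2F tokens” are assumed custom-field conventions, and the export layout (login.totp, custom field types 0/2) is an assumption.

```python
import json
from urllib.parse import urlparse
# Constructed, unencrypted Bitwarden-style JSON export (assumed layout: login.totp
# holds the TOTP seed; custom field type 0 = text, 2 = boolean stored as "true"/"false").
EXPORT = json.loads("""{"items": [
 {"name": "GitHub", "login": {"uris": [{"uri": "https://github.com/login"}], "totp": null},
  "fields": [{"name": "2FA enabled", "value": "true", "type": 2},
             {"name": "U2F tokens", "value": "yubikey-blue, yubikey-spare", "type": 0}]},
 {"name": "Example Shop", "login": {"uris": [{"uri": "https://shop.example"}], "totp": null}, "fields": []},
 {"name": "Mail", "login": {"uris": [{"uri": "https://mail.example"}], "totp": "JBSWY3DPEHPK3PXP"}, "fields": []},
 {"name": "Cloud Console", "login": {"uris": [{"uri": "https://console.example"}], "totp": "JBSWY3DPEHPK3PXP"},
  "fields": [{"name": "U2F tokens", "value": "yubikey-blue", "type": 0}]}]}""")
# Constructed stand-in for a 2fa.directory-style listing: registered domain -> methods.
DIRECTORY = {"github.com": ["totp", "u2f"], "shop.example": ["sms", "u2f"],
             "mail.example": ["totp", "u2f"], "console.example": ["u2f"]}
HARDWARE = {"u2f"}  # methods that need a security key

def _fields(item):
    return {f["name"]: f["value"] for f in item.get("fields", [])}

def _domain(item):
    uris = item["login"].get("uris") or []
    host = (urlparse(uris[0]["uri"]).hostname or "") if uris else ""
    return ".".join(host.split(".")[-2:])  # simplification: last two labels

def is_2fa_secured(item):
    # TOTP kept in the vault, or the thread's workaround: a boolean "2FA enabled" custom field.
    return bool(item["login"].get("totp")) or _fields(item).get("2FA enabled") == "true"

def inactive_2fa_report(export, directory, has_hardware_key=True):
    # Unsecured items the directory says could have 2FA; without a security key, hardware-only suggestions are dropped.
    report = {}
    for item in export["items"]:
        if is_2fa_secured(item):
            continue
        methods = directory.get(_domain(item), [])
        if not has_hardware_key:
            methods = [m for m in methods if m not in HARDWARE]
        if methods:
            report[item["name"]] = methods
    return report

def hardware_upgrade_candidates(export, directory):
    # Already 2FA-secured items with no enrolled token on a site that supports a security key.
    return sorted(i["name"] for i in export["items"] if is_2fa_secured(i)
                  and not _fields(i).get("U2F tokens") and HARDWARE & set(directory.get(_domain(i), [])))

def items_using_token(export, token):
    # The lost-token use case: every item whose "U2F tokens" field lists the given token label.
    return sorted(i["name"] for i in export["items"]
                  if token in [t.strip() for t in _fields(i).get("U2F tokens", "").split(",")])
```

On the sample data only “Example Shop” lands in the inactive report, “Mail” is the one secured item that could additionally take a key, and a lost “yubikey-blue” points at GitHub and Cloud Console.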

Feature name

  • Report on inactive 2FA
    Give users the option to set an Active 2FA Method; currently it’s only scanned for TOTP support and an input in the TOTP field.

Feature function

  • What will this feature do differently?
    Let users document their used 2FA method and get notified when a service implements a new 2FA method like FIDO2 WebAuthn.

  • What benefits will this feature bring?
    More security, because users will get informed what 2FA methods are available on their accounts and what methods they are currently using.

1 Like

Hey @itsdom thanks for the suggestion. Bitwarden currently uses 2FA Directory for the Inactive 2FA Report, so you might also want to suggest it there on GitHub.

Thanks for answering. I may not have explained it correctly. The 2FA report is great but is currently only showing users when they haven’t set TOTP in Bitwarden. My suggestion is that the user can tell his Bitwarden client if he’s using 2FA and what type, so the 2FA report can not only suggest unused TOTP but also inform the user if he’s able to use another 2FA method.
Also it would be great, when a feature like this comes, to have a dedicated page with all your accounts that use 2FA, like the TOTP page in the app does now.
Currently I am using a spreadsheet to track which 2FA method I use on which account and what backup solution I have, like another YubiKey or backup codes. Implementing something like a database for all this information would be great to see. Also, if I saw it correctly, in the future there is a plan to support passwordless login like WebAuthn, so this can be the first step to this goal, because all future features will profit from this. It’s really difficult to keep track now of all your 2FA methods, not especially the hardware keys, more like what you use where. By implementing all this information in Bitwarden, Bitwarden can give users more information about how to secure their accounts even more, like whether there is a better 2FA solution available than the one you’re currently using.
I know for now it seems very futuristic because the „standard“ is TOTP, but some sites are still only supporting third-party apps, SMS or, worse, email. But the future will hopefully be key-based authentication like the FIDO2 standard with WebAuthn or U2F.
For me as a tech-loving person and security lover, I would love to see a future where people can easily understand if their accounts are secure enough or if they can do something to improve it by adding 2FA or maybe something else.
These reports are great. But they are only on the web app. Maybe also sending them like a newsletter once a month per mail or so would be cool.

Thanks for the clarity. In the meantime, some community members add emojis to the vault item to indicate keys etc… :key:

U2F/FIDO2 MFA Report

  • A new report to help users increase security practices above and beyond TOTP.

Feature function

  • This will add a new report, or augment the existing Inactive 2FA Report, to show vault items that can be secured with U2F or FIDO2 devices.
  • The feature should also add a checkbox to vault items to mark items as FIDO2 or U2F secured so that they won’t show up in the 2FA report or this proposed report.

1 Like

+1 i like it! great suggestion

Yes if I could put a few checkmarks in boxes so that I know what I use for 2FA, not necessarily what bitwarden keeps track for me, that would be very powerful. For example if I use a yubikey, or a yubikey for TOTP, or if I printed my recovery codes, bitwarden doesn’t know that. But I’d love to see that summarized in a list so I’d know the 2FA status of all my accounts at a glance.
That, along with the last time I changed my password, would be great for keeping track of account security.

1 Like

A flag that can be set in an entry if the entry is secured with a hardware token as 2FA. Currently there is no searchable flag for this scenario. I can either use a TOTP token or a custom field that is not searchable (mobile app).
The Vault Item Labels could be used for it too if searchable.

Example: I want to search for all entries which use a YubiKey for authentication.

A possible work-around right now is to put some sort of emojis in the name field for the different booleans, and then you can search for the emojis.

I have multiple accounts secured via passwordless WebAuthn/FIDO2 or FIDO2 2FA.

Allow marking credential logins as passwordless and/or FIDO2 2FA so these do not show in the reports for weak/reused passwords or TOTP-unsecured sites.

2 Likes

This will probably (hopefully) be addressed once Bitwarden implements its own passkey support.

Love the suggestion, I’ve been using folders, but a tracking field in the record would be even better!