It would be great if the browser extensions could emulate a U2F token, the way Krypton does. I could store the key in BitWarden and the extension could add as a provider so I could add the BitWarden “token” to sites and authenticate with it.
As I understand it, the advantages of U2F-in-hardware over TOTP are that (a) U2F-in-hardware is (nearly) impossible to compromise via remote software hacking, and (b) U2F can identify the remote website so the user doesn’t have to.
Advantage (a) does not apply to U2F-in-software.
Bitwarden automatically knows which TOTP code to use for each website so advantage (b) does not apply either.
The advantage of U2F over TOTP is that there’s no way to phish users, because the U2F signature is only valid for the given site’s domain. Soft U2F still retains that, but TOTP does not.
Bitwarden too recognizes the domain, and will not fill in any password or generate a TOTP code for the wrong domain.
That doesn’t mean it’s impossible to phish. Maybe the user will think BitWarden is broken and didn’t fill in the field and fills it in themselves. Maybe an enterprise is sniffing packets using a dummy CA. U2F is strictly better than TOTP, and the UX is much better as well. No more faffing with QR codes, you just press okay and you’re secure.
Let’s have a type of user and a threat model in mind. If a user is naive enough to ignore that Bitwarden doesn’t recognize the URL or the fields, and manually fills in fields without carefully inspecting the URL, that person will find other ways to hurt himself, and really ought to be using hardware U2F. If the threat model includes a highly motivated attack such as network sniffing and a dummy CA, again, we should be using hardware U2F, because the attacker also likely has the ability to hack directly into our own machine.
I can see a very tiny segment of users who don’t need the security of hardware U2F but do need better security than TOTP. That would be, maybe nine or ten people worldwide. Everybody else either needs hardware U2F or is sufficiently protected with TOTP.
Ultimately, every additional feature in Bitwarden requires implementation resources. I don’t see much of a payback in software U2F. I see a much greater payback in nested vaults, full backups and larger field sizes.
I disagree, I think the improved UX alone is reason enough to prefer U2F over TOTP, and even more so with WebAuthn on the way.
Soft U2F does not retain the ability to resist malware/bug/exploit stealing your U2F key.
If you have malware that can get your BitWarden database, the game is over. I don’t know why everyone keeps attacking points I never made. I would like U2F as a feature because:
- It has much better UX (no need to scan barcodes or enter codes).
- It’s much more secure than TOTP (it uses actual ECC signatures) and much harder for the user to screw up (you can’t get phished even if you enter the credentials on the wrong page).
If anyone would like to argue against those two points, please do, otherwise you’re probably arguing although everyone already agrees with you.
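The property argued over in this thread (a U2F signature is only valid for the site it was made for, while a TOTP code is valid wherever it is relayed) can be shown with a small simulation. The following is an added example, not code from the thread, from Bitwarden or from Krypton: a hypothetical software authenticator, a browser that stamps the origin it is actually displaying into the signed client data, and a relying party that checks that origin. ECDSA is replaced by a per-credential HMAC-SHA256 key as a stand-in, since origin binding does not depend on the signature algorithm; the origins, the `RelyingParty`/`SoftAuthenticator` names and the relay scenarios are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://vault.example"    # hypothetical relying party (constructed)
PHISH_ORIGIN = "https://vau1t.example"   # hypothetical look-alike domain (constructed)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class SoftAuthenticator:
    """Hypothetical software U2F-style token. HMAC-SHA256 stands in for ECDSA."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._counter = 0

    def register(self, app_id: str) -> tuple[str, bytes]:
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[handle] = key
        return handle, key  # a real token returns a public key; the stand-in shares a MAC key

    def sign(self, handle: str, app_id: str, client_data: bytes) -> tuple[int, bytes]:
        self._counter += 1  # monotonic counter lets the site detect replays and clones
        to_sign = (hashlib.sha256(app_id.encode()).digest()
                   + struct.pack(">I", self._counter)
                   + hashlib.sha256(client_data).digest())
        return self._counter, hmac.new(self._keys[handle], to_sign, hashlib.sha256).digest()


def browser_sign(token: SoftAuthenticator, handle: str, page_origin: str, challenge: str):
    """The browser, not the page, writes the origin it is showing into clientData and
    uses it as the app id, so a look-alike page cannot claim the real site's origin."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    counter, sig = token.sign(handle, page_origin, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.creds: dict[str, tuple[bytes, int]] = {}  # handle -> (verify key, last counter)
        self.outstanding: set[str] = set()

    def enroll(self, handle: str, key: bytes) -> None:
        self.creds[handle] = (key, 0)

    def challenge(self) -> str:
        c = secrets.token_urlsafe(16)
        self.outstanding.add(c)
        return c

    def verify(self, handle: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        key, last = self.creds[handle]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") not in self.outstanding:
            return False  # signed for another site, or unknown/replayed challenge
        if counter <= last:
            return False  # counter went backwards: replay or cloned key
        expected = hmac.new(key, hashlib.sha256(self.origin.encode()).digest()
                            + struct.pack(">I", counter)
                            + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.outstanding.discard(cd["challenge"])
        self.creds[handle] = (key, counter)
        return True


def run_scenarios(now: int = 1_700_000_000) -> dict[str, bool]:
    """Relay scenario: a look-alike page forwards whatever the victim produces to the real site."""
    results = {}
    # TOTP: six digits, valid wherever they are typed or forwarded within the time step.
    totp_secret = secrets.token_bytes(20)
    code_typed_on_phish = totp(totp_secret, now)
    results["totp_relayed_accepted"] = hmac.compare_digest(totp(totp_secret, now), code_typed_on_phish)

    token, rp = SoftAuthenticator(), RelyingParty(REAL_ORIGIN)
    handle, key = token.register(REAL_ORIGIN)
    rp.enroll(handle, key)

    # Honest login from the real origin.
    c = rp.challenge()
    results["u2f_real_origin_accepted"] = rp.verify(handle, *browser_sign(token, handle, REAL_ORIGIN, c))

    # Relay: the look-alike page shows a real challenge, the user approves, the result is forwarded.
    c = rp.challenge()
    cd, ctr, sig = browser_sign(token, handle, PHISH_ORIGIN, c)
    results["u2f_relayed_accepted"] = rp.verify(handle, cd, ctr, sig)

    # Rewriting the origin field does not help: the signature covered the original bytes.
    forged = json.dumps({**json.loads(cd), "origin": REAL_ORIGIN}, sort_keys=True).encode()
    results["u2f_tampered_accepted"] = rp.verify(handle, forged, ctr, sig)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The two U2F rejections come from different checks: the relayed assertion fails the origin comparison on `clientData`, and the tampered one passes that comparison but fails signature verification because the origin is also covered by the signed hash. The TOTP code passes unchanged, which is the gap the thread is discussing; the counter check is the separate clone/replay defence that a hardware token provides and a software emulator can only approximate.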