Could we make it possible for the Provider Admin accounts to either:
- Have access to FIDO2 MFA via Yubico/Duo/WebAuthn, without requiring an additional subscription
- Be supported for SSO integration, thus leveraging external IDP MFA

For most MSP organisations, staff will have a standard user account and a separate admin account, to be used for non-privileged and privileged tasks, respectively.
With this config, staff managing MSP clients will have a standard user logon for Bitwarden, granting access to the company vault, and a separate administrative logon, used to manage and support clients through the Provider Portal.
Currently, accounts configured in the Bitwarden Provider Portal as Provider Admins cannot be integrated with an external IDP, and use of strong MFA is blocked due to subscription restrictions.
As these admin accounts have full access to all managed organisations, and by extension, access to all managed organisations' shared secrets, best practice would have us secure these accounts behind phishing-resistant MFA.