Allow option to only require 2FA when not using Enterprise SSO

Feature name

  • Allow a policy to enforce 2FA only when not using Enterprise SSO

Feature function

  • Allow clients to bypass 2FA when using Enterprise SSO. Many enterprise SSO/identity providers have their own 2FA, and requiring 2FA in Bitwarden on top of the enterprise 2FA results in a tedious and redundant login process. Duo is an example of an identity provider that has its own 2FA built in.
  • What benefits will this feature bring?
    This feature reduces login complexity and redundancy for accounts that either belong to multiple organizations (such as a work and a family organization) or otherwise can't enable Enterprise-SSO-only logins. As it stands today, if an organization uses Duo as its identity provider via SAML 2.0 and uses Enterprise SSO in Bitwarden, users are redirected to Duo's SAML process, verify with Duo using their designated 2FA methods, are redirected back to Bitwarden and have to do 2FA again (potentially ALSO with Duo), and then subsequently have to enter their vault password. However, if 2FA isn't required, then users in the org who do not use Enterprise SSO (because of multiple organization membership) are not required to enable 2FA and are left with a less secure posture.

Having a policy that requires 2FA only when NOT using Enterprise SSO eliminates this complexity, redundancy and, ultimately, pain, enhancing the user experience and easing adoption/buy-in.
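As an added illustration (not Bitwarden code and not part of the original request), here is a small policy evaluator in Python that models the proposed "require 2FA unless Enterprise SSO" setting next to today's "always" setting, including the multi-organization case where the most restrictive org wins; all names and sample data are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class TwoFactorPolicy(Enum):
    NONE = "none"              # org does not require 2FA
    ALWAYS = "always"          # current policy: 2FA on every login, SSO or not
    UNLESS_SSO = "unless_sso"  # proposed: 2FA only when not using Enterprise SSO


class LoginMethod(Enum):
    PASSWORD = "password"
    ENTERPRISE_SSO = "enterprise_sso"


@dataclass
class Organization:
    name: str
    policy: TwoFactorPolicy


@dataclass
class User:
    email: str
    has_two_factor: bool                     # has the user enrolled a 2FA method?
    orgs: list = field(default_factory=list)  # every org the account belongs to


def org_requires_2fa(org: Organization, method: LoginMethod) -> bool:
    """Does this single org's policy demand Bitwarden 2FA for this login method?"""
    if org.policy is TwoFactorPolicy.ALWAYS:
        return True
    if org.policy is TwoFactorPolicy.UNLESS_SSO:
        # The IdP already performed its own 2FA on the SSO path, so only
        # password logins still need Bitwarden's second factor.
        return method is not LoginMethod.ENTERPRISE_SSO
    return False


def two_factor_required(user: User, method: LoginMethod) -> bool:
    """Most restrictive membership wins: any org requiring 2FA makes it required."""
    return any(org_requires_2fa(org, method) for org in user.orgs)


def login_allowed(user: User, method: LoginMethod) -> bool:
    """Block the login if some org requires 2FA and the user has not enrolled it."""
    return user.has_two_factor or not two_factor_required(user, method)


# Constructed sample data: a work org on the proposed policy plus a family org.
WORK = Organization("work", TwoFactorPolicy.UNLESS_SSO)
FAMILY = Organization("family", TwoFactorPolicy.NONE)
ALICE = User("alice@example.com", has_two_factor=False, orgs=[WORK, FAMILY])
```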