I am trying to figure out the best practice for setting up a Yubikey series 5 on Bitwarden. Initially, I saw the Yubikey option in settings so just selected that. Easy and done, and what I do for my other services like Google (is Google using Yubikey OTP or WebAuthn?). I then realized you can set up the Yubikey via WebAuthn, which I did as well, as an experiment. I didn’t erase the Yubikey OTP options, to be safe.
Yubi via WebAuthn works on Brave via web. Works on Brave Bitwarden extension. Seems to automatically revert to Yubikey OTP when signing into the Mac desktop app, which tells me I can’t disable the Yubikey OTP option. Works on iOS app via Yubikey NFC.
I can still get in on all my devices but I would welcome some best practice guidance and better understanding of the risk in using one method over the other or in combination. Thanks.
A recent discussion on Reddit indicates that Yubikey OTP sometimes causes trouble when logging in to Bitwarden, suggesting that the Yubikey OTP option should not be enabled for Bitwarden; on the other hand, another contribution to the same discussion states that Yubikey OTP is required to get NFC to work on iOS. The whole thread is worth a read. I’ve also read in a comment on a different Reddit thread that Yubikey OTP makes the Yubikey act as a USB keyboard, which is “vulnerable to on-path attacks”. In addition, the number of services that support Yubikey OTP is small.
You can use this tool to find which Yubikey protocols work on which websites/apps.
I am playing with both Yubikey OTP and WebAuthn for Bitwarden. Neither requires a PIN unless you set it.
Bitwarden intentionally pushes you toward Yubikey OTP with the 2FA Yubikey branding. I assume maybe because it’s the more broadly implemented standard right now? There is nothing which indicates that you can also set your Yubikey up under WebAuthn. I just tried it and it worked and began to experiment.
Google Accounts is Yubikey OTP, I believe, unless you are enrolled in Advanced Protection. This is what the link to the directory noted by the poster above indicates. But there is nothing which clearly indicates this within Google settings and the workflows look basically the same. So you are left wondering which one was utilized. At least in Bitwarden it’s easy to tell as the pop-ups are different when you tap the key.
I would like to disable Yubikey OTP in Bitwarden settings but the Bitwarden desktop app seems to fall back to it and bypass WebAuthn so I need either both enabled or to stick with OTP. Having both enabled doesn’t seem to present any issues.
WebAuthn definitely authenticates faster than OTP. It’s fast.
Distinguishing between the two is all very opaque across services and in documentation.
WebAuthn (aka FIDO2) is more secure than Yubico OTP (the FIDO protocol protects you against MITM and phishing attacks, OTP does not).
If your key supports both protocols (which Yubikey 5 does), the only valid reason I see for adding Yubico OTP as second factor in Bitwarden is that you will need to log in to your vault on a client that does not support WebAuthn (like CLI or Linux desktop, for example).
Google supports FIDO2, I use my YubiKey 5 like that. I’m not sure if it supports Yubico OTP (I do not need it having WebAuthn).
As for FIDO2 PIN settings on Yubikeys, AFAICT, if you set a PIN for FIDO2, it will not always ask for it when used as second factor. It should ask for it when using discoverable credentials stored in the key (aka resident keys, that’s for passwordless logins).
If you are concerned about someone else gaining access to your YubiKey and using it, I suggest getting a YubiKey Bio (the problem with it is that it only supports WebAuthn via USB, it does not have NFC).
This is the issue with Bitwarden’s Mac desktop app. You need to keep Yubikey OTP enabled so it can fall back to it after WebAuthn fails. WebAuthn works on Bitwarden browser extensions and the iOS mobile app.
Google’s documentation on it is inconsistent, as is Yubikey’s. This tool, under Security Protocol Supported, suggests only U2F is supported for Google Accounts, but Advanced Protection also has FIDO2 listed as supported. However, when I tested this now on two accounts (one Advanced Protection, one not), the pop-ups appeared the same on both and there was no visible auto-population of an OTP when I tapped the security key, so I have to assume both are now FIDO2. Everyone is really blurring the lines between Yubikey OTP and WebAuthn.
Bitwarden’s 2FA set-up under settings could be clearer in directing Yubikey owners to attempt to register WebAuthn first and then OTP. I suspect they don’t because they don’t want customers to only set up WebAuthn and then get locked out of Bitwarden when they try to access it via an app which doesn’t support WebAuthn and the customer becomes confused about why their security key is working inconsistently across Bitwarden apps.
Same here, I use the CLI client on Linux. If that client supported WebAuthn I would even disable Yubico OTP on my YubiKey (I don’t need it anywhere else).
Google was one of the first online services to support U2F (from the FIDO alliance, back then FIDO2 didn’t even exist, FIDO2 was an evolution of U2F).
I guess they support both versions (the older one, U2F, and the newer one, FIDO2, for backwards compatibility with older security keys).
100% agreed. I was also confused with this when I first set up my YubiKey as 2FA on Bitwarden a year ago (I even didn’t know what WebAuthn was then).
If a service (be it Bitwarden or any other one) supports WebAuthn and Yubico OTP, it will always be a little more secure to use the first one when logging in; but there shouldn’t be any problem in adding both protocols as 2FA if you happen to need the less secure one (Yubico OTP) on certain clients.
Most services will ask first for the most secure of your configured second factors which is available where you are trying to login (giving you the option to fall back to a less secure one; Bitwarden certainly does that, so does Google).
When using Yubico OTP on Bitwarden, the validation of the OTP is done by Yubico servers (Bitwarden servers have to query Yubico servers to validate it). Most online services supporting Yubico OTP work this way (although not all of them, Cisco Duo being one which does not rely on Yubico servers to validate the OTPs).
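An added example, not from any poster in this thread and not Bitwarden or Yubico code, making the two points above concrete: a typed Yubico OTP is opaque text that only the validation server (with the key's AES secret) can check and that any page can accept, whereas a WebAuthn assertion carries a browser-supplied origin that the relying party verifies. The sample OTP, the relying-party origin https://rp.example and all function names are constructed for this demo.

```python
import base64
import json

# Modhex alphabet used by Yubico OTP: 'c'..'v' stand for hex digits 0..f.
MODHEX = "cbdefghijklnrtuv"

def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to raw bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a modhex string")
    return bytes.fromhex("".join(f"{MODHEX.index(ch):x}" for ch in s))

def parse_yubico_otp(otp: str) -> dict:
    """Split a typed Yubico OTP into public ID and encrypted token.
    The trailing 32 modhex chars are a 16-byte AES-encrypted token that
    only the validation server can decrypt; the leading chars (12 in the
    factory configuration) are the key's public ID. Nothing is bound to
    the site: the string is plain keystrokes, accepted by any page."""
    if len(otp) < 32:
        raise ValueError("Yubico OTP is at least 32 modhex characters")
    public_id, token = otp[:-32], otp[-32:]
    return {
        "public_id": modhex_decode(public_id).hex(),
        "token": modhex_decode(token).hex(),
        "offline_verifiable": False,  # needs the validator's AES key
    }

def webauthn_origin_check(client_data_b64url: str, expected_origin: str,
                          expected_challenge: str) -> bool:
    """Relying-party check of a WebAuthn assertion's clientDataJSON.
    The browser, not the user, fills in 'origin', and the key signs over
    a hash of this JSON, so an assertion produced on a look-alike site
    carries the wrong origin and is rejected here."""
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin
            and data.get("challenge") == expected_challenge)

# Constructed sample OTP (not a real credential): 12-char public ID + token.
SAMPLE_OTP = "cccccccccccc" + "v" * 32

def make_client_data(origin: str, challenge: str) -> str:
    """Build base64url clientDataJSON the way a browser would, for the demo."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```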
@222 Hi, just wanted to chime in with my thoughts. In my experience, WebAuthn Yubikey works on web vault, phone and browser extensions. macOS desktop only works with Yubikey OTP; however, on macOS you can set up WebAuthn using Touch ID, so this may satisfy some users.
This is exactly how I have it set up. Once Bitwarden introduces WebAuthn for its desktop app, I will disable OTP.
By the way, when you say WebAuthn using Touch ID you mean for the browser extension, right? Or do you mean the Touch ID with the desktop app? I never understood that to be WebAuthn, just iOS biometric stored on its Secure Enclave.
Exactly. Touch ID on the desktop app uses iOS biometric on the Secure Enclave. To clarify, I meant that while you can’t use WebAuthn on the desktop app, if you use Yubikey OTP or another form of 2FA susceptible to phishing (in theory), you are still very low risk as you are not using it often, since Touch ID can be used to access the app after the initial sign-in.
As far as WebAuthn on Android (someone had mentioned this further up in the conversation), mine works fine. I’m using my Yubikey with NFC, I tap the key to the NFC reader on the back of the phone, a WebAuthn page loads (I’m using Brave as my default browser) and I’m authenticated to the Bitwarden mobile app.