Browser extension keeps taking over passkeys

I use a Yubikey as 2FA on websites that support it. However, once Bitwarden autofills my username and password, when these sites prompt me to use my Yubikey as 2FA, Bitwarden pops up saying I have no passkeys for this site and I have to click “Use your device or hardware key”, and I am getting tired of having to do that on every single site individually. Is there a setting to just disable Bitwarden’s passkey management and always use my device/hardware key on every single site? I do not use (and have no desire to use) passkeys; I just want to keep my password + Yubikey 2FA. Call me crazy, but 2 factors is better than 1.

You probably want to un-check this option in the browser extension:

Settings → Notifications → Ask to save and use passkeys

2 Likes

This is a side comment. You can keep passkeys on your YubiKey, which is considered two factors (the Yubikey that you have and the PIN that you know). Since such passkeys don’t sync to other devices, you’ll need to have backup login methods, possibly including backup YubiKeys.

1 Like

I would have never thought to look in Notifications, thanks.

1 Like

You can keep passkeys on your YubiKey, which is considered two factors (the Yubikey that you have and the PIN that you know).

That is interesting. And I do have 2 Yubikeys: one I always have with me, attached to my keys, and a backup one I keep locked in a safe. I still feel a 50-ish character password (yes, I really do like my long passwords if the site doesn’t arbitrarily limit the length) + Yubikey is still better than a Yubikey + short PIN code, but hey, I’m not a security expert, I could be wrong. Maybe the fact that the password is stored (hopefully hashed) by the site makes it technically less secure, idk.

Me neither… but just two things:

  1. Here is the perspective of the FIDO Alliance on that (though as the “passkey creators”, they might not be 100% objective on that):

  2. The FIDO2-PIN on your YubiKey doesn’t necessarily have to be short:

(source: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs)

And don’t forget that after 8 failed tries in a row, the FIDO2 function gets blocked and IIRC, FIDO2 has to be reset on that YubiKey. (PS: Though that’s one reason why the FIDO2-PIN probably doesn’t have to be as strong as a 50-character “password”…)

Three mitigating factors:

  1. Yubikeys limit the number of PIN attempts to a small number before requiring a more substantial credential to reenable the PIN. This is a defense against brute-force.
  2. A physical presence requirement (e.g. tap the button on the yubikey) greatly reduces the population that can attack the authentication. This reduces the attack surface.
  3. “Unlocking” a Passkey happens completely locally, and then two-way encryption (mTLS) is used to communicate the identity to the server. This significantly mitigates replay attacks.

Not an expert, but “I know a thing or two”.

You may be interested in the quantitative analysis that I performed in the following thread:

That’s good to know. When I think of a PIN I think of a numeric value of maybe 4-6 digits. The length, and that it can be alphanumeric, is good.

I’m curious though: is that PIN per physical Yubikey, or can you have a different PIN for each Passkey stored on it? Granted, arguably 1 PIN is good enough if there is a single password that can grant access to my password manager, for example, but I would still prefer a unique PIN per site, stored in the password manager. Because one of the things I am doing with Bitwarden (the reason I am making the switch from 1Password) is to self host it inside a firewall, so that physical access to my home or a VPN must be used to access the vault, so I would like to keep that layer of security where I keep a site specific PIN in Bitwarden.

It is the so-called FIDO2-PIN that is defined for that YubiKey (so, no different PIN for each stored passkey). You should be able to set such a PIN via the Yubico Authenticator app. (I think the YubiKey Manager is deprecated.)

The GUI version of the YubiKey Manager will reach End-of-Life and become unsupported on Feb. 19, 2026. The CLI version (ykman) will remain supported.

1 Like
