Installation of either Yubikey or FIDO2 WebAuthn 2FA is done via bitwarden.com and seems to be without any reference to what device(s) will be affected. If I install Yubikey 2FA with the intention of using it with my desktop and continuing to use Face ID on my iPhone, will my phone always require me to bypass Yubikey by touching “Use another two-step login method”?
Face ID is not relevant in this context. You only use 2FA (whether by Yubikey OTP or FIDO2/WebAuthn, or any other method) during the process of logging in to a Bitwarden client that has been logged out (or a new installation). Face ID (or other biometrics) can be used for unlocking a vault in a Bitwarden client that is already logged in, but you cannot use biometrics to log in to Bitwarden, whether you use a Yubikey or not.
I notice that without 2FA, logging in and unlocking are virtually identical for me on both the desktop/macOS browser extension and iOS. Logging in requires a user ID / email address, but that is pre-filled. Logging in takes a few seconds longer to get to the Vault display. I haven’t logged out on either for a long time, prior to today’s experiment. I guess I’d log out only on a laptop and maybe iPhone prior to travel?
If your local vault is locked using your master password, and if your local vault is sufficiently strong to be uncrackable, then you don’t need to log out — even if your device is stolen or confiscated, it will be impossible to unlock your vault.
The exception may be if you are concerned (depending on your circumstances) that some authority may confiscate your device and compel you to disclose your master password. If you anticipate such a risk, you should probably log out (and uninstall Bitwarden, or log in to a decoy vault) — for the purpose of achieving so-called “plausible deniability”.
Actually, I have seen a user reporting that he can use the iPhone itself as a FIDO2/WebAuthn device. If you can set this up, you can add your phone as an additional key that you can use to provide 2FA authentication via Face ID. Unfortunately, I don’t have a link on how to set this up (and I don’t use an iPhone). See the allusion to Touch ID in BW’s instructions (Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center).
@Neuron5569, interesting! I infer from the results of my web search that the user you mention may be a developer. In any case it seems that for non-developer users iPhone as an authenticator for other devices won’t be long in coming.
Here are some Reddit posts/comments that might be relevant: