I have noticed recently that when I log in to Bitwarden using the Chrome extension, it no longer asks for my YubiKey. I have logged out and cleared the browser cache, but it still never asks for the key.
If I log in to the Bitwarden website, everything works as I would expect.
Has the extension saved something somewhere that tells it that it does not need the YubiKey? If so, where, and how do you turn it off?
What version of the browser extension are you using (and what version of Chrome, for that matter)? Have you tried it in incognito mode (after authorizing the extension to run in incognito mode)?
I just finished trying each idea. I cleared all data and cookies. I ran in incognito mode. Despite explicitly logging out, it still does not ask for the YubiKey.
It is like the browser or the extension is holding on to the idea that it has already seen the key. Of course this should be cleared when you log out.
Chrome Extension Version 2023.2.0, Server 2023.2.0
A few more ideas:
Log in to the Web Vault, and select the option to deauthorize all sessions (this is in the “Danger Zone” under the Account Settings).
Is this an Android device by any chance? I’ve recently seen some WebAuthn-related issues reported for Android devices, although not exactly like yours.
I finally removed the extension, closed the browser, then reinstalled the extension. It started to work properly.
I noticed this time that on the WebAuthn tab there is a checkbox that says “Remember Me”. If you check this box, it will never ask you for the key again, ever! The only way I know to uncheck it is by reinstalling the extension.
If you explicitly logout, it should clear this setting.
Actually, my suggestion above will also work (deauthorize sessions from the web vault).
You can think of the 2FA “remember me” option as a declaration that your device is to be trusted — i.e., having possession of the device is the second factor.
Logging in to your Bitwarden vault serves a different purpose. It establishes that both authentication factors are presented, which authorizes your device to store a local copy of the encrypted vault, and to send vault changes to the cloud database. Logging out purges the local vault cache and revokes the authorization to modify the cloud data. However, it does not automatically revoke the status of your device as a trusted second factor.
The solution is simple — avoid the “Remember Me” option.