Company Policy to Restrict and Enforce Specific MFA Methods

Description

With the upcoming NIS2 directive, the implementation of multi-factor authentication (MFA) for accessing critical systems and sensitive data will become mandatory. While Bitwarden already supports various MFA methods, there is currently no centralized company policy that allows administrators to define which MFA methods are permitted or required.

Problem:

  • Users often choose the simplest, but not necessarily the most secure method, even when stronger options are available.
  • Companies that want to enforce the use of Passkeys and/or Yubico security keys cannot currently do so at a system-wide level.
  • Compliance with security standards such as NIS2, ISO 27001, or NIST 800-63B is more difficult without a unified MFA policy.

Proposed Solution

A Bitwarden Enterprise administrative policy that enables companies to enforce or restrict specific MFA methods.

Possible Features:

  • Whitelist or blacklist for MFA methods (e.g., only allowing Passkeys and Yubico security keys).
  • Mandatory MFA enforcement for all users before login.
  • Detailed reporting options to track which MFA methods users have enabled.

Benefits for Companies

  • Increased security by ensuring only strong MFA methods are used.
  • Regulatory compliance (e.g., NIS2, ISO 27001).
  • Prevention of insecure authentication methods through company-wide enforcement.

We would appreciate it if this feature could be considered for future Bitwarden releases.
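A worked model of the policy semantics described under "Possible Features", added here as an illustration and not Bitwarden's own code or API: an allowlist/denylist of MFA methods, the mandatory-MFA check before login, and a per-user report of usable versus blocked methods. The method labels and sample users are constructed.

```python
# Added illustration of the proposed policy semantics; not Bitwarden's own code or API.
# Method names are constructed labels, not Bitwarden identifiers.
from dataclasses import dataclass

KNOWN_METHODS = {"authenticator_app", "email", "passkey", "yubikey"}

@dataclass(frozen=True)
class MfaPolicy:
    """mode='allow': only `methods` may be used; mode='deny': `methods` are forbidden."""
    mode: str
    methods: frozenset
    require_mfa: bool = True  # "mandatory MFA enforcement for all users before login"

    def __post_init__(self):
        if self.mode not in ("allow", "deny"):
            raise ValueError(f"unknown policy mode: {self.mode}")
        if not set(self.methods) <= KNOWN_METHODS:
            raise ValueError(f"unknown MFA methods: {sorted(set(self.methods) - KNOWN_METHODS)}")

    def permits(self, method: str) -> bool:
        listed = method in self.methods
        return listed if self.mode == "allow" else not listed

def usable_methods(policy: MfaPolicy, enabled: set) -> set:
    """Enrolled methods the policy still lets the user present."""
    return {m for m in enabled if policy.permits(m)}

def login_decision(policy: MfaPolicy, enabled: set) -> tuple:
    """(allowed, reason). Enrolled-but-blocked methods count as no MFA at all."""
    usable = usable_methods(policy, enabled)
    if usable:
        return True, "second factor required: " + ", ".join(sorted(usable))
    if policy.require_mfa:
        return False, "no permitted MFA method enrolled; enroll one before login"
    return True, "MFA not required by policy"

def compliance_report(policy: MfaPolicy, users: dict) -> dict:
    """Per-user rows for the proposed reporting feature: usable vs. blocked methods."""
    report = {}
    for name, enabled in users.items():
        usable = usable_methods(policy, enabled)
        report[name] = {"can_log_in": login_decision(policy, enabled)[0],
                        "usable": sorted(usable), "blocked": sorted(set(enabled) - usable)}
    return report

# Constructed sample: only passkeys and YubiKeys permitted, MFA mandatory.
POLICY = MfaPolicy(mode="allow", methods=frozenset({"passkey", "yubikey"}))
USERS = {"alice": {"passkey", "email"}, "bob": {"authenticator_app"}, "carol": set()}
```

Running `compliance_report(POLICY, USERS)` shows the practical effect of such a policy: a user whose only enrolled method is blocked is in the same position as a user with no MFA, so rollout needs an enrollment step before enforcement is switched on.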