I looked through the posted articles, and I think the answer is this can not be done.
I have a paid account, from the web portal/login/vault I want to set a policy that all clients are required to use MFA and not count on the setup of the local client/extension.
Anyone have a way to do this?
Thx!
Its does if you have the larger account, that is not an option under the personnel paid account
Are you requesting to have this same feature as described above within the Families Organization?
Or to ensure MFA for use with the Premium Individual account?
As far as I am aware, so long as you have not selected the Remember me option, if your account (free or premium) has 2FA setup, then this will require verification during Login, but not for Unlock.
My guess is that they are on the “Teams” plan, which does not have enterprise policies.
Sorry I was not clear, yes it is a premium individual membership. I have several devices connected to it, at wanted to setup MFA as a requirement in one place rather then setting it up each time. I have different vaults based on where I am accessing it from.
You only need to set up 2FA once for each vault, and this 2FA set-up will then apply to every device & client app used to access that vault.
Sorry, I am not seeing how. When I log into my webvault, there are no options to configure MFA which would be inherited by other connecting clients.
In the Web Vault, after you have set up a 2FA method (and saved the 2FA recovery code), use the option to Deauthorize Sessions (in the “Danger Zone” area). Then attempt to log in from one of your other clients. What happens — are you able to log in without 2FA?
Sadly that is not the behavior I am experiencing. MFA (Yubikey) is required to access my web vault, it is setup that way. It is not enforced ‘downstream’ to clients connecting, unless you manually configure the client itself.
Could you clarify this a bit more? As long as you have MFA setup on your Bitwarden Vault this should ask for your 2FA login for Yubikey (or whatever other 2FA methods are setup for your account) at every login.
The only cases this wouldn’t be prompted for 2FA would be if you are either Unlocking and not Logging in (as you already have your Vault data locally and only need to decrypt it, not authenticate yourself) or possibly if you have selected the Remember me option as described, which will not prompt you for 2FA for another 30 days
Were you able to try the steps outlined by @grb to Deauthorize sessions within your web-vault?