Enterprise Security Changes

We’ve employed Bitwarden within our company. However, I’ve found some obvious security concerns. From the main organization admin panel, as the account owner, I should be able to do several things.

  1. Deauthorize a user session associated with my organization.

  2. Enforce 2FA, and not allow the user to select their own 2FA method, or limit which 2FA methods they can pick (e.g. disallow email, but allow an authenticator).

  3. Password rotation report. Being able to generate a report on passwords that are XX days old.

  4. Enforce/prompt password rotation, through a global policy or collection policies. Create an alert for when an item is accessed, telling the user that the password is XX days old and should be rotated in accordance with company policy.

  5. Enforce master password complexity and rotation times for users associated with an organization.

  6. Disallow users from exporting the contents of the organization vault.

This is not a complete list, just some items I’ve observed over the past couple of days as we’ve rolled this out. This is a great product, and I’d love to see it become even greater. Having an “Enterprise” option is awesome, and I’d love to see it truly become Enterprise.