Expand Inactive 2FA Report to include Fido2 etc

Feature name

  • Report on inactive 2FA
    Give users the option to set an active 2FA method; currently it's only scanned for TOTP support and an input in the TOTP field.

Feature function

  • What will this feature do differently?
    Let users document the 2FA method they use and get notified when a service implements a new 2FA method like FIDO2 WebAuthn.

  • What benefits will this feature bring?
    More security, because users will be informed which 2FA methods are available on their accounts and which methods they are currently using.


Hey @itsdom thanks for the suggestion. Bitwarden currently uses 2FA Directory (Canada) for the Inactive 2FA Report, so you might also want to suggest it there: Issues · 2factorauth/twofactorauth · GitHub

Thanks for answering. I may not have explained it correctly. The 2FA report is great, but it currently only shows users when they haven't set TOTP in Bitwarden. My suggestion is that the user can tell his Bitwarden client whether he's using 2FA and what type, so that the 2FA report can not only flag unused TOTP but also inform the user if he's able to use another 2FA method.
Also, when a feature like this comes, it would be great to have a dedicated page with all your accounts that use 2FA, like the TOTP page in the app shows me now.
Currently I am using a spreadsheet to track which 2FA method I use on which account and what backup solution I have, like another YubiKey or backup codes. Implementing something like a database for all this information would be great to see. Also, if I saw it correctly, there is a plan to support passwordless login like WebAuthn in the future, so this could be the first step toward that goal, because all future features will profit from this. It's really difficult right now to keep track of all your 2FA methods, not so much the hardware keys themselves but rather what you use where. By implementing all this information in Bitwarden, Bitwarden can give users more information about how to secure their accounts even more, such as whether there is a better 2FA solution available than the one you're currently using.
I know for now it seems very futuristic, because the "standard" is TOTP, but some sites still only support third-party apps, SMS or, worse, email. But the future will hopefully be key-based authentication, like the FIDO2 standard with WebAuthn or U2F.
As a tech-loving person and security lover, I would love to see a future where people can easily understand whether their accounts are secure enough or whether they can do something to improve it by adding 2FA or maybe something else.
These reports are great. But, as I understand, only on the web app. Maybe also sending them like a newsletter once a month by email or so would be cool.

Thanks for the clarity. In the meantime, some community members add emojis to the vault item to indicate keys etc. 🔑

U2F/FIDO2 MFA Report

  • A new report to help users increase security practices above and beyond TOTP.

Feature function

  • This will add a new report, or augment the existing Inactive 2FA Report, to show vault items that can be secured with U2F or FIDO2 devices.
  • The feature should also add a checkbox to Vault Items to mark items as FIDO2 or U2F secured so that they won’t show up in the 2FA or this proposed report.

+1 I like it! Great suggestion.

Yes, if I could put a few checkmarks in boxes so that I know what I use for 2FA, not necessarily what Bitwarden keeps track of for me, that would be very powerful. For example, if I use a YubiKey, or a YubiKey for TOTP, or if I printed my recovery codes, Bitwarden doesn’t know that. But I’d love to see that summarized in a list so I’d know the 2FA status of all my accounts at a glance.
That, along with the last time I changed my password, would be great for keeping track of account security.
