FIDO2 on Linux (Arch)

Hello,

I am trying to get Bitwarden to accept my Yubikey on Arch Linux.

I have followed the instructions on the following articles:

https://wiki.archlinux.org/title/Universal_2nd_Factor
https://wiki.archlinux.org/title/YubiKey

My Yubikey works and is set up. But Bitwarden says:

This account has two-step login enabled. However, none of the configured two-step providers are supported by this device. Please add additional providers that are better supported across devices (such as an authenticator app).

Yubikey FIDO U2F is supported on Linux. But Bitwarden doesn’t recognize any U2F implementation on the OS. This issue is difficult for me to fix because it combines 3 quite niche products - Yubikey, Bitwarden and Arch. I have asked this same question in an Arch community and I’m waiting for a response.

Hello @k2ttulr3fxuz - welcome to the Bitwarden community.

Does the Yubikey work for authentication using the browser itself? For example, will it work to authenticate to your web vault at https://vault.bitwarden.com?

Or are you trying to use this to authenticate to the Bitwarden desktop app? If so, that’s not supported yet, unfortunately.

FIDO2 WebAuthn cannot be used on all Bitwarden applications. Enable another two-step login method in order to access your vault on unsupported applications. Supported applications include:

See: Two-step Login via FIDO2 WebAuthn | Bitwarden Help & Support

It works on browser.

I see, thank you for that information. Is it worth making a feature request? Although I doubt it hasn’t been suggested already.

Definitely add your vote to the feature request! I want to see this, too. In the meantime, I just use the Bitwarden extension in the browser, which can pretty much do anything the desktop app can do.

Yeah, I’ve been using Bitwarden on browser for years. When I first started using it I was using the extension very briefly, but I don’t trust the extension due to security concerns (the web app also has its security flaws, e.g. JavaScript, but at the moment it seems like the only option apart from using it on Windows, which I don’t want to do).

Understood. The only other workaround I can think of is to run the browser extension as an SSB app in a dedicated browser. That would be secure, and you would still have the functionality of the desktop app. I use WebCatalog for such purposes, but I think both Chrome and Firefox can create SSB apps natively, as well.

David H,

Could you elaborate a little on your post above this one? I use the BW FF extension on my Linux box and it works well. I don’t worry much about being hacked on a Linux box, but it can and does happen. I am trying to assess whether or not the gain in security using an SSB app would be worth the “learning curve”. I already use FF profiles when using BW, as opposed to generic surfing FF instances. Thoughts or links to give me a steer?

If you are comfortable using the Bitwarden browser extension already, I wouldn’t bother with an SSB app. But if you have security concerns (e.g., the extension has full access to every site you visit), you could isolate the extension in an SSB app using a dedicated browser. That way, it would be entirely independent of your activity on your main browser, in theory anyways.

What is an SSB app?

In my mind, the most secure way to access Bitwarden would be in a native desktop app, in Linux (QubesOS VM even better). The second best option is to use the web app. The extension has even more flaws than the web app and there are privacy concerns as well as security concerns. Also, I only use Bitwarden as an online backup for my keepass database, therefore the extension is completely useless for me.

Site Specific Browser app. It essentially encapsulates a single website within an app-like interface, complete with a menu bar.

I like WebCatalog, although there are lots of other solutions. ICE - SSB is apparently popular with Linux users, especially those running Ubuntu-based distros (it is available for other flavours of Linux too).

@k2ttulr3fxuz Would you mind elaborating on your claims about security and privacy issues with the browser extension (especially security concerns that may exist in the extension but not in the web vault)?

@dh024 So an SSB appears to be a stripped-down browser, but how can you add a Bitwarden browser extension to it? Which of the 8 available browser extensions would work with, say, WebCatalog? I’m confused because if an SSB is restricted so that it can only interact with a single website, how will it also be able to interact with Bitwarden’s servers through a browser extension?

You can load the extension in a browser window with a URI. There was a recent thread that provided the URLs for many different browsers, but I can’t seem to put my finger on it right now.

But the easy way to determine the BW extension URI in your own browser is to lock your vault, then go to any login page, push Ctrl/Cmd+Shift+L to fill, and the extension will open in a tab prompting you to unlock. Just grab the URI there.

For example, the Firefox extension on my MacBook is:
moz-extension://a4e39f31-de7e-45fe-92d3-a5d8c56e28a9/popup/index.html

OK, I think the post you are referring to is this one:

But this method will basically open the extension within the body of the browser, not in the form of an “extension”. So would there be any benefit of launching the browser extension in an SSB as opposed to launching the web vault in an SSB?

What I thought you meant when you said to use the extension in an SSB was something like setting up an SSB to access, say, my online banking website, but be able to use the browser extension to autofill login credentials.

No, you wouldn’t get autofill. But the extension behaves most like the desktop app, which was the context of this thread and my suggestion for @k2ttulr3fxuz.

I don’t have enough technical knowledge to do that. Don’t take my word for it, look it up. I remember hearing about security flaws in password manager web extensions several years ago when I was using them.

Sorry I didn’t post back sooner. So in my setup I am using the BW extension in a dedicated FF instance/profile opened ONLY while accessing BW vault accounts. 90% of my workspace activity happens on other browser instances/profiles and the VAST majority of those are on the TBB. I forgot to mention that ALL workspace is locked inside of a VM created for the purpose.

dh024, I do concur that it is likely my gain would be very nominal by adding SSB. I did some reading/homework since I posted above and it doesn’t seem to add much from my perspective. If I used one soft generic FF profile, a Windows OS (no thanks), no VPN, no TOR, and no VM, then maybe.
