My Yubikey works and is set up. But Bitwarden says:
This account has two-step login enabled. However, none of the configured two-step providers are supported by this device. Please add additional providers that are better supported across devices (such as an authenticator app).
Yubikey FIDO U2F is supported on Linux. But Bitwarden doesn’t recognize any U2F implementation on the OS. This issue is difficult for me to fix because it combines 3 quite niche products - Yubikey, Bitwarden and Arch. I have asked this same question in an Arch community and I’m waiting for a response.
Understood. The only other workaround I can think of is to run the browser extension as an SSB app in a dedicated browser. That would be secure, and you would still have the functionality of the desktop app. I use WebCatalog for such purposes, but I think both Chrome and Firefox can create SSB apps natively, as well.
Could you elaborate a little on your post above this one? I use the BW FF extension on my Linux box and it works well. I don’t worry much about being hacked on a Linux box, but it can and does happen. I am trying to assess whether or not the gain in security using an SSB app would be worth the “learning curve”. I already use FF profiles when using BW, as opposed to generic surfing FF instances. Thoughts or links to give me a steer?
If you are comfortable using the Bitwarden browser extension already, I wouldn’t bother with an SSB app. But if you have security concerns (e.g., the extension has full access to every site you visit), you could isolate the extension in an SSB app using a dedicated browser. That way, it would be entirely independent of your activity on your main browser, in theory anyways.
In my mind, the most secure way to access Bitwarden would be in a native desktop app, in Linux (QubesOS VM even better). The second best option is to use the web app. The extension has even more flaws than the web app and there are privacy concerns as well as security concerns. Also, I only use Bitwarden as an online backup for my KeePass database, therefore the extension is completely useless for me.
Site Specific Browser app. It essentially encapsulates a single website within an app-like interface, complete with a menu bar.
I like WebCatalog, although there are lots of other solutions. ICE - SSB is apparently popular with Linux users, especially those running Ubuntu-based distros (it is available for other flavours of Linux too).
@k2ttulr3fxuz Would you mind elaborating on your claims about security and privacy issues with the browser extension (especially security concerns that may exist in the extension but not in the web vault)?
@dh024 So an SSB appears to be a stripped-down browser, but how can you add a Bitwarden browser extension to it? Which of the 8 available browser extensions would work with, say, WebCatalog? I’m confused because if an SSB is restricted so that it can only interact with a single website, how will it also be able to interact with Bitwarden’s servers through a browser extension?
You can load the extension in a browser window with a URI. There was a recent thread that provided the URLs for many different browsers, but I can’t seem to put my finger on it right now.
But the easy way to determine the BW extension URI in your own browser is to lock your vault, then go to any login page, push CTRL/CMD+Shift+L to fill, and the extension will open in a tab prompting you to unlock. Just grab the URI there.
For example, the Firefox extension on my MacBook is:
OK, I think the post you are referring to is this one:
But this method will basically open the extension within the body of the browser, not in the form of an “extension”. So would there be any benefit of launching the browser extension in an SSB as opposed to launching the web vault in an SSB?
What I thought you meant when you said to use the extension in an SSB was something like setting up an SSB to access, say, my online banking website, but be able to use the browser extension to autofill the login credentials.
I don’t have enough technical knowledge to do that. Don’t take my word for it, look it up. I remember hearing about security flaws in password manager web extensions several years ago when I was using them.
Sorry I didn’t post back sooner. So in my setup I am using the BW extension in a dedicated FF instance/profile opened ONLY while accessing BW vault accounts. 90% of my workspace activity happens on other browser instances/profiles and the VAST majority of those are on the TBB. I forgot to mention that ALL workspace is locked inside of a VM created for the purpose.
dh024, I do concur that it is likely my gain would be very nominal by adding SSB. I did some reading/homework since I posted above and it doesn’t seem to add much from my perspective. If I used one soft generic FF profile, a Windows OS (no thanks), no VPN, no TOR, and no VM, then maybe.