Why should non-paying users gain access to FIDO2 WebAuthn?
Currently, free users have access to two 2FA options, both of which are a form of TOTP that does not use a dedicated physical authentication device. Unfortunately this means free users are still susceptible to phishing attacks. While some may blame the user in this case, many can corroborate that even the best of us let our guard down from time to time. While I am a happy premium user, I understand firsthand how difficult it can be to convince others to invest in the benefits of FIDO2 WebAuthn alongside Bitwarden Premium.
Furthermore, allowing free users to use FIDO2 WebAuthn would give entry level users a single physical device authentication option which would eliminate the possibility of phishing attacks.
FIDO2 WebAuthn can still be a premium feature
Currently, paying users can add up to five FIDO2 WebAuthn devices to their Bitwarden account. Free users, for example, could be allowed only two. This would allow free users to access an important security feature; however, it would still give people an incentive to purchase Bitwarden at the same time.
Bitwarden and accessible security
Bitwarden is doing an amazing job at giving people the option for great security without going out of pocket when a user isn’t willing or is simply unable to. I personally recommend Bitwarden to all my family and friends for this and many other reasons.
Agreed, the thought of allowing only one or two WebAuthn devices for free users sounds great. It feels weird to me to lock account security features behind a paywall. Wouldn’t it make more sense for free users to be able to protect their accounts adequately and have a good enough experience to upgrade to premium?
I know several people whose use case doesn’t require Bitwarden premium, or they haven’t used it long enough to decide whether they’re ready to purchase premium yet. These users shouldn’t be made to use the less secure Yubico OTP.
It seems reasonable to allow free users fewer security keys (in turn, less data stored) than paid users. And perhaps bump up the paid user limit to 10. With Cloudflare’s partnership last year with Yubico, people have more YubiKeys than ever. Also, a lot of phones, Motorola U.S. versions specifically, do not have NFC. This causes people to need to purchase USB-C security keys, which are more likely to be used only for a phone as many PCs don’t have USB-C ports.
Since you were asking for our opinions, here is mine:
Premium is $10 p.a. Bitwarden free is already insanely good and very secure, even without hardware authentication. I understand you’d like to get even more of the advanced stuff for free, but if it’s that important for you, why don’t you get yourself an upgrade for 10 bucks? It’s still a steal.
FIDO2 is a “pro” feature imo. Most people won’t even know what FIDO is. So, I don’t want to trivialize your point here, but again, it seems super dainty to complain about it. How’s Bitwarden going to make money if they give away every feature for free?
Again, just my thoughts, I don’t want to criticize your request.
People who have FIDO2 / WebAuthn or Yubico keys have proven that they are willing to pay for security, so the free option doesn’t seem applicable!
That said, one can end up with a lot of keys over time, so the limit of 5 should be doubled to 10, which is still manageable and needed for people with multiple phones, multiple laptops, multiple desktops, a keyring, and a safely-stored backup key.
I don’t know who would need 5 or 10 keys. Maybe three: 1 safety deposit box; 1 home; 1 key chain. But, the more you have, the easier it is for them to disappear and that’s a security risk. I don’t think providing WebAuthn for free to a couple of devices and then premium gets 5+ has a lot of practical value for most.
I agree with the comment above that people who use security keys already have a demonstrated need and have proven they are willing to pay for it so also paying $10 Premium level is going to be seen as fair and good value. Who would think they should be able to get a free service to use up to two $45-$85 keys?
$10 is great value! Plus, the Free Bitwarden account is robust, with 2FA, unlimited passwords, unlimited devices. The other major competitors don’t ever try to match that. I am happy to support Bitwarden corporate for $10 a year for this actively developed, open source product, even if it means I’m subsidizing millions of free accounts.
About the number of keys: for work and home each there is a desktop, a laptop and a phone (6 devices). Each device either has a nano-key living in one of the ports, or TPM-based FIDO2 built-in.
Then there are two keychain keys, and Windows Hello seems to be addable on Microsoft-owned properties.
That’s already 9 WebAuthn factors. So yeah, 5 is not enough!
But, agreed, if someone is to pay for even one key, they should be willing to pay $10/yr for Bitwarden.
I’m torn on the free user part. I don’t like the idea of charging money for account security features. To my knowledge, Yubico OTP has no phishing resistance, unlike WebAuthn. Also, not everyone purchases their security keys at anywhere near $45. Microsoft and Cloudflare have had promotions with Yubico, making them only $10 per key. There are also other cheaper security keys that support WebAuthn. However, I recognize that it’s very unlikely for Bitwarden to change this, since Advanced 2FA is listed as one of the premium features on the home page, and likely other areas.
I have upvoted the below thread. I have a few YubiKeys stored at my residence, and then a couple stored at various other residences of family members. It’s very easy to surpass the five key limit, especially if you’re using a phone that doesn’t have NFC (my immediate family all have > 2020 Motorola phones that don’t support NFC). Then you need to get multiple USB-C security keys and multiple USB-A security keys.