In our organization we are trying to set up 2FA wherever it is possible. In Bitwarden it is possible but we cannot force it, so every user can choose whether he wants to set it up or not.
There is also no way to see which users have 2FA activated so that we can talk to them (like in GitHub).
So if it's not possible to force org members to use 2FA, we need to see which users haven't enabled it.
We don’t have any plans for the other “normal” 2FA methods on the organization level since they are not well suited for managing at the organization level. For example, how would you expect to onboard a user to some 2FA method if they are required to have it by an organization and cannot get into their account?
I'm not sure how GitHub or Microsoft handle this exactly, but these organizations also offer 2FA with existing users.
So as a first step a simple warning ("Your Org wants you to enable 2FA") would be nice. With this and the option to check the 2FA status in the admin center, we would be a step forward.
In a second step it could be like GitHub: you can create an account without 2FA, but if you want to join an organization which requires 2FA you first need to enable it.
When true, when adding a new member to an organization or collection in the org, check for 2FA, if disabled, send the invite, when the user visits the link, redirect to 2FA setup before the actual collection join. If they refuse to activate 2FA, throw an error and don’t let them join.
If a user in an org/collection with the flag disables 2FA, warn them they will be removed from the collection/org, and need to be re-invited. Then remove them from the org.
This is how GitHub works. The only extra hoop is for the admin to have to reinvite you when you disable 2FA.
To help this, you could also make a new atomic 2FA update option (aka a screen that requires a backup code or 6 digit code from the current secret, then it takes you to another screen that sets up a new secret, and if the new secret confirmation is not completed, the old secret stays active). That way someone moving to a new device could do so atomically and not be removed from the org.
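The flow proposed in the post above (invite gated on 2FA, removal on disable, and the atomic two-screen secret change), sketched as an added example that is not part of the original thread and not Bitwarden's code. The `Member` and `Org` classes, the return strings and the TOTP-only check (no backup codes) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) as a zero-padded string."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Member:
    """Hypothetical account record, not Bitwarden's data model."""
    def __init__(self, name):
        self.name = name
        self.secret = None   # active TOTP secret; None means 2FA is off
        self.pending = None  # new secret awaiting confirmation

    def begin_rotation(self, current_code, new_secret, now):
        # Screen 1: prove possession of the current secret first.
        if self.secret is None or not hmac.compare_digest(current_code, totp(self.secret, now)):
            return False
        self.pending = new_secret
        return True

    def confirm_rotation(self, new_code, now):
        # Screen 2: swap only once the new secret is proven; else old stays active.
        if self.pending is None or not hmac.compare_digest(new_code, totp(self.pending, now)):
            return False
        self.secret, self.pending = self.pending, None
        return True

class Org:
    """Hypothetical organization carrying the proposed 'require 2FA' flag."""
    def __init__(self, require_2fa):
        self.require_2fa = require_2fa
        self.members = set()

    def accept_invite(self, member):
        if self.require_2fa and member.secret is None:
            return "redirect-to-2fa-setup"  # no join until 2FA is enabled
        self.members.add(member.name)
        return "joined"

    def on_2fa_disabled(self, member):
        member.secret = member.pending = None
        if self.require_2fa:
            self.members.discard(member.name)  # must be re-invited
```

Because the active secret is only replaced inside `confirm_rotation`, an abandoned or failed device change never leaves the member without 2FA, so the removal path in `on_2fa_disabled` is not triggered.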
What about a new setting in the organization? Force people to use 2FA: yes/no
If enabled, a user will see shared collections only if he has enabled one of the 2FA providers.
If he has not enabled a 2FA provider yet, or if he disabled it, he can’t see collections.
If he (re-)enables a 2FA provider, he can see collections.
Quite simple, convenient for users as they can choose their own 2FA provider, and improves organization security.
We would also prefer this solution. For now we have to check the events log manually to verify that each user has 2FA enabled on their account. Luckily the number of users is low for now.
We would also prefer to enforce 2FA, but without having to use the Duo Security option. Currently on track to roll this out in our company, so being able to enforce this is a huge plus.
We’re currently testing Self Hosted Bitwarden.
I totally agree with others, it can be a real dealbreaker if we can’t enforce 2FA for all organization’s users. (especially when you’re ISO27001 certified, with a lot of recurrent audit reviews)
2FA is not an option any more for organizations, they need to control and manage the way it is set up by users.
The problem with the (excellent) DUO possibility is that if you want to force and mostly manage 2FA, you have to subscribe to the 6$ per user per month payment.
That hugely increases the cost of the password management solution from 3$ for Bitwarden to an additional 6$ (twice more than Bitwarden), which makes a total of 9$ per user per month.
Three times more expensive is completely killing the concept of using Bitwarden in enterprise, which is really a pity because it is such an excellent solution compared to other competitors (who even include the 2FA management).
The ideal solution would be to have the 2FA management included in Bitwarden in the same way other password management solutions do, or having a special partnership competitive offer from Bitwarden+DUO. Beyond a total of 6$ per user per month, it’s completely dissuasive.
Surely an option would be to just disable access to an organisation’s collections if 2FA is switched off? Access to everything outside collections could continue to work.
Also I believe there is no way for me to run a report on my users to check who has turned their 2FA on?