✅ Force 2FA for organizations

Though you can see the usage of U2F in the /admin GUI, that's not enough. It's a must-have for ISO 27001.

What is “the /admin GUI”? I don’t see a link to such a thing anywhere on vault.bitwarden.com. How do I get to it?

@jik The admin GUI is only relevant for self hosted installations:
https://help.bitwarden.com/article/admin-portal/

I would also very much like to see which users have 2fa turned on, so that I can manage them.

Being able to force 2fa–without the considerable additional expense of duo–would also be a benefit. I understand there are tricky technical and UX issues to be resolved before that could be implemented.

Perhaps making 2fa status visible should be a separate feature request so that the two issues can be decoupled.

I don’t understand why the maintainers of Bitwarden seem to think this is an impossible problem to solve. LastPass solves it just fine. The lack of this functionality is literally the only thing that’s forcing me to choose between Keeper and Bitwarden for our company. I really, really want to use Bitwarden, but I don’t know if I can justify switching from LastPass to Bitwarden and throwing away the ability to enforce (or at least audit) 2fa.


Adding my 2c to this, I think it's a really important feature.

There are similar flows in many other apps; see GitLab for a great example, enforced at the server level.

Users that don't have 2fa are forced to set it up at login and cannot go further, so you can still log in when it's not enabled, and you can disable it and re-set it up with a new device.
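The GitLab-style flow described in the post above (enforce at login, but leave a setup-only path open so a user without a second factor can still enrol or re-enrol after a device reset), as an added Python example; this is not Bitwarden's or GitLab's code. The Org/User classes, the three session scopes, the admin reset helper and the RFC 4226/6238 test secret are assumptions made for illustration.

```python
"""Org-level 2FA enforcement gate with TOTP enrolment (illustrative, not Bitwarden code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbours; compare in constant time."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-window, window + 1))


@dataclass
class Org:
    name: str
    require_2fa: bool = False          # assumed org-level policy flag


@dataclass
class User:
    email: str
    org: Org
    totp_secret: Optional[bytes] = None     # None = not enrolled
    pending_secret: Optional[bytes] = None  # issued but not yet confirmed


def login(user: User, password_ok: bool, code: Optional[str] = None,
          at: Optional[int] = None) -> str:
    """Session scope after the password step (assumed scopes):
    'full'        -> normal access
    'enroll-only' -> password right, org requires 2FA, user has none;
                     the session may only finish enrolment (the GitLab-style gate)
    'denied'      -> bad password, or enrolled user without a valid code
    """
    if not password_ok:
        return "denied"
    if user.totp_secret is not None:
        ok = code is not None and verify_totp(user.totp_secret, code, at)
        return "full" if ok else "denied"
    if user.org.require_2fa:
        return "enroll-only"
    return "full"


def begin_enrollment(user: User) -> str:
    """Issue a fresh 160-bit secret; return it base32-encoded for the authenticator app."""
    user.pending_secret = secrets.token_bytes(20)
    return base64.b32encode(user.pending_secret).decode()


def finish_enrollment(user: User, code: str, at: Optional[int] = None) -> bool:
    """Activate only once the user proves the app really holds the secret."""
    if user.pending_secret is None or not verify_totp(user.pending_secret, code, at):
        return False
    user.totp_secret, user.pending_secret = user.pending_secret, None
    return True


def admin_reset_2fa(user: User) -> None:
    """Lost device: clear the factor so the next login lands in enroll-only,
    instead of weakening the org policy for everyone."""
    user.totp_secret = None
    user.pending_secret = None


if __name__ == "__main__":
    acme = Org("acme", require_2fa=True)
    alice = User("alice@acme.test", acme)
    print(login(alice, True))                 # enroll-only
    uri_secret = begin_enrollment(alice)
    first_code = totp(alice.pending_secret)   # what the app would display
    print(finish_enrollment(alice, first_code), login(alice, True, totp(alice.totp_secret)))
```

The enrolment-only scope is the whole point: the user is never locked out of the system, but the only thing the session can do is prove possession of a new secret, and an admin reset returns them to that state rather than switching the policy off.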

I’m not sure if this is a newly added feature or something I missed earlier, but I can now see which users have and haven’t activated two factor authentication in the standard (non-self-hosted) administration UI.

Organization > Manage > People

That obviously does not resolve this feature request, but it significantly mitigates the issue for me, as the administrator of a small organization who can afford to scold individual users.

I’m not sure if this is a newly added feature or something I missed earlier,

Newly added feature. Thanks Kyle!

Duo brings an entire suite of benefits to the table that go way beyond Bitwarden; what kind of enterprise are you running where $6/user for Duo “completely kills” the use of Bitwarden? It sounds like you’re just sensationalizing the issue for the sake of getting this feature into the core Bitwarden software.

I know of no real enterprise where the powers that be would balk at $6/mo for Duo given everything it can do, and the very low likelihood that Bitwarden is the one and only use case an ‘enterprise’ can find for Duo. The $6 level gives you the ability to not only use it with native integrations, such as Bitwarden, but endless other possibilities that nearly any ‘enterprise’ user would find valuable, even stupid things like Wordpress. You can also deploy their SAML2.0 Duo Access Gateway on-prem to provide SSO with forced 2fa on a massive number of cloud apps (Box, Google, Microsoft hosted apps, etc.), secure your own on-prem Exchange’s web interface, secure internal apps, block your own users from authenticating if their mobile device has gotten out of date, doesn’t have a screen password, or the auth attempt is coming from foreign countries, so on and so forth. Duo is infinitely valuable for $6/mo (hope Cisco doesn’t see this post and raise the price).


It's not only because of the $6… it is also because I don't want to be forced to use a special authenticator. For example, we're already forced to use the Microsoft Authenticator for Office365, which can handle TOTP but not the other way around.
As an admin I have the same problem with other vendors which force me to use their TOTP solution, and I hate this behaviour. I don't want to use 5 different authenticator apps.

And of course $6 is not killing anything, but it is an argument against BW and for another solution.


Some of Duo’s functionality, our company doesn’t need. Other Duo functionality we already have in some form from another vendor. There’s no reason why we should need to pay for functionality we already have / don’t need just to obtain the basic functionality – which many other products have – of being able to enforce 2fa on our users. The deficiency here is in Bitwarden lacking that feature, not in people not wanting to waste money on a product they don’t need in order to obtain it.

scifire91’s point about not wanting to use yet another form of authentication is also on point. We are trying to standardize on U2F / FIDO2 everywhere. We want to go in the direction of everything using hardware 2fa keys, not in the direction of relying on vendors.

We also don’t want to introduce an unnecessary point of failure in our infrastructure. If we are dependent on Duo, then that’s one more thing that can break and keep our users from working.

We also don’t want the extra cost of administrating yet another service. The dollars-and-cents cost of Duo isn’t the only cost; ongoing administration is a different cost. If Bitwarden supported enforcing 2fa, then that would have no administrative overhead whatsoever – we would simply turn on enforcement and be done with it.

Finally, you can laugh all you want about people who don’t want to spend the money, but the fact of the matter is that if we have to pay $6/user/month for Duo just to be able to enforce 2fa in Bitwarden, then that literally triples the cost of Bitwarden Enterprise, from $3/user/month to $9/user/month. That’s ridiculous.


You aren’t forced to use MS Authenticator; they’re just TOTP even though they give it a fancy name, so you can enroll the same TOTP key in any TOTP compatible app. Additionally, you can use Duo with MS, or even use Duo’s local SAML gateway to auth other apps while using MS’s own hosted active directory as the backing for the Duo gateway, keeping you entirely in control of the auth process.

If you’re running an enterprise, the value of Duo easily offsets the “extra cost of administrating yet another service,” by using the single sign on options to give your administrators a single pane of glass to enroll users with single sign on, monitor their activities, as well as immediately lock a terminated employee out of every app. A typical enterprise has countless apps, and if they all have independent 2fa implementations, internal logins, so on and so forth, the operational expense associated with normal hire/term options is quite high; oh let me log into 365 and kill their account, now I’ll log into Bitwarden and kill their account, now I’ll log into Box and kill their account, oh don’t forget about apps 1,2,3,4,5 too, and if you miss a single one that later gets compromised, you’re screwed. Duo is like an insurance policy; we kill an account, that employee can no longer log into anything. Yes they may be down rarely, but much better than the alternative.

Which part of “Other Duo functionality we already have in some form from another vendor” did you not understand?

Duo is not the only federation / SSO vendor. Lots of companies – “Enterprise” or not – are already paying another vendor for the functionality that Duo provides. No one is disputing the value of such functionality. What we’re saying is that it’s absurd to either lock companies that want to use Bitwarden into a single federation / SSO vendor, or make them pay a federation / SSO vendor whose services they aren’t going to use – because they’re already getting them from another vendor – just to enforce 2fa.

I do not understand why you seem so hell-bent on criticizing people just for wanting a perfectly reasonable feature that lots of other products have without having to pay triple the cost for it.


Why is it ‘absurd’? Because Kyle isn’t spending his time worrying about the 2fa you prefer to use over feature requests that have more votes? Or even the feature request that this entire thread is about, which is not non-Duo 2fa options. If everyone wants to complain about Bitwarden not having their preferred 2fa option, and he spends all the development time rolling those out, how will he ever have time to actually implement what the whole point of the thread is, which is forced 2fa for organizations?

The point of the thread is allowing for forced 2fa and then everyone started criticizing Bitwarden over things other than ‘forced 2fa for organizations’. If you don’t like Duo, go start a different thread. If the only Bitwarden-supported 2fa option that meets your needs has a cost associated with it, start a thread asking for a different one.

You are not discussing in good faith, and I will no longer waste my time replying to you.

The things you are saying are nonsense that do not actually have any relation to the things that the people engaging with you are saying, and you are ignoring the things we are actually saying.

Note that I have actually spoken with Kyle about the question of enforcing 2fa without Duo, and while I would not be so rude as to disclose the content of private discussions, I will say that he does not seem to think it is an unreasonable thing for his users to want.


Umm well yeah, that’s the whole point of this thread before you and others dragged it into a bash Bitwarden over its 2fa options. Good job.

@colohost Please stop posting stuff in this thread.
It looks like you don't really know what you're talking about, and you argue, as told before, in a bad way.
This thread is still open because it seems this is something users want. And that is exactly what this forum is for.

I’m in this thread because I would like to see forced 2fa for organizations; you may not be aware, but that was the purpose of this thread before everyone started bashing the product over its 2fa options, which has nothing to do with the topic. I voted for it, I run an enterprise, I have a self hosted enterprise Bitwarden instance with actual paid users.

I would also love to see this feature without having to use Duo. Apart from the price, forcing us to use another vendor doesn’t help to unify and simplify things.
