Force 2FA for organizations

This seems like the best solution to me, and I would love to see something like this as an option for enterprises that don’t want Duo.


I’d like this. My company is not an “enterprise”, having only 20 users. dabura667’s suggestion would help me to enforce good practices.


It would be very good if we were able to enforce 2FA at the organisation level for on-premise installations, at least for email verification.

We would also welcome such a function (without Duo). The user must activate 2FA, but is free to choose the type of 2FA (existing app like Google Authenticator, hardware key or even mail).


We are thinking about switching from LastPass to Bitwarden - but without being able to enforce 2FA this is really a show stopper. Duo is not an option for us.


Yup, here we are in the same boat.

We would like to switch from LastPass (Enterprise) to Bitwarden Organizations, but being forced to use an external service like Duo for 2FA, and consequently paying for it, is not an option.

The two services together cost as much or more than a LastPass Enterprise licence, in which you can use other types of 2FA (like authenticators, SMS or hardware USB keys).

Just my 2 cents, but I think that Bitwarden could gain a lot by allowing other 2FA methods in the Organizations mode.


Every other company I know of does it. You can enforce 2FA using any authenticator app. Let us worry about what we’d do if someone locks themselves out; this is why sysadmins exist. All you have to do is give the admin account the ability to disable 2FA, or have a grace period, etc. Google does this.

I second this feature request:

  1. One must be able to enforce 2FA
  2. It must work without Duo, but with the other methods like TOTP, U2F,…
  3. It must be possible to define which 2FA methods are allowed and which not.
  4. In case of a policy change, the user must adjust his methods after the next login.

It should be possible to define this policy on a per-group basis, which could be an “organization” in a first step. Of course it would be nicer if you could define groups within an organization and set the policy per group…


I really would like to be able to use this feature with e.g. YubiKeys, but any open standard like FIDO2 should be fine, so any org can choose their own second factor.

What’s the status of this?

This is a must have for our organization as well and using Duo is a non-starter.


Enforcing 2FA is an absolute, baseline requirement for the Organizations feature, even for the families tier!


I’m in the same boat 🙁

I deployed Bitwarden for our organization because I prefer to self-host.
From my perspective, using 2FA email auth is not secure enough for a password manager. If someone has access to my email, then they have access to my password manager and could export all the data.

Also, the fact that I can’t force all saved passwords into a vault that the org can revoke is a big concern.

My fault I suppose - I should have looked more closely at these features before deploying and training users.

If these features aren’t already in development with Bitwarden, I’ll most likely have to look at other options.