Fully configurable MFA (and SFA)


I suggest making authentication fully configurable, i.e. configuring the various authentication methods (password, PIN, biometrics, U2F, OTP) separately and allowing an arbitrary number and combination of authentication methods for login and unlock.


Login: Master Password + (U2F or OTP) ← very secure
Unlock: Biometric + U2F ← convenient

Extended description

For this feature to make sense one should always be able to log out and back in again instead of unlocking to avoid nonsensical cases, e.g. my fingerprint reader is defective so I can’t unlock but could log in.
Also it should be possible to list multiple authentication methods as alternatives in a step as in the example above, e.g. U2F or OTP as 2nd factor.
An extension to more than three factors should be trivial.
And in addition everyone would be able to configure exactly for the security/convenience trade-off they want.
SFA with weak factors (PIN only or U2F only) should have a warning message associated with it.

Other feature requests like this one (unlock-bitwarden-with-2fa-i-e-yubikey-instead-of-not-in-addition-to-password) would be solved automatically.

Possible caveat

I’m aware that encryption is based on the master password so logging in might always need to include the master password.

I’m happy to receive some feedback on this.

Why is a two-step unlock necessary? If a device is already verified as trusted by two-step login, what is gained by the added steps and complexity every time you must unlock the vault to use it? You don’t actually say.

What I was trying to say is that the type as well as the number of authentication steps should be up to the user, i.e. configurable. (Of course with sensible defaults so as not to over-complicate things for the less tech-savvy user.)

For example, someone working on a laptop in a public place will be happy to unlock not only with a PW or PIN that someone could have seen but would like to use a second factor (which is still more convenient than a full login); someone who is very security conscious would like to add a third factor for login, etc.

I’m personally only looking for direct unlock via YubiKey, but thinking about it I thought that this kind of generalization would provide full flexibility while being able to be encapsulated into a separate module, which would be nice from an architectural point of view. (I’m saying this not knowing if that is actually true for the specific architecture of bitwarden.)

P.S.: I rephrased the original description to make it clearer.
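As an added illustration of the request in the opening post (ordered steps, alternatives within a step, a weak-SFA warning, and the master-password caveat) and of the configurable flow the follow-up reply describes, here is a small policy parser and evaluator. It is example code written for this page, not Bitwarden's code or design; the policy string format, the method names, the `AuthConfig` class and the rule that login must contain a master-password-only step are all assumptions.

```python
"""Added example (not Bitwarden's code): a configurable multi-step
authentication policy of the form "Master Password + (U2F or OTP)".

Assumptions: the policy string format, the method names, the AuthConfig
class and the validation rules below are all hypothetical."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Method(str, Enum):
    MASTER_PASSWORD = "master_password"
    PIN = "pin"
    BIOMETRIC = "biometric"
    U2F = "u2f"
    OTP = "otp"


# Spellings accepted in policy strings (assumed). Names are normalised to
# lowercase letters and digits, so "Master Password" and "Bio-metric" match.
_NAMES = {
    "masterpassword": Method.MASTER_PASSWORD,
    "password": Method.MASTER_PASSWORD,
    "pw": Method.MASTER_PASSWORD,
    "pin": Method.PIN,
    "biometric": Method.BIOMETRIC,
    "u2f": Method.U2F,
    "otp": Method.OTP,
}

# Factors the request flags as weak when they are the only step.
WEAK_ALONE = {Method.PIN, Method.U2F}

# A policy is an ordered list of steps; each step is a set of alternatives of
# which the user must complete at least one.  "Master Password + (U2F or OTP)"
# becomes [{MASTER_PASSWORD}, {U2F, OTP}].
Policy = List[Set[Method]]


def parse_policy(text: str) -> Policy:
    """Parse 'A + (B or C)' into steps; raise ValueError on unknown names."""
    steps: Policy = []
    for step_text in text.split("+"):
        alternatives: Set[Method] = set()
        for name in re.split(r"\bor\b", step_text, flags=re.IGNORECASE):
            key = re.sub(r"[^a-z0-9]", "", name.lower())
            if key not in _NAMES:
                raise ValueError(f"unknown authentication method: {name.strip()!r}")
            alternatives.add(_NAMES[key])
        steps.append(alternatives)
    return steps


@dataclass
class AuthConfig:
    login: Policy
    unlock: Policy


def satisfied(policy: Policy, completed: Set[Method]) -> bool:
    """True when every step has at least one completed alternative."""
    return all(step & completed for step in policy)


def weak_sfa_warning(policy: Policy) -> Optional[str]:
    """Warn on single-step policies where a weak factor alone suffices.

    A step is only as strong as its weakest alternative, because the user
    may complete just that one.
    """
    if len(policy) == 1:
        weak = sorted(m.value for m in policy[0] & WEAK_ALONE)
        if weak:
            return f"single-factor with weak factor(s) {', '.join(weak)}"
    return None


def validate(config: AuthConfig) -> List[str]:
    """Return problems that make the configuration unusable (empty if none).

    Assumption taken from the request's caveat: the vault key is derived from
    the master password, so login needs a step that is exactly the master
    password (an 'or' alternative would not guarantee it is entered).
    """
    problems = []
    if not config.login or not config.unlock:
        problems.append("login and unlock each need at least one step")
    if {Method.MASTER_PASSWORD} not in config.login:
        problems.append("login must include a master-password-only step")
    return problems


def next_flow(config: AuthConfig, completed: Set[Method]) -> Optional[str]:
    """Which flow the completed methods satisfy: 'unlock', 'login' or None.

    Unlock is checked first; if it cannot be satisfied (e.g. a defective
    fingerprint reader) the user can still fall back to a full login.
    """
    if satisfied(config.unlock, completed):
        return "unlock"
    if satisfied(config.login, completed):
        return "login"
    return None


if __name__ == "__main__":
    cfg = AuthConfig(
        login=parse_policy("Master Password + (U2F or OTP)"),
        unlock=parse_policy("Bio-metric + U2F"),
    )
    print(validate(cfg))                                        # []
    print(next_flow(cfg, {Method.BIOMETRIC, Method.U2F}))       # unlock
    print(next_flow(cfg, {Method.MASTER_PASSWORD, Method.OTP}))  # login
    print(weak_sfa_warning(parse_policy("PIN")))                # weak warning
```

The evaluator treats a step as satisfied by any one of its alternatives, which is why the warning looks at the weakest alternative in a single-step policy rather than at the strongest.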