How can I use my Yubikey using OTP or U2F exclusively to access my Vault?

I would like to use my Yubikey using OTP or U2F exclusively to access my vault. However, I didn’t find out how I can set it up like this. I would like my vault (especially on my mobile phone) to be locked most of the time. When I need it, I would like to log in using my Yubikey and maybe a weak, short PIN code in order to access my vault. How can I set it up like this? Currently, I log in using my strong master password in addition to 2FA (either Yubikey U2F (web) or OTP (mobile)). It appears to me that adding the master password is a bit overkill and especially time consuming.


What you are asking for is a passwordless login using something like Fido2. There is no way to do this. I don’t think there is any password manager in existence that works with passwordless login (except with biometrics).

The only consumer vendor I know that uses passwordless login is Microsoft. It allows you to set up a passwordless login on a Microsoft Live account and Windows Hello. However, neither is truly passwordless. There is still a password underneath that you can use to bypass the key, and you can use SMS or email to bypass the Yubikey with a recovery.

It sounds to me like you might want to take a look at using a PIN for your unlock code on the Android. 2FA of any kind will only be asked for when you log in, NOT when you unlock! If you decide to use PIN unlock you can use an 8-9 digit PIN. Pick a unique number and set the PIN accordingly. Safety comes from the fact that 5 incorrect PIN attempts will automatically log your Android out. Now it's full Master Password and 2FA/U2F again. My Android is BW locked almost 100% of the time, but I rest easy knowing my long PIN is not going to be guessed. Plus my Android is bio locked anyway. Many will argue that it is safer to always be fully logged out, and they have some points to their argument. However, those points are cancelled for me because logging in often is too much of a hassle with a long Master Password and U2F using NFC.

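The trade-off the reply above describes (a short PIN for day-to-day unlocks, with a hard fallback to the full master password plus 2FA after a fixed number of wrong PINs) can be modelled as a small state machine. The following Python block is an added illustration written for this thread; it is not Bitwarden's code, and the PBKDF2 parameters, state names and the `VaultSession` class are constructed assumptions. It also generalizes slightly by computing the upper bound on a thief's chance of guessing a uniformly random PIN before the lockout fires.

```python
"""Toy model of a retry-limited PIN unlock (added example, not Bitwarden's code).

States:
  UNLOCKED   - vault usable
  LOCKED     - PIN unlock allowed (no second factor asked, as the post says)
  LOGGED_OUT - full master password + 2FA required again

After MAX_FAILED_ATTEMPTS wrong PINs the session drops to LOGGED_OUT, so
someone holding the device gets only a handful of guesses at the PIN space.
"""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5      # number stated in the post
PBKDF2_ITERATIONS = 100_000  # assumed value for this model


class VaultSession:
    def __init__(self, pin: str):
        # Keep only a salted, stretched hash of the PIN, never the PIN itself.
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self.state = "UNLOCKED"
        self.failed_attempts = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)

    def lock(self) -> None:
        """Lock an unlocked vault; a locked or logged-out vault stays as it is."""
        if self.state == "UNLOCKED":
            self.state = "LOCKED"

    def unlock_with_pin(self, pin: str) -> bool:
        """Try a PIN unlock. Only meaningful in the LOCKED state."""
        if self.state != "LOCKED":
            return False
        # Constant-time comparison of the derived hashes.
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.state = "UNLOCKED"
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Lockout: PIN unlock is no longer offered, full login required.
            self.state = "LOGGED_OUT"
        return False

    def login_with_master_password_and_2fa(self, password_ok: bool, second_factor_ok: bool) -> bool:
        """Full login path; both factors are modelled as already-verified booleans."""
        if self.state == "LOGGED_OUT" and password_ok and second_factor_ok:
            self.state = "UNLOCKED"
            self.failed_attempts = 0
            return True
        return False


def max_guess_success_probability(pin_digits: int, max_attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Upper bound on a thief's chance of guessing a uniformly random numeric PIN
    before the lockout triggers."""
    return max_attempts / 10 ** pin_digits


if __name__ == "__main__":
    s = VaultSession("482915736")  # constructed sample PIN
    s.lock()
    for guess in ("000000000", "111111111", "222222222", "333333333", "444444444"):
        s.unlock_with_pin(guess)
    print(s.state)  # LOGGED_OUT after five wrong PINs
    print(max_guess_success_probability(9))  # 5e-09
```

The model makes the reply's point concrete: the PIN's strength comes from the attempt limit rather than from its length alone, and once the limit is hit the attacker is back to needing the master password and the second factor.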

@palasiu Thanks for the response! Why would there be no way to do this (passwordless Bitwarden login using FIDO2)? Doesn’t e.g. Google allow protecting the login using FIDO2? Is it really possible to bypass the Bitwarden master key with access to the e-mail? I was under the impression that either the master key or the backup key is needed to log in. Is there a way that I can disable resetting the master key using the email?

@OpSec Thanks for the response! I’m using iOS. Won't an attacker with physical access to my unlocked device be able to extract the vault in the unlocked state and try to brute-force the PIN? I’m thinking about setting a weak master password, requiring OTP or FIDO2 for the 2FA, and configuring my vaults so that they are always logged out. Would this solution be more secure in your opinion than having a strong master password and OTP / FIDO2 as 2FA but having all the vaults logged in all the time and then using a PIN for unlocking? What are your thoughts on using biometrics instead of a PIN for unlocking?

I don’t speak for Staff here. I see this as the classic “convenience vs security” paradigm. Obviously it is more secure to have your BW vault 100% logged out. No brainer. Day-to-day use can dictate a compromise of sorts to make always using BW for password mgmt your go-to app.

One thing not discussed in this thread is what IF someone grabbed your phone and FIDO2 stick (if that option existed here)? Now they simply use both and they are immediately IN your vault? For me I see that as less secure in my real life situation. FIDO2 strengthens remote security maybe, but it destroys all physical access security completely.

e.g. you are walking around with your Android and, in your use case, the FIDO2 stick is in your pocket. Someone “phone jacks” you, taking everything on you: wallet, phone, stick, keys, etc… You are toast in the sense that they can immediately copy out your vault and they have it all! Not just in the movies, this crap actually happens.

Silas,
The application has to be written to support Fido2. The Fido2 standard has been around for a few years and the Yubikey 5 supports it, but there is very limited support for it out in the real world. Support has to come on several different levels.

I don’t think Google even supports Fido2 except on a very limited basis. If you click on the security part of the key, there is an option to use the Yubikey as a 2FA using U2F/Fido, but there isn’t a way to get rid of the password in the settings that I know of.

If you check out a Microsoft Live account, you will notice that Microsoft Live accounts do not allow you to use a Yubikey as a 2FA. You can only use it for passwordless login. The big problem is that you can remove the other options, so you are not afforded the true protection of a Yubikey.

As for the Bitwarden password reset, what gave you the impression that you can reset the master password through email? The most you can get is a master password hint, or to erase your entire vault and start over. Once you forget your master password, there is no recovery at all.

Opsec,

Most Fido2 implementations will require a PIN. The idea is that you must have a 2nd factor.

If you are using the Yubikey as a 2FA, you have to log in first to get to the 2FA. If someone steals your phone, they will have to unlock your phone, unlock your password manager, and then press the button on the Yubikey.

If you are using the Yubikey as a passwordless login to a site (I only got this to work in Windows), apps will require you to have a Fido2 PIN. To log in, you have to press your Yubikey button and then enter the PIN. If you enter the PIN too many times, the key locks and you have to reset the PIN. Resetting the PIN wipes out all stored credentials.

@paulsiu, according to the Yubico link that you shared, the Yubikey would support FIDO2 + PIN (at least for the platforms that I most often use), but as you mentioned it appears that Bitwarden does not support protecting the login with FIDO2 + PIN, only with the master password and FIDO2 as 2FA. I’ll probably go for a master password that acts as a PIN plus FIDO2 as 2FA until they implement FIDO2 plus PIN as a login method.

As for the Bitwarden password reset, your first comment made me think that this might be possible. I’m relieved that this is not the case, now that you clarified it.

> There is still a password underneath that you can use to bypass the key and you can use sms or email to bypass the yubikey with a recovery.

Silas,
You may have to wait for a while for passwordless login. Despite the introduction of Fido2 some years ago, it’s still not being adopted widely. No password manager supports Fido2 passwordless login.