How to use YubiKey for unlocking - solution

Hi all. I read a bunch of threads and no one mentioned this before, so I thought I’d post it here.

**How to use your Yubikey to unlock BW (desktop) **
My situation is that I have and use Yubikey as a 2FA to login to BW (OTP or FIDO2) along with a long, complex master pwd. But once logged in, I want it to lock fairly soon (5 min) without the pain of re-typing the master password, and without an easily-observed short pin, when I unlock it.

First, I acknowledge there are many different threat models and situations, so my situation may not really fit what you want. But I want to be able to not have people easily watch me type in a short pin to unlock my BW when I need to use it 20 minutes after I last used it. I’d prefer to use “what I have” to gain access.

So my simple solution is to use the 2nd slot on the YubiKey (“long press”) to store a substantial/long/complex/random STATIC password. Then when I log into BW at the start of the day, I can set the PIN to this password by using the long-press. I can set a short timeout-to-lock on the extension. If it’s locked next time I want to use BW, I just insert key, long press, and I’m in.

If the laptop gets stolen while BW is locked, it’s not a simple 4-digit pin to break. Looking over my shoulder won’t help you break in. I keep my YK on my person except when I actually am using it for a moment or two.

Comments? Pros or Cons?

7 Likes

Clever! I think this is a great solution. Thanks for posting, @stevel.

And I see this is your first post - welcome to the community forums!

4 Likes

Hi @stevel,

Thank you for joining the Bitwarden community and for sharing your thoughts and workflow with us.

I wanted to reply here in order to emphasize that this setup means that both your Bitwarden master password and 2FA are stored together on the same security key (YubiKey); If a person gains access to your YubiKey, they would have access to your Bitwarden account and vault, which is not the case if your YubiKey was not also storing your master password and only acted as your 2FA. This can be more convenient in some situations, but it’s important that you, and anyone else that is reading this, be aware that this can arguably be significantly less secure than keeping your master password and 2FA separate.

You are more than welcome to use this setup if you see that it fits your threat model, I just wanted to make sure that anyone else that would read this would be aware of this setup’s potential downsides.

All the best,

OP is storing his PIN – not his actual master password – on the YubiKey. Thus, unless I have misunderstood how BW works, the person who gains access to the YubiKey would also have to gain physical access to the laptop while OP is still logged in to his BW account. So, an attacker would either have to strong-arm OP while he is logged in, or pick-pocket the YubiKey and then wait for OP to leave his laptop unattended and locked but still logged in.

3 Likes

I think your idea has merit for some scenarios. Thanks for sharing it.

A lot of people have been requesting a touch Yubikey to unlock feature… this is sort of a work-around to accomplish the same thing.

For additional context, I just wanted to mention one thing about the PIN security: Bitwarden will log out after 5 incorrect PIN unlock attempts. IF the attacker is guessing randomly (*), then with 4 digit PIN, they have 5/10,000 = 0.05% chance of success. With 6 digit PIN, 0.0005% chance of success.

(*) I realize you mentioned shoulder surfing as a concern, in that scenario the 5-incorrect-PIN-attempt-logout feature would not help,

OP here. Yes grb has it right. Not storing master key on Yubi. So what grb describes is correct and adequate for my threat model.

cheers.

1 Like

This is a decent workaround. Still not as safe as actually using the Yubikey OTP feature.

Since it’s a static password and not a OTP, a keylogger would be able to capture it for further use.

I would also like this feature to be implemented