Is the Yubikey the best choice for a 2FA device with Bitwarden Premium?

I’m highly tempted to upgrade to Premium and get a Yubikey NEO at the same time for even more protection. Is this the best device to go with or is there something else out there that Bitwarden supports that offers better security? I need Windows 10, Linux and Android support.


My personal opinion? The Yubikey is the BEST value for MFA. It is a cryptographic hardware token that supports multiple MFA protocols. You can use it with U2F/FIDO2 services like Google, Facebook, Dropbox, etc. You can also use the Yubico OTP function for services that support it. And you can use it as a direct replacement for HOTP/TOTP solutions like RSA tokens and Google Authenticator. It also stores PGP and SSH keys. Having all these tools on an external hardware token provides an excellent security solution.

I highly recommend getting at least two Yubikeys. One for your main use, and one as a backup. I personally have three: one main, one backup in my desk at home, and a second backup in my safe deposit box at my bank.

At $40 list, they are relatively inexpensive.

Just my two cents worth…


Thank you for the reply.

I’ll order the Yubikey NEO today then. Sounds exactly like the kind of thing that I want.

I see the option of using “Yubico” or “FIDO U2F”. I suppose with a Yubikey (4 or NEO), one can enable either method? Is there an advantage of using one method over the other? Thanks.

The Yubikey 4 series supports both Yubico OTP and FIDO U2F.

Yubico OTP is a symmetric or “shared secret” One time password function. A lot like RSA tokens or Google Authenticator. Not a bad solution, just not the most secure.

U2F is a newer, asymmetric encryption protocol. It is Public/Private Key encryption. The Private key is stored on the Yubikey and the Public key is stored by the service (Bitwarden, Google, Facebook, etc). The key pair is DIFFERENT for each service. If Google exposes your public key, it will NOT affect any other services you have registered your key with. Much more secure than shared secret options.

Go with U2F when possible.


Thank you for the suggestion. It took me some effort to use U2F in firefox, turned out it was disabled by default. After changing the settings in firefox it worked as expected.

Now that I have my Yubikey NEO on its way (due tomorrow) I have to find a way to change the 2FA for all the websites I use from SMS or Authy to using the Yubikey NEO.

This might not be an easy process. I’ve just started reading the manual now and I’m not entirely sure what the process is. Does Bitwarden support using the Yubikey for all websites or just a few?

Sorry for the stupid newbie questions.

For websites that support U2F, you log in using your existing Uid/Password and your SMS. Then register the Yubikey as a U2F key. Depending on the site, you might need to disable the SMS. Google has this well documented. Others, not so much…

Bitwarden does not enable websites to support the Yubikey, it just allows the Yubikey to be a second factor for accessing your Bitwarden data.

Sorry, forgot to mention that. Firefox 60 has WebAuthn enabled by default so the Yubikey will work fine. Lower versions, you need to enable WebAuthn as you did.

Thanks for the reply. I’m going to have to work out how to do this because I’m a complete newbie with devices like this. The Yubikey NEO arrived in the post this morning so I better start reading the manual to see what I can do with it.

I guess I’ll start with my Android device as that will probably be the easiest thing to secure. Then I’ll move onto websites.