Was wondering anyone has been able to setup multiple yubikeys on a self hosted install. I was able to setup all three on the bitwarden site, but when I read the doc on adding it to a self hosted install, it SEEMS like I can only add 1?
Not a definitive answer here and I have no idea if this will work but perhaps you may try to see if this works with storing the additional variables in a CVS format similar to how emails are configured in the admin panel.
Before making this change I would make sure you have a backup of your system config, as well as ensure you have another possible method of 2FA in the case this causes issues with your Yubikey 2FA and need to revert.
Hopefully that does work, please report back any findings.
Ooooooooo, I will try this tonight!
Also checked elsewhere, again this is a different product but otherwise should function similarly.
You may try to set this with one Yubikey using environment variables in
global.override.env, and then attempt to enroll both Yubikeys in your user’s password vault of your self-hosted instance and test functionality of both.
Ok! So I got it working (however, its not prompting on my Pixel 6 Pro, but I have confirmed my desktop with ‘Key 1’ and laptop with ‘Key 2’ both unlock my vault via the desktop app.
Here is how I got it work, is this the correct way? Maybe not, but this is what worked for me.
- Per the instructions in this post
use one of your keys and go to Yubico API key signup and generate your ClientID and Key.
Update the globalSettings__yubico__clientId= and the globalSettings__yubico__key= variables in your global.override.env file with the information from step 1
Stop, rebuild, and start Bitwarden
Login to Your Vault. (Not vault.bitwarden . com, but whatever domain you are using for your server, such as, bitwarden.CUSTOMDOMAIN . com
Browse to Settings - Two-step Login-Yubico
From here, you will be able to add up to 5 keys to your account. I tried to do this without steps 1 and 2, but kept getting an error. After adding my keys I did repeat step 3, but not sure if it was needed.