New guy questions continued

Okay, I’m back, stumped on a couple things, so…

  1. Is there a way to require a passkey for logging into my Bitwarden vault both on my Android phone and desktop Mac, regardless of how I access the account (app, browser extension, no browser extension), AND allow the passkey to be bypassed in favor of the passphrase on recognized devices? Basically, I’m trying to make it so that any unauthorized person who tries to access the account on an unrecognized device will be asked for a passkey, but I don’t want the passkey to be MY only option.

  2. On my Android, for one company (Chipotle), after autofilling my user name and password, I’m texted a security code. However, when I go to my text messages (e.g., minimize the Chipotle window), then try to return to the Chipotle sign in, I’m instead taken to my Bitwarden vault for Chipotle, so I’ve nowhere to enter the code. The text message is the only two-step the company allows, but that’s beside the point, because I want to be able to check my text messages without leaving a given site and being taken back to my Bitwarden vault.
    Thanks.

One more question. It looks like you can’t customize passwords’ lengths, and other options, for individual accounts. So if you’ve already set up multiple accounts, and encounter one that doesn’t accept certain characters or has a shorter length cut-off than desired, etc., I guess you either have to tweak the password to said account every time you access it.

I’ve been using super long passwords, 32 characters, but encountered a company whose limit is 30. I know 32 is a lot, and wondering what’s the highest number of characters that is likely to be accepted…

I do have one victory to report, in that I successfully peppered a password. So, progress, ha!

Let me stop you right there. Passkey login (i.e., passwordless login) for Bitwarden is only possible when logging in to the Web Vault (vault.bitwarden.com). It is not (yet) possible to do passkey login to access your Bitwarden vault on a browser extension, desktop app, or mobile app.

If you are not asking about passkey login, but about two-step login (2FA) using a passkey as your second factor, then please make that clear (by wording your question so that it explicitly refers to the “2FA” part of the authentication process).

You can bypass the 2FA requirement on specific devices by checking the “Remember me” option when logging in, but I don’t know if that’s what you’re asking about.

I don’t understand what you mean. If this is something that is happening when you are using Bitwarden’s mobile app, then that is beyond my expertise. If you are using the browser extension, Web Vault, or desktop app, then I don’t see why you would need to “minimize the Chipotle window” to check your text messages.

As a tip, because Bitwarden works very differently when you are using the web vault, browser extension, desktop app, or mobile app, it is best if you specify which flavor of Bitwarden you are working with when you ask for help.

You can customize the password generator at will, but you cannot save your customizations so that they are remembered for specific login items in your vault. Normally, that would not be a big deal, because once you’ve created a strong randomized password for a website, there should be no need to change the password unless the website has a data breach or the website has some requirement for periodically changing your password.

That’s a little excessive, if we’re talking about a random character string with lower/uppercase letters, numbers, and special characters. A random-character password typically has sufficient strength when you get to a length of around 14–16 characters. Go beyond that, and you risk running into problems caused by websites’ poor handling of long passwords. Some websites even truncate long passwords without warning you, or have a length restriction on the login page that is different from the length restriction on the password change form (which could cause you to get locked out of your account!).

Sorry, I’m not being very clear. What I’m wanting is a second login requirement beyond my password for Bitwarden. And that my devices can bypass. I don’t care what it is, 2FA or passkey. But let’s stick with 2FA for now, since as you’ve indicated that will meet my requirements and passkeys are tricky. I wasn’t planning to use passkeys for now, but I thought, hey, why not make at least the Bitwarden site extra secure that way.

Re Chipotle, yes, I’m talking about the mobile app. So we can skip that as well, although I’m having another problem with it, in that when I launch Chipotle, it takes me to the proper site, but the prompt is for me to enter the username for Bitwarden Forum.

Thank you for the advice concerning password length.

I wish I wasn’t struggling with this so much. A friend suggested I look at 1Password, but in watching some videos on it, I think I understood it less than Bitwarden. Anyway, thanks again.

For your Chipotle issues on mobile, please start a new thread, so that you can get help from someone familiar with Android.

OK, this is what we call “two-step login” or “two-factor authentication” (“2FA” for short). Set this up as follows:

Log in to the Bitwarden Web Vault (https://vault.bitwarden.com), and go to Settings > Security (using the left-hand navigation menu), then click the tab labeled “Two-Step Login”.

Before doing anything else, click View Recovery Code, enter your master password, and then carefully transcribe the displayed recovery code (32 characters) onto your Emergency Sheet. Close the pop-up when done. This recovery code can be used to disable all 2FA on your Bitwarden account in case something goes awry or you lose access to your 2FA.

I would also recommend creating a Password-Protected .json export as a backup just before enabling 2FA, in case something goes wrong in the process of setting up 2FA.

Have your Yubikeys ready, but not yet plugged in. Next, click the Manage button for the “FIDO2 WebAuthn” option:

Enter your master password to proceed. Come up with a descriptive name to designate the first Yubikey (one that will let you know which of your Yubikeys to use), and enter this name into the “Name” field on the “Two-Step Login FIDO2 WebAuthn” form:

image

Next, plug in the designated key (the one that you just named) into your computer’s USB port, and click the Read Key button. This will trigger a number of prompts from the computer’s operating system; I forget if you have macOS or Windows or both, but in Windows 11, it will look something like the 6-step sequence shown below:


1.
image

Click OK in the prompt above.

2.
image

In the prompt above, set the selection to “Security key”, then click Next.

3.
image

Click OK in the prompt above.

4.
image

Enter your Yubikey PIN in the prompt above, then click OK. If you don’t have a Yubikey PIN, you may be prompted to create one (if you get stuck at this step, let me know). You should write your Yubikey PINs down on your Emergency Sheet.

5.

When you see the prompt above, touch the Yubikey.

6.
image

Click OK in the prompt above.

After working through the operating system’s prompts as shown above, you should now be back in the “Two-Step Login FIDO2 WebAuthn” form in the Bitwarden Web vault. Click the Save button in the bottom left corner of the form (as shown in the screenshot below).

image

You should now see the name that you had specified for this Yubikey shown in the list at the top of the form (replacing one of the placeholder names “WebAuthn Key 1”, etc.).

If you want to register additional Yubikeys, then pull out the previous Yubikey from the computer’s USB port, and start over from the step above where you specify the Yubikey “Name”.

When you are done registering (and saving) all of your Yubikeys, and verifying that their names are all listed at the top of the form, then click the Close button at the bottom of the form:

image

After double-checking that you have the Two-Step Login Recovery Code handy, log out of the Web Vault, and test logging back in.

You will now need to use your Yubikey as a second factor whenever you log in to your Bitwarden account using your username and master password (passphrase). If you want to exempt a device from this requirement, check the checkbox for the “Remember me” option before touching your Yubikey when you log in.

Thank you! I have done some of the steps you sent, but I will work through them all to see what I’ve missed. And will start a new thread for the Chipotle issue.

If you didn’t complete all of the steps, then you do not currently have any Yubikeys set up as a second login factor.

I checked, and my two-step login is already turned on and active, with 4 Yubikeys registered. I must have checked Remember me, because I’m not being asked for the key for the .com site. However, I am for the extension, but that’s fine. Right now I’m wanting to see if all the roadblocks in place are functioning. I’ve yet to address the Chipotle issues.

I believe that the “Remember me” 2FA waiver expires after 30 days. If you want to immediately undo your “Remember me” settings on all devices, you can do so by logging in to the Web Vault app, going to Settings > My Account in the left-hand navigation menu, and then clicking Deauthorize Sessions. This will also log you out of all apps and browser extensions on all devices.

Thank you, and yes, meant to mention that I’d seen that 30 day expiration. I have a new problem though, in that yesterday, one of the times I tried to log in through my extension (for which the 2FA with passkey was working), my vault was empty, said there were no items to display. I tried All vaults, My vault, and one other vault I have which is empty. Accessing the account via .com showed my items. I logged out one or two times from the extension, and got the same empty results. I can’t remember everything I tried at that point, but eventually, my items showed up. However, this morning, the same thing happened as I’ve described (extension vault initially empty, then items showing). Also, this morning, initially, I was not required to use my passkey, even though I’d been careful not to select Remember me. But when I logged out, and went to log back in, I was asked for the passkey. I’m guessing I’m doing something that causes one’s vault to show up empty, but have no clue as to what that might be. I turned my computer off overnight, but did not turn it off during the problems of last night. Thanks.

A post was merged into an existing topic: Trouble entering BW TOTP on Android