Option always on request for pin code hardware keys

I recommend that Bitwarden should have an option in the settings to require a PIN code from the hardware key every time a user tries to log in. Currently, when using the FIDO2 method, the PIN code is not requested; only the pressing of the hardware key is required. It’s essential for security that the Bitwarden web vault, browser add-on, and mobile apps prompt for the PIN code associated with the hardware key, rather than just requiring the pressing of the key button without any additional validation. This additional layer of security is important for preventing unauthorized access.

@otokoshiro I guess you mean the Bitwarden password manager - and not the Bitwarden 2FA-authenticator app?

I re-edited the whole post.

@otokoshiro I changed the tags of your request to “password manager” then (the “authenticator” tag is for the 2FA authenticator app of Bitwarden)

Your request was already discussed here, I guess:

When a hardware key is used for two-step login, it acts as a second factor (“something you have”). It complements the primary factor (username/password, which is “something you know”). This behavior is completely consistent with best practices for 2FA (and matches the behavior of many other websites).

If you want to use three-factor authentication, then you can use something like the YubiKey BIO.

If I use a YubiKey Bio, there is another risk of someone forcing me to use my fingerprint to authorize my account opening. The whole point of this argument is that I want to keep some of this, like the password and the PIN code, in my head. So I am not forced to open anything. I do not want to open anything.
To me, my point of view is that the PIN code is presented here as an additional security measure, and I think that it should be used as a third authorization.

Serious question: Under what plausible scenario would an adversary acquire your master password, but not also acquire your hardware key PIN?

I can understand your concern.
I would probably never have this problem, but I do think of others, such as journalists.
I’m an American citizen, but that does not guarantee that if I visit some other Western country, they might have a different view of how things are and might not respect my rights.
To clarify, I view having the password and a PIN for the hardware key in my head as a security measure. They would also look for my PIN.

The same question still applies: What would be a plausible scenario under which an adversary (e.g., a repressive government or law enforcement agency) would be able to acquire the journalist’s master password, but at the same time be prevented from acquiring the hardware key’s PIN?

Even if one could somehow get the master password and the PIN code for the hardware key, layering one’s security will make it harder for others to access the data.

But my point is that an adversary who has the master password most likely also has the PIN, so there would be no added protection from the PIN (unless you or someone can point out a scenario under which an adversary could acquire your master password, but plausibly be prevented from acquiring your hardware key PIN).

I’m trying to say to you that if I commit to memory my password and hardware key PIN, they are less likely to use the hardware key, let alone my master password. I’m trying to clear up that misunderstanding. Sorry, but I am done with this conversation.

1 Like

No, it is not. In fact it is not recommended:

User verification is not recommended for 2FA because the user will have already entered a shared secret (password) sent to the server over the network. In this case, explicitly set userVerification to discouraged. Otherwise, a superfluous user verification step will be required for users that have set a PIN or enrolled a fingerprint on their security key, creating a bad user experience.

Asking for a second password/PIN when logging in makes no sense. If you feel that your master password is not enough and a second hardware key PIN should be required, just combine your current password and PIN to form a stronger master password. There is no need to complicate the login process with multiple passwords.

If you want extra security for your hardware key, do what has been already recommended to you: use something like a YubiKey Bio, which already reinforces its security with biometrics (I do that myself, btw).

1 Like
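The `userVerification` setting quoted above is a relying-party choice in the WebAuthn request, and the authenticator reports back whether a PIN or biometric was actually checked. This added example (not Bitwarden's code, and not from any poster) shows both halves: building assertion options for a second-factor flow with `discouraged` versus `required`, and reading the user-present (UP) and user-verified (UV) flag bits from the returned authenticatorData so the server can enforce its policy. The `rpId` value and the function names are assumptions for illustration.

```javascript
// Assertion options for a second-factor login. "discouraged" tells the
// authenticator not to prompt for PIN/biometric; "required" forces it.
function buildAssertionOptions(challenge, credentialIds, userVerification = "discouraged") {
  const allowed = new Set(["discouraged", "preferred", "required"]);
  if (!allowed.has(userVerification)) {
    throw new Error(`invalid userVerification: ${userVerification}`);
  }
  return {
    publicKey: {
      challenge,                           // Uint8Array issued by the server
      rpId: "example.com",                 // assumed relying-party id
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      userVerification,
      timeout: 60000,
    },
  };
}

// authenticatorData layout (WebAuthn spec):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: PIN or biometric was checked

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy check: a touch is always required; with "required"
// the assertion is also rejected when the UV bit is clear.
function assertionSatisfiesPolicy(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  if (userVerification === "required" && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags, signCount 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7, false);
  return buf;
}
```

With `discouraged`, a touch-only assertion (flags 0x01) passes; with `required`, only an assertion carrying the UV bit (flags 0x05) is accepted.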

And… if you do not like the idea of User Verification via biometrics of the YubiKey Bio, you can get another hardware key that lets you turn on the Always Require User Verification setting.

1 Like