Option to customize the order of 2FA methods

Just added my YubiKey and another Security Key for authentication via WebAuthn. I intended to use the YubiKey as my daily driver. The security key (WebAuthn) should stay at home in the safe.

However, I quickly learned that WebAuthn is considered to be more secure and therefore will be the standard option for 2FA. As Bitwarden support told me, there is a set priority of the 2FA methods, namely (source):

  1. Duo (organization)
  2. FIDO2 WebAuthn
  3. YubiKey
  4. Duo (private)
  5. Authenticator app
  6. Email

If WebAuthn, YubiKey and 2FA apps are all configured, WebAuthn is automatically set as the default. If it’s not configured, YubiKey would be the standard method, and so on.

While it’s possible to choose a different method, it’s also annoying as you need to cancel the whole process by clicking four times etc. Also, WebAuthn doesn’t work as smoothly on mobile devices as my YubiKey NFC.

Therefore, I’d like to be able to specify which 2FA method I want to use as a standard method. In my case, YubiKey, even though WebAuthn is available too.

Anyone else who would like to be able to change the priority of the 2FA methods?
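The selection rule described in the post (highest-priority configured method wins) and the requested change (a user-chosen default that falls back to the fixed priority), as an added example. This is not Bitwarden's code; the method labels are placeholder names I chose, not Bitwarden's internal identifiers.

```python
# Default 2FA method selection as described in the thread, plus the
# requested "preferred method" override. Method labels are my own
# placeholders, not Bitwarden's internal identifiers.

# Bitwarden's fixed priority, highest first (as quoted from support).
PRIORITY = (
    "duo_organization",
    "fido2_webauthn",
    "yubikey_otp",
    "duo_personal",
    "authenticator_app",
    "email",
)


def fallback_order(configured):
    """Configured methods in the order the login flow offers them."""
    unknown = set(configured) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown 2FA method(s): {sorted(unknown)}")
    return [m for m in PRIORITY if m in configured]


def bitwarden_default(configured):
    """Current behaviour: the highest-priority configured method, or None."""
    order = fallback_order(configured)
    return order[0] if order else None


def requested_default(configured, preferred=None):
    """Requested behaviour: honour a user-chosen method while it is still
    configured, otherwise fall back to the fixed priority. A preference
    for a method that is no longer enrolled (e.g. a lost key that was
    removed from the account) must not lock the user out, so it is ignored."""
    if preferred in configured:
        return preferred
    return bitwarden_default(configured)


if __name__ == "__main__":
    # Constructed sample: the OP's setup (WebAuthn key, YubiKey OTP, TOTP app).
    op = {"fido2_webauthn", "yubikey_otp", "authenticator_app"}
    print(bitwarden_default(op))                       # fido2_webauthn
    print(requested_default(op, "yubikey_otp"))        # yubikey_otp
    # Workaround discussed later in the thread: remove WebAuthn from the
    # account and keep the printed recovery code offline instead.
    print(bitwarden_default(op - {"fido2_webauthn"}))  # yubikey_otp
```

The override only takes effect while the preferred method is still enrolled; if the preferred key is removed, the account silently reverts to the fixed priority rather than leaving the user with no offered method.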

To clarify your use-case, could you explain under what conditions you would pull the security key out of the safe to use it instead of the Yubikey OTP?

Basically, it’s a backup method should I lose the YubiKey, as I don’t have a backup YubiKey. Originally, I wanted to save some money. Therefore, I bought one of the expensive (€65) and one of the less expensive (€35) keys, to carry one with me and leave one at home.

But then when they arrived, I learned that the less expensive one only supports WebAuthn. My mistake, I didn’t know that when I ordered. I thought about sending it back, but as WebAuthn is even more secure, and I just need a backup in case I lose the YubiKey, it wouldn’t really matter. Would there be an option to change the default 2FA method? ^^

You can (and should) print out a 32-character recovery code and store that in your safe. Then, if you ever lose your Yubikey, you can use the recovery code to disable 2FA on your account.

With this method, you can remove the FIDO2 WebAuthn 2FA option and directly use YubiKey OTP as your 2FA.

I’m not saying there may not be other use-cases for your Feature Request, but I can’t think of any (which is why I had asked in my previous response).

That is a great tip! I completely forgot that I could recover my vault by just using the recovery code (that I’ve already printed out weeks before) in case I lose the YubiKey.

I also can’t think of any good argument as to why that feature would be important to some users right now. Other websites I use allow choosing a preferred method, and perhaps there are users who want to use their YubiKey even though they’ve configured Duo 2FA for whatever reason.

But yes, for my use-case, I will get along with your suggestion. Thanks again!


My guess is you have a YubiKey (possibly 5 series?) and a Yubico Security Key, the latter of which only supports WebAuthn and not Yubico OTP or the others.

If that’s the case, why not simply have your main security key set up as WebAuthn for 2FA in your vault, your backup YubiKey in the safe also set up with WebAuthn for 2FA login, and the 2FA recovery code as @grb recommends?

You can have up to 5 WebAuthn-compatible devices set up for 2FA on your Bitwarden vault, along with the remaining options you listed: Yubico OTP, Duo, TOTP authenticator app, and lastly email.
If you have your main security key with you, you could keep a 2FA backup method (either YubiKey or recovery code) in your safe, and another at a trusted contact’s house, so that even in a catastrophic disaster such as a fire you have an off-site recovery plan in place.

Kent, the main reason I didn’t suggest switching to WebAuthn was the fact that OP alluded to some problems using WebAuthn on his mobile devices. Either way, he’ll probably prefer carrying the Yubikey over the Security Key, since Yubikey OTP will be compatible with many more web services than FIDO2/U2F.

I agree that the YubiKey would be preferred as it has the broader functionality of the two; perhaps I misunderstood, as the OP referenced WebAuthn along with the YubiKey NFC.

You think so? I would imagine the opposite to be true; in my experience more sites have added support for FIDO2 WebAuthn than have added support for the proprietary Yubico OTP.

Yes, the original statement is ambiguous. I interpreted “Yubikey NFC” in that context to be a shorthand for “Security Key NFC by Yubico”, but in any case he is having some issue with WebAuthn on the mobile devices.

You are correct, I was confusing YubiKey OTP with the OATH-TOTP protocol that is also supported by the YubiKey 5 series. If the OP is using the Yubico Authenticator with TOTP seeds stored on the YubiKey, then my previous point (that carrying the YubiKey will provide greater flexibility) still holds.

Thank you all for your comments.

That is indeed correct. (And by YubiKey NFC I meant the YubiKey 5 series NFC; the Yubico Security Key is officially not called YubiKey, if I’m not mistaken.)

While that would be reasonable, there are a number of reasons why WebAuthn is not my preferred option, some of which @grb already mentioned.

The compatibility and convenience are the biggest reasons. For example, we use RoboForm at the office, where WebAuthn is not available.

Anyway, in the end, I should have just bought two YubiKey 5 series keys to prevent all of this. For now, I will probably just return the Security Key.

Again, thank you all for your help!


Yubico has had sales on Black Friday in the US, so you can save if you’re looking to pick up a spare 5 series key or two at a discount and can wait. Set up a trigger for when a slick deal pops up on any of the popular deal sites.

And it is possible to “clone” a key. It isn’t possible now with the current SDKs and provisioning toolkits, but the earlier versions of the YubiKey Personalization Tool GUI did allow you to view and inject the initial seed values for the key. Good thing I kept them around, although they do seem to still have the archived versions available.

The alternative and workaround was to force websites and authentication flows to support multiple, individual keys since they were unique (and thus, so are the challenge/response for each key). As should be obvious, not every website decided to support my planning ahead for failure with multiple keys. Hence I went with the cloning approach instead. One is my everyday driver, another is my “nearby” backup, a few are with relatives, and some more are SHTF backups in bunkers.

Thanks for the tip, I’m going to set up an alarm on a deal site I regularly use. I didn’t recognize any Black Friday deals where I’m located (Germany/Austria), but perhaps there will be a good deal over the course of the year 2023.

Was wondering about cloning keys. Interesting that it’s possible with the earlier versions of the YubiKey manager. Although it’s a potential security risk, isn’t it?

Luckily, I found that pretty much all websites I use that offer FIDO2 also allow setting up multiple keys.

This is really important, and personally (it’s a pain, I know) I have 3 YubiKeys in play.
One on my person, one at home in a safe for backup, and the last off-site at a secure trusted location. It’s a bit of a process to ever get them all together if I need to add a new service, but that is really only needed for the highest-importance ones that can even support it.

YubiKeys are pretty resilient, and I haven’t broken one yet (knock on wood :fist::wood:), but it’s always good to have a backup of some kind for your services.
If you are like me, you may also plan for disaster recovery too: what do you do if your house burns down, or gets robbed and all your devices are gone, etc.?
Likely you’ll have much larger concerns if the time comes, but much of our life is digital and online now. Trying to figure out and have a game plan for your critical accounts is helpful should it ever happen.

For everything else that is less important, that will eventually support FIDO2, or those silly services that for whatever reason only allow you to add a single YubiKey, the future holds passkeys; but we still have to wait a bit for those to really take off :wink:
