Option to force multiple login verification steps (force “multiple" 2FA / MFA)

Yes, both Master password and MFA each time you type in the Master Password.
This ensures there is no chance that there is a situation where you are typing just your Master Password, SSO pass or passkey only. Because all of those are fixed values that never change, if they are owned, they are compromised.

I will give you an example:
TikTok app has in their user agreement that they own all your devices if TikTok is installed on your phone. This means TikTok keylogs your PC if you have TikTok installed - without installing anything, by default. Coding a keylogger in TikTok is effortless and that is the workhorse entities like CCP (but not only) use to get most of the stuff there is in their database of compromised stuff.

MFA is the main defense against this.
If you are still confused, make an account on Binance or most bank apps.

Thanks for the additional context. Looking forward to any additional votes or community discussion on the topic.


Bitwarden Enterprise already has a policy option to require 2FA for all users.

Are you asking for a policy to disable the “Remember Me” feature (which disables 2FA for 30 days on a trusted device)?

Or, are you supporting OP’s feature request to have an option to require two independent forms of 2FA (i.e., three-factor authentication) each time that a user logs in?

I believe the OP is asking for having the functionality to do MFA during login: i.e. verify first by master password, then by device auth (2nd FA), then by email OTP (3rd FA). That is, utilize all FA methods during login at the same time.

I believe this is what @George_Savlovschi is asking for, as well.


@cosmos OP here, you’re right

Short notice: to prevent further misunderstandings, i.e. to make it more clear, I changed the title of this request from “Force multiple 2FA authentications” to “Option to force multiple login verification steps (1, 2, 3, 4,… steps - “multiple” 2FA / MFA)”.

PS:

I guess, you also mean a “forced three-step-verification” (?!) - because literally, “utilize all 2FA methods”, would mean e.g. 5 verification steps, if I had activated FIDO2-/“passkey”-2FA, email OTP-2FA, TOTP/“authenticator app” and Yubico OTP (besides the master password) as 2FA-methods…

Correct (if I understand correctly OP’s question). IOW, do MFA instead of 2FA.

I think it would be best to give the user the choice of 1, 2, 3, 4, … -FA to use. This would allow each user to decide for themselves whether they want 2FA, 3FA, …, 5FA.
I think the best solution is to be able to optionally set for each configurable variant (email code, TOTP code via mobile authenticator, YubiKey, etc.) that this method must be confirmed at each login. For example, if you now set up email and TOTP code in your account and activate this new option for both, you have to verify with BOTH methods every time you log in instead of being able to select one of them, as it is now.

That statement is a bit problematic, since MFA is the “umbrella term” and anything above “1FA” is MFA… so, 2FA is also one form of MFA. :wink:

As you can see, I changed the title again to represent that better.

In general, I think for this request, we should be clear about factors and steps in this context. The number of real factors is quite limited here - the three main factors are: know, have, be.

Fictitious example: you could have 3 steps of verification, but only 1 factor (so 1FA, if you will), if all three steps were knowledge-based.

The factors and steps are often used as if they meant the same, but they don’t… That’s why I wrote of “verification steps” in the title now, because I think you really mean that you want to have the option, how many and/or which concrete steps you want to “force”…


You are correct.

This is not possible because there are (only) three factors:

  • Something you know (e.g. a password, even if stored in a vault)
  • Something you have (e.g. TOTP or a YubiKey)
  • Something you are (e.g. biometrics)

Two factor authentication means using two distinct factors.

What is being discussed here is 3 (or more) login steps… 3SA, not 3FA.

Or, upgrade your second factor to be hardware-based (e.g. a Yubikey). That is how the standard differentiates “better” (AAL2) from “best” (AAL3).

Updating title in an attempt to simplify/clarify.

Was: Option to force multiple login verification steps (1, 2, 3, 4,… steps - “multiple” 2FA / MFA)

Now: Optionally require 3 or more login steps

Feel free to suggest something “better”.

Sounds like what you are requesting can be accomplished by
setting >> account security >> vault timeout to:

The idea being that MFA is required to login, but not to unlock. So, keep your vault logged out instead of locked.

And then do not check “remember me” on the MFA screen.

Careful about allowing “perfect to become the enemy of good”. Too much “forcing” tends to cause revolt, even if contrary to the user’s best interest. The better goal is strengthening the security posture while easing the user experience.

I have found that convenient authentications (e.g. biometric unlock) allow one to decrease the vault timeout. By auto-filling websites, one becomes much more willing to have a unique random password per site. And, by putting TOTP in the vault, along with “paste the token code”, nearly eliminates the resistance to turning on TOTP.

Perhaps the best example of this is passkeys. The vision is “no need to type a username or password”, yet we security-propeller heads get public-key encryption protecting the authentication ceremony.

> Careful about allowing “perfect to become the enemy of good”. Too much “forcing” tends to cause revolt, even if contrary to the user’s best interest. The better goal is strengthening the security posture while easing the user experience.

Yes you are correct, this proposed feature should only be available via a Settings on/off button because indeed as you explained it may be tedious for the user. It should not be on by default.

But I think it will be popular because people like me want security first and foremost from Bitwarden, not ease of use. If you just store passwords to your random fun sites and don’t care too much if they get stolen, then you won’t be using this feature.

But if you want to store credentials for work, banking, things that must remain secure at all costs, this feature should be there for such people.

I will remind you that when it comes to static passwords, it takes one failure to compromise a password, while the bad actor can keep trying. This feature would make that failure not matter as much, as the Master Password is not enough to authenticate.
It also eliminates the most successful ways to own someone’s password, which are social engineering and phishing. Clicking on some random link in your email or chat wouldn’t matter as much.

Furthermore, with state-level actor capability, it adds a significant level of difficulty to their efforts to own your creds, because they have to now own another device where you have authenticators, with multiple security features and that works in different ways (not the case today, but it would assure future situations).

Also, with paid API access to quantum computing and Google selling quantum computing chips, passwords and general encryption increasingly risk becoming obsolete (that’s my assumption as to why today we have features such as passkeys, which are harder to break encryption on, but not impossible). I wouldn’t be surprised if in the near future password creation will require at least 20 or even 30 characters on a password.

The best example on how this feature works is Binance.com
I stole this idea from them (and my work apps).

Let me try this, but last I checked it didn’t work correctly. But perhaps I didn’t make all the right settings choices.

@George_Savlovschi Almost all of what you are describing can probably be attained if you used passkeys for the Bitwarden account/vault…

Hopefully, in the foreseeable future, “login-with-passkey” passkeys will work not only for the web vault but with the other Bitwarden apps as well (browser extension, desktop app, mobile app…).

Actually, I think this “factors thing” is an interesting topic…

The need for 2FA / MFA arose historically, as I understand it, as the first factor - usually a password of whatever kind - has many weaknesses… just to name a few:

  • users tend to choose weak/bad passwords
  • users tend to re-use their passwords
  • passwords are phishable
  • passwords (or their hashes) can get leaked or stolen when databases of services get “hacked” (problem of all “shared secrets”, that they are stored by the services… in whatever form)
  • etc.

Of course, the FIDO alliance, as they “created” FIDO, FIDO2 and “passkeys”, are strong proponents of passkeys… and last year I first recognized a shift from proposing “applying more factors” to “passkeys eliminated the main weaknesses of our (previous) first factor (i.e. passwords)… so we have to think anew about factors”…

And as passkeys

  • are phishing-resistant
  • can’t be reused (in the sense you could re-use a password…)
  • are inherently “not weak” (in the sense of: no human creates the key pairs - so in theory long, random, “strong” … key pairs…)
  • and because of the public/private key pairs, a database breach of a service doesn’t reveal the private key of the passkey, but only the public key, which is not a problem…

… so most or all (?!) of the main weaknesses of our “former first factor passwords” are mitigated or solved…

So, as I see it, especially the FIDO alliance - but also some of their “members” and eventually also NIST ?! - shifts from “let’s use many factors” to “how about using maybe even only one credential, but that credential is now strong enough in the first place”.

Here an interesting and recent video (YouTube) about that shift: “Stop Counting Factors… Start Describing Authentication Events” – FIDO Alliance

Hi, @Nail1684 great points.

I have started the comments in this thread with the assumption that Bitwarden is a tool used by power users.
I don’t assume regular users use Bitwarden and I don’t know any who do.
Thus I think the password issues that passkeys chiefly fix do not apply to users like you and me.
If you think about it, the whole idea of Bitwarden is to keep unique passwords for multiple places and have a repository which keeps them safe, so we don’t have to remember and use them by typing them, which eliminates some attack vectors.

I have asked ChatGPT to come up with a deep search analysis on this matter to get into the details. I think it captured the issues well:

Summary and my opinions:

  • Passkey sounds good but in practice you end up with password fallback mechanisms which are extremely weak and invalidates the whole architecture (Ex: PINs).
  • Passkeys put a lot of the work on the server owner (for example: Google) some of which have had laughable security records (ex: Google) and have leaked passwords continuously for years. What’s to say they won’t leak passkey keys?
  • Passkeys are without a doubt awesome for people with “Password1” type of passwords and should be kept for these and convenient people.
  • MFA via authenticators (MFA via SMS or email link is weak and should not be discussed), especially those typed in, put all the control in your hands, they are hard to break because the codes are generated independently and compared on the server (that’s why your Google/MS/Etc authenticator works without internet on your phone). Unless the way the authenticator code gets leaked, it’s impossible to figure out how to generate codes.
  • MFA remains vulnerable to your device being owned, copying sessions and other types of attacks that are listed; however, a lot of them can be mitigated by a careful and knowledgeable power user.

I suggest that this feature nonetheless get coded and remain optional, right next to the passkey option.


I would question that assumption, as probably all kinds of users use Bitwarden… :wink:

What is your definition of a “regular user”? My impression is, even in this forum there are many (mostly?) regular/normal users…

And why would that be the case? – Many of the weaknesses of passwords apply to their nature itself, regardless of who uses them.

E.g. the Bitwarden master password remains essentially phishable, regardless of how strong it is or who uses it.

And TOTP codes – e.g. if you use TOTP codes as 2FA for the Bitwarden account/vault – are also essentially phishable. (–> everything you enter somewhere, can be intercepted)

True, but as explained above, some weaknesses remain there with passwords… and now, you changed the topic somehow from “login to the Bitwarden account/vault with 1FA/2FA/3FA” to the security of “passwords, stored in Bitwarden”…

  1. Passkeys are far from perfect at the moment - or rather, passkeys for itself are designed well, I guess, but how services implement them (if at all) is problematic - and the fallback / account recovery mechanisms are one problem…

  2. … but, even if there is a “fallback” problem - passkeys are also more safe, when you use them, as a passkey is not phishable, but passwords are… so it’s simply not true that the “fallback problem” invalidates the whole architecture

  3. What do you mean by PINs in this context? – If you e.g. mean a FIDO2 PIN of a YubiKey, that also doesn’t invalidate the whole security… you can only try that PIN 8 times wrong and then the FIDO2 credentials get deleted on the YubiKey, so of course don’t choose a very weak PIN, but the PIN is not comparable to a password here…

That wouldn’t be a problem. The servers only store the public key part of a passkey. That part of the key pair is “public” - and can be public. No attacker can do anything meaningful with it.

As stated above, weak/bad passwords and password-reuse is one problem, passkeys “solved”… but even for people with long, random, “strong” passwords, passkeys are “superior”, as even the strongest passwords are still phishable, whereas passkeys are practically not…

As stated above, e.g. TOTP codes can be phished. Enter your master password and current 30-second TOTP code on a fake Bitwarden website once, and the hacker could login immediately and deactivate 2FA directly (just an example - please don’t do that! :sweat_smile:). It doesn’t need a complicated “hack” to “figure out how to generate codes”. (BTW, Roger Grimes has some good videos where he talks about “hacking” / bypassing 2FA/MFA, though most videos are a bit older and are somewhat pre-FIDO2/passkeys… that one is about 2 years old: https://www.youtube.com/watch?v=8c0ZIvYAVoE)

Of course, one has to be “reasonable” as a user as well - and e.g. keep the system up-to-date, don’t click on links in emails etc. … but I’m personally more with those “security experts” who “confess”, they wouldn’t trust themselves never becoming victims to sophisticated phishing / hacking attacks etc. – That power user who thinks it can’t happen to them… scares me. :wink:

So, apart from all their flaws in implementation etc. - passkeys / FIDO2 still have the advantage of mitigating many weaknesses of passwords and “questionable user behaviour” as well (setting up weak passwords, re-using them, being prone to phishing attacks etc.).

I don’t know, maybe it’s me, but I work with non-technical people who have a hard time finding what their email address is; having those people use Bitwarden is hard. I guess what I am saying is that there are a lot more technical people that use Bitwarden than non-technical people. And although non-technical people may benefit the most from it, it is not yet user friendly enough to compete with the likes of ATMs.

I guess what I am saying is, at least we know what phishing is and more likely than not we won’t fall for it, and even if we do, we know what to do about it.

No point of contention from me here.

No no, sorry if I sound like I am derailing this thread; it’s okay to put me back on track, I was merely giving a general explanation. Despite the weaknesses, I think we both agree that more security of any kind is better, with the condition that it’s designed well.

I disagree as even an average attacker will go for the weak point instead of anything else. The attacker won’t try to phish your passkey or do anything other than trying to phish your PIN → add his device as a backup → authenticate himself with it. That’s what I meant in this comment.

State actors such as China and TikTok have background services collecting keystrokes. If the PIN is input on a phone that isn’t secure, or the app is not secure, the input can be copied.

Yep, I am wrong there.

I noticed that Microsoft have a more robust system now, which eliminates the need for typing in stuff, by having a button choice for the right answer.

I think this is a case of falling for one’s joke. Sure you can be phished, but you also can likely change your password faster than the bad guys can get you. :wink:
Believe in yourself!!!

To conclude though, although passkeys seem stronger, they just seem to shift attack vectors, but not really be stronger. My chief problem remains with the unknown architecture, which can literally be systems without a password.

Yeah, that’s probably true in general!

I may (still) not fully understand about which PIN(s) you are talking, so maybe explain that a bit more.

If I think about Bitwarden-login-passkeys on my YubiKeys again (or other hardware security keys or devices)… That FIDO2 PIN of the YubiKey I need to enter works only for/with the YubiKey then. Even if that PIN would get stolen - as long as they don’t have my YubiKey, then they don’t have my part of the passkey, and can’t do anything with that PIN.

Yeah, that may make it a bit better… but then we have the next problem of MFA-fatigue attacks, accidentally tapping the right choice etc. (what also counts as a form of “phishing”, I guess) :sweat_smile:

Hm, of course, the whole “chain” is only as strong as its weakest link. But that doesn’t make the “strong parts of the chain” also weak themselves. (PS: and those “weakest links” - like fallback/account recovery - were already weak before an account began to offer/use passkeys for authentication… :wink: That did not suddenly become weak, only because passkeys were introduced. :sweat_smile:)

About the “unknown architecture” – true, and I’m no expert myself in that area. There is a great video I can recommend that explains the technology/mechanisms behind it: “PASSKEYS - What they are, why we want them and how to use them!” by John Savill (YouTube).

Circling back to the login to our Bitwarden accounts/vaults, there is another “great news”: Bitwarden doesn’t have those fallback/recovery mechanisms you (validly) mentioned. (PS: Neither for the master password nor for any of the 2FA methods or the 2FA recovery code – nor another way around those)

So, you could set up an insanely strong master password, only write it on your emergency sheet(s)… and only use login-passkeys now. – As long as you don’t use your master password now, it truly can’t be phished or obtained in any other way. And (repetition :sweat_smile:), there really is no fallback/account recovery for your BW account then, which could be the “weakest link”.

Two caveats:

  • only true for individual / families accounts… (as far as I know, when you use an enterprise account with SSO you can’t use login-passkeys… and enterprise accounts have an account recovery mechanism)
  • and - as mentioned above - login-passkeys are still in Beta, and what I suggested would only be fully usable, when you could use the login-passkeys not only with the web vault, but also with the other Bitwarden apps (desktop app, browser extension, mobile app…)

PS: To my suggestion before the two caveats: of course I would also set up 2FA for the Bitwarden account - and also store the 2FA recovery code on the emergency sheet. – With the login-passkeys though, you wouldn’t need that extra 2FA for the Bitwarden-login then.

Note: I changed the title again (before, it was “Optionally require 3 or more login steps”), as already 3 login steps are required (usually), and I think the new title reflects the original requests better.