Option to force multiple login verification steps (force “multiple” 2FA / MFA)

Hi sorry for the late reply, I have little free time these days.
I mean the PIN option available on your BW mobile (Android):

It may be anecdotal but I can foresee Apple users (but not only) used to this feature avoiding other stronger locking mechanisms for convenience.

Well, unfortunately, there’s no chance of both convenience and security, at least I don’t see a product that does both well (but that may be more ignorance than lack of such products).

However, the reason I suggested this feature as optional is for the people who care less about convenience and more about security. I for one have easy-to-type passwords which are made in a way where they are decryption-unfriendly (full sentences, huge length, excessive use of space) and human-friendly (sentences that make sense, instead of short passwords with random characters or symbols), so I have no issues typing in passwords all the time. Indeed, because of very restrictive work practices I have to remember my passwords. I mainly use BW for passwords that are not important (for example my Steam account, which I just use for browsing random stuff and not buying anything).

I think your logic is incorrect here.
As a thief, would you go for the 100kg main entrance door with 5 locks or the back-wall window that you can just lift up with one arm?
The security system is as strong as its weakest component, not as strong as its strongest (weakest link).
That’s why generally in robust enterprise networks there is such a thing as “defense-in-depth”, where all possible security measures are applied, regardless of their strength.

For example, you may have a Linux server with SSH support which has a strong non-root user as its main user, and the root user has its password set as well, or even renamed or deleted.
Adding more layers there to achieve “defense-in-depth” would for example be to add a firewall that blocks all ports including the SSH port, as well as moving that SSH port to another port (for example from 22 to 3022).
By themselves these are weak security features, but together they make the system very strong.
In general to be more secure you want “defense-in-depth”.

When faced with strong security, attackers have fewer easy choices:

  • break everything step-by-step, which may end up failing at any step
  • look for easier targets (usually preferred by most attackers - that’s why most spam and scam victims are old retired people while almost nobody above 30 would fall for that).

That is great, but in practice it did happen once that I mistyped a password and I was locked out. Luckily I kept trying and found the typo eventually. But that is a horribly close call; this imho isn’t a good feature. We are water bags with feeble mush brains, we need backups!
I think my answer to that would be to eventually buy a BW subscription so I can unlock my account or host locally a BW server.

Perhaps then that the MFA options would be usable to unlock the account?
For example, you lose your master password, but you can use your authenticator’s MFA code/slide/choice, an email code and some other stuff like a passkey as a 3-step process (or a minimum 2-step process) to unlock your account.

I tried passkeys from Google, just to see what happens, and I did have a good experience unlocking things faster. However, you can still fall back to weaker methods like passwords and SMS as an attacker.
Also the passkey becomes useless if whatever phone you set it up on becomes unusable (gonna register one on my other phone too haha, so I don’t get screwed).

But just to not lose track of the point, the issue remains where we don’t know how Google manages passkeys and what their security is like, and we will never know unfortunately.
In which case, a very strong master password (30+ characters) may be preferable and more secure than a passkey (If one can remember it lmao :stuck_out_tongue: )

1 Like

@Nail1684 Please let me know what’s confusing, I typed that up quickly.

Sorry for that long delay… one reason for that (and the “confused” smiley) was, I had the impression we are going in circles here now, at least in some regards… I’ll try to comment on some things (not all), and probably only where I don’t agree. :wink:

Yeah, well, though passkeys are not very easy/convenient in some (!) aspects, they have at least some potential to be both convenient and secure (at least in a happy place in the future).

Well, I think I literally wrote also that “a chain is only as secure as its weakest link”. So no argument to that and I agree to that. But nonetheless, some change has to be introduced somewhere first. – And I think I wrote before, that account recovery is something on the “radar” of e.g. the FIDO Alliance, and they think of how that can be made also more secure.

And, even if account recovery may be the weakest link - you still don’t choose “password123” as your password. But why, when you still have So you try to make your passwords “strong” - even if there is a weaker link. So, if passkeys make one part of the chain stronger, there is nothing wrong with that. (or put in other words: because one link is weak, it also makes no sense to make all other links also more weak)

As written before: change naturally comes bit by bit. – Of course, it would be nicer, if the whole chain could be made stronger at once. Unfortunately, doesn’t happen. :melting_face:

I don’t really understand your answer here, or rather I would say your concerns here can be remedied with an emergency sheet for your Bitwarden account/vault – and with having some “login-with-passkeys”-passkeys for Bitwarden, that can log you in to the web vault (but unfortunately, those can’t replace the Bitwarden master password for now – see e.g. this feature request: Options to allow PRF Passkeys to authorize actions and account/security changes protected by Master Password).

Unlock (!) with passkeys is not available at the moment - see this feature request: Unlock with FIDO2/“passkeys”

Well, but you can store passkeys in Bitwarden… I personally also trust my Bitwarden account more than my Google account. And with passkeys in the Bitwarden vault, e.g. changing phones becomes less of a problem - you can access the passkeys as soon as you login to your BW mobile app again…

And regarding “login-with-passkeys”-passkeys for Bitwarden, I wouldn’t store them in my Google account either (but on security keys and maybe via Windows Hello in my case…).

Well, in principle any password - that you enter somewhere - remains phishable. So there are not few who regard a phishing-resistant passkey on e.g. a YubiKey far more secure than a “strong password”.

But I would like to conclude with: I’m not really against this feature request! I think our discussion just began with my opinion/suggestion “this request would probably be implemented, if we could use “login-with-passkeys”-passkeys in all BW apps to login”. And I still think, that “login-with-passkeys”-passkeys would be as secure as master password + 2FA + another 2FA (= “multiple 2FA”), or probably even more secure.

(to the last sentence: e.g. master password + TOTP + email verification would IMHO be not as secure as a “login-with-passkeys”-passkey – it depends on how you define 2FA/MFA, or rather as a real second factor, or if you view it as “only” 2SV = two step verification, and not necessarily making use of all three factors know / have / be)

PS: And to this feature request here: it remains the question if using the same factor (e.g. the knowledge factor) “twice” would even be more secure – and on the other hand, using a 2FA-“passkey” for Bitwarden is already the strongest form of 2FA for Bitwarden, and it remains questionable whether adding “another 2FA” to that would make the BW login stronger at all)

Thanks for the reply.
It’s been a long time.

Can you explain why you think passkeys may be more secure than MFA (2 or more factors), in your opinion?

I have explained that the passkey only requires access to one single device (for example your phone) which may have laughable security like Apple Face ID or even multi-number PIN codes like I have mentioned. On top of that I don’t think you mentioned anything about how the usual suspects like Google, who have lost several password databases to hackers, handle the security of passkey keys (I assume they have some sort of keys).
In short I see no reason to use passkeys except for convenience and novelty.

Meanwhile, a 3-factor authentication like for example the one I have experienced with Binance requires access to your password (which is phishable - but you can also store it in a PM); it requires an authenticator app code or push notification code check, which is usually not allowed to be accessed on your phone without strong encryption, which may be another strong password or fingerprint ID. And lastly you get the 3rd factor, which is an email code that, with the nifty email identifier feature that Binance has, can never be hijacked (but can be phished).

Phishing becomes less of a concern with very short authentication windows for 2nd and 3rd factor methods.

First, I think it is a false dichotomy you declare here, as passkeys can also be used by some services as a second factor themselves (or as the “first factor”, and you can set up another “second one”).

Then, you now compared it with a passkey in Google or iCloud Keychain… That can be debatable how much “MFA” that is… But a passkey on a hardware security key (like a YubiKey) is indeed pretty much “MFA”: you need to HAVE the passkey/YubiKey, and you need to KNOW the FIDO2-PIN of the hardware key. (I exclude biometric hardware keys for now)

And that’s how the FIDO Alliance sees it:

(–> Passkeys: Passwordless Authentication | FIDO Alliance (in the Passkey FAQs there))

Phishing becomes less of a concern with passkeys:

(–> Passkey Security | Passkey Central)

1 Like
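As an added illustration of the origin binding behind the phishing-resistance claim in the linked FIDO material (example code written for this thread, not Bitwarden’s or the FIDO Alliance’s): a toy relying party and authenticator in Python. HMAC stands in for the passkey’s private-key signature, and the hostnames are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy model of WebAuthn origin binding. HMAC stands in for the
# authenticator's asymmetric signature; the RP_ID / RP_ORIGIN values are placeholders.

RP_ID = "vault.example"              # relying party ID the passkey was registered for
RP_ORIGIN = "https://vault.example"  # origin the relying party expects to see

class Authenticator:
    """Like a security key: one credential per relying party ID."""
    def __init__(self):
        self._creds = {}  # rp_id -> secret (stand-in for the private key)

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stand-in for handing the public key to the RP

    def get_assertion(self, rp_id, client_data):
        # Credentials are scoped to rp_id; a lookalike domain gets no assertion at all.
        if rp_id not in self._creds:
            return None
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._creds[rp_id], signed, hashlib.sha256).digest()

def client_data_json(challenge, origin):
    # The browser records the origin it actually loaded; the user cannot edit it.
    return json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()

def rp_verify(cred_secret, challenge, client_data, assertion):
    """Relying-party check: fresh challenge, expected origin, valid signature."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge.hex() or cd.get("origin") != RP_ORIGIN:
        return False
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(assertion, hmac.new(cred_secret, signed, hashlib.sha256).digest())

def login(auth, cred_secret, page_origin):
    """One login: the browser derives rp_id from the page it really loaded."""
    challenge = secrets.token_bytes(16)          # issued by the RP, single use
    rp_id_seen = page_origin.split("://", 1)[1]  # host part of the loaded origin
    cd = client_data_json(challenge, page_origin)
    assertion = auth.get_assertion(rp_id_seen, cd)
    if assertion is None:
        return "no credential for this site"
    return "ok" if rp_verify(cred_secret, challenge, cd, assertion) else "rejected"
```

A password or TOTP code has no such binding: the same string is accepted wherever it is presented, which is the “phishable” property the thread contrasts passkeys against.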