What will this feature do differently? It will increase the security of your account
What benefits will this feature bring? It will allow you to add a third step when logging in, which will further increase security
I propose to add the option to set up 3-step verification, it may look exactly the same as now with 2-step verification.
I would like to set a password + U2F key + code from email on my account
Or password + U2F key + code from a code generating app such as Authy / Google Authenticator
At bitwarden, I keep all my passwords and safe notes, I wish I could keep my account extra secure.
Another solution that could be added is a separate login password and a separate decryption password, as is the case with Proton mail login. First, bitwarden would ask for login details, ie email + login password + 2FA, and then a second password to decrypt the passwords. Of course, only as an option for those who are interested.
Maybe it's a cool feature to create 3FA, because I store 2FA codes in there as well, because I am kinda lazy. I have 2FA on my account now, but for extra security, 3FA may be a good option, like an Authenticator app and email code to get in.
You don't log in that often; just lock the Vault in the extension or the Android app.
This could make sense if you are a high risk target. For example, Binance does this. But, it’s an unusual practice. For cloud-based password managers, the 2FA doesn’t secure the online vault. Its purpose is to give permission for your device to receive the vault - it’s really only device authentication, which is why you always see the “Remember Me” checkbox defaulted with a check on services because how many times do you need to authenticate your device? Your Master Password then decrypts the vault. So, multiple forms of 2FA have limited value. For example, how many times does someone need to authenticate their device to log into a single session? “First factor: Is this device authenticated to receive the vault? You: Yes. 2nd Factor: Are you sure? You: Yes again. Password: Okay, here’s your encrypted vault, now type your password and I may let you in your vault if you type it correctly.”
Someone who needs this level of security would typically already be using security keys. If you are using a security key, you can set a PIN of any length which will effectively act as your 3FA (PIN+tap key+type password). The PIN affords protection from local attacks; the tap affords protection from remote attacks. Alternatively, if your data needs such heightened security that you need 3FA, you may be a good candidate to be using a non-cloud password manager such as Keepass so you can secure the vault yourself in encrypted offline or local storage, away from a cloud-based blob of many accounts.
Hello, I've noticed that I can add 2FA with a code generator and email 2FA. But when I try to log in, the email is used as a second option to log in, which makes it useless for me. I want to use both types for login, as it is realized in other password managers, like NordPass (input a master password, email code and after that an app-generated code). Also you could use email for confirming login with a link, not a code, but it is not so important. It will be a great new feature for BW.
I would like to see an actually simple extension for Bitwarden: Forcing 2 2FA authentications at login.
Let me explain it with a fictional scenario:
I have a Bitwarden account with all my passwords + 2FA via auth app and email.
But now someone hacks my email address, finds out that the account is registered with Bitwarden and cracks my password there too. Then you have to pick one thing to get through the 2FA. Since the hacker already has access to my email account, the 2FA is useless in this case.
If you had to go through 2 2FA authentications, the first one would go to the email the hacker has, but then you would still have to retrieve the code on my phone. And of course the hacker doesn’t have that.
You can also flip the whole example around so that the hacker has access to the phone [e.g., stolen?] but not the email.
I don’t think that’s strictly necessary, but it would be a simple step to allow users to make their account more secure.
As simple as in the title. The possibility to create an additional security layer, e.g. where you have to enter e-mail + password, TOTP code AND a code by email to log in. Here the email would be the additional security layer.
That would be a simple step for much more security.
There is a standards document that describes three “levels” of authentication.
Multi-factor is the middle level (“AAL2”). The way to move to the highest level is not to use another “something you have”, but rather to require that one of the authentication components be hardware-based. In the case of Bitwarden’s master password the typical approach is to use a YubiKey, preferably one that does Webauthn.
@DenBesten … and here I can add again, that the “FIDO2 Webauthn” 2FA-option for the Bitwarden account also works with e.g. Windows Hello and at least Android devices*** - it does not have to (only) be a YubiKey. (though I use my YubiKeys for that as well)
*** I couldn’t test, whether other platforms like MacOS TouchID/FaceID and/or iOS devices work as well
@XHyperDEVX … and regarding the last posts - and I don't want to criticize your suggestion - but I would suggest that changing to "FIDO2 WebAuthn" as 2FA could be the better alternative to "TOTP + email".
FIDO2 WebAuthn provides phishing resistance, which neither TOTP nor email provides. And as I tried to write above in the other post: you may already be able to use FIDO2 WebAuthn as Bitwarden-account-2FA… it’s not only for YubiKeys
Yes, I mean in principle it's not complicated (I don't know from the programming side, because I don't know how Bitwarden authenticates the users). It's just one more query.
Yes, YubiKeys are secure. Let's include that in my example:
I have a master password, a TOTP code generator on my phone and a YubiKey at home.
Now I have lost my phone and someone finds it and finds out my master password through other ways.
Now he would get into my Bitwarden account without any problems (assuming he gets into my phone first).
With this extra layer of security he wouldn't be able to get in, because he still needs my YubiKey, which is at my house, safely stored.
And vice versa, if someone steals my YubiKey, they would need my phone to get into my Bitwarden.
-x-x-x-x-x-x-x-x-
Yes, the whole thing is rather unlikely. But it is one more level of security. And more security = better or not?
That would also be the case if the YubiKeys were your only activated 2FA.
Yes, one more layer… but more layers = better? I’m not so sure about that.
The more layers, the more "attack surfaces" as well.
The more layers, the more probable it becomes that you yourself lose access to Bitwarden, if one of the layers gets lost and all layers are needed to log in. (And there are many people who say that losing access to your password manager may be more likely than getting the password manager hacked.)
Yes, but now there is only one level of security at most. Then there are two, and even if one of them were to be hacked, the other would still exist.
Yes, the attack surface is larger, but there is also more protection, even if one is successfully hacked.
That's right, that's why it shouldn't be mandatory, but an option. Option ≠ Must.
You take a higher risk, but you have more security. For users who don’t want to take the risk, simply don’t use the feature.
PS: The risk of losing your account increases as soon as you set up the first 2FA level
Sorry, I don’t understand what you mean by that. What has the YubiKey directly to do with your phone?
As I see it, now you have already three layers of security for a Bitwarden account (not looking at specific devices):
1. choose a very private email address which "nobody knows" and is not leaked anywhere → the email address works as a kind of "username" for Bitwarden and, as I understand it, is even part of the encryption of the vault (PS: now that I think of that… it would be wise not to choose "remember email" on every device… I will think of that myself for some devices)
2. very strong master password + protect it as well as you can
3. set 2FA → FIDO2 WebAuthn for max. protection
How is this “only one level of security at most”?
Of course - but then you have the 2FA recovery code as well. In your suggestion, would there be a second recovery code then? Or would the "only" recovery code "turn off" two "second factors" then?
To get the protection from the Yubikey, you need to disable TOTP as a 2FA method for your Bitwarden account. In your scenario above, the phone thief would not be able to log in to your vault, even if they find out your master password.
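As an added illustration of the two points made above (the "more layers = more lockout risk" exchange, and the note that the YubiKey only protects you if TOTP is disabled), here is a small probability model. This is not code from the thread or from Bitwarden; it assumes every factor is independent, and all the probabilities in it are constructed numbers chosen only to make the comparison visible. It compares "any one enrolled second factor is accepted" (how the thread describes today's login) with "all enrolled second factors are required" (the proposal), plus a YubiKey-only setup, and replays the stolen-phone scenario.

```python
from dataclasses import dataclass
from math import prod

# Hypothetical model, not Bitwarden's implementation: every factor is assumed
# independent of the others, with a constructed probability that an attacker
# obtains it and a constructed probability that the legitimate user loses it.
@dataclass(frozen=True)
class Factor:
    name: str
    p_compromised: float  # attacker gets hold of this factor
    p_lost: float         # legitimate user loses this factor


# Constructed sample values (not measurements).
MASTER_PASSWORD = Factor("master password", 0.05, 0.01)
TOTP_PHONE = Factor("TOTP app on phone", 0.02, 0.05)
YUBIKEY = Factor("YubiKey (FIDO2 WebAuthn)", 0.001, 0.03)
EMAIL_CODE = Factor("email code", 0.03, 0.02)


def p_second_factor_passes_for_attacker(second_factors, require_all):
    """Probability the attacker satisfies the second-factor step.

    require_all=False: any one enrolled method is accepted (the behaviour the
    thread describes), so the attacker needs only one of them.
    require_all=True: every enrolled method must be presented (the proposal).
    """
    if require_all:
        return prod(f.p_compromised for f in second_factors)
    return 1 - prod(1 - f.p_compromised for f in second_factors)


def p_second_factor_fails_for_user(second_factors, require_all):
    """Probability the legitimate user cannot complete the second-factor step
    (the 2FA recovery code is deliberately left out of the model)."""
    if require_all:
        return 1 - prod(1 - f.p_lost for f in second_factors)
    return prod(f.p_lost for f in second_factors)


def account_risk(second_factors, require_all, password=MASTER_PASSWORD):
    """Return (p_compromise, p_lockout) for the whole login.

    The master password is always required: the attacker needs it AND must
    pass the second-factor step; the user is locked out if the password is
    lost OR the second-factor step cannot be completed.
    """
    p_compromise = password.p_compromised * p_second_factor_passes_for_attacker(
        second_factors, require_all)
    p_lockout = 1 - (1 - password.p_lost) * (
        1 - p_second_factor_fails_for_user(second_factors, require_all))
    return p_compromise, p_lockout


def compare_setups():
    """The three setups discussed in the thread, under the constructed numbers."""
    return {
        "TOTP + YubiKey, any one accepted": account_risk([TOTP_PHONE, YUBIKEY], False),
        "TOTP + YubiKey, both required": account_risk([TOTP_PHONE, YUBIKEY], True),
        "YubiKey only": account_risk([YUBIKEY], False),
    }


def stolen_phone_scenario():
    """The thread's scenario: the attacker holds the master password and the
    TOTP phone for certain. Returns (p_compromise any-of, p_compromise all-of)."""
    stolen_totp = Factor("TOTP app on stolen phone", 1.0, 0.0)
    known_pw = Factor("master password (known to attacker)", 1.0, 0.0)
    any_of, _ = account_risk([stolen_totp, YUBIKEY], False, password=known_pw)
    all_of, _ = account_risk([stolen_totp, YUBIKEY], True, password=known_pw)
    return any_of, all_of


if __name__ == "__main__":
    for setup, (p_c, p_l) in compare_setups().items():
        print(f"{setup:36s} compromise={p_c:.6f} lockout={p_l:.4f}")
    print("stolen phone + known password, any-of vs all-of:", stolen_phone_scenario())
```

Under these constructed numbers, requiring both factors drives the compromise probability down by orders of magnitude but multiplies the lockout probability, and the any-of setup with a stolen phone gives the attacker a certain login no matter how good the YubiKey is, which is exactly why the post above says to disable TOTP if you want the key's protection. YubiKey-only sits between the two on both axes.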
@XHyperDEVX, I think the general picture being conveyed to you here is that there are many more ways in which you can lose or be defrauded of access to critical things than will ever be covered by a marginal gain from multi-2FA.
I can lock keys in a safe within a safe each with multiple combination locks, and still lose in other ways whatever that safely-held key unlocks.
That is merely my view of the situation. The proposal is yours to make and to support to garner votes. The fact that each of us has (or for some, had) only 20 votes ever to give means that priorities tend to be assessed carefully for each person’s circumstances.