As I’ve learned from a request to support, the vault data stored in the cloud is secured by the master password but not by a potential additional 2FA hardware key.
2FA on the other hand additionally secures the login process via the interfaces (web, add-on, app).
So, my guess is the following would be a good tradeoff between security and convenience, but I would like to hear others’ opinions about that:
- Have a strong master password to protect the vault data in the cloud.
- Have 2FA and a weak (easier / faster to type) or even no ‘login password’ (different from the master password) to log in via the interfaces (web, add-on, app).
That way users could easily log out at a timeout and log in again fast and conveniently (hardware key attached at the PC and NFC at mobile).
And by choosing no password or any ‘login password’ strength, each user can align it to their individual threat model.
I’m referring to a hardware token with 2FA in my considerations.
PIN or fingerprint lock at the app has no additional 2FA (or I didn’t find it).
For now I only see either no timeout at all (for convenience) or having to use the strong master password, but nothing in between.
2FA is for authorization only, not for encryption. It’s not possible to use 2FA for encryption because the information that is transmitted changes. The fact that it changes is what makes it something else besides a password and thus why it’s the second factor.
A solution you might be looking for is to use the PIN and then use the static key in a Yubikey to fill that in.
@dangostylver Thanks for the reply and the clarification on 2FA/encryption.
I don’t want to change the encryption. That’s done with the master password and should stay that way.
As far as I understand Bitwarden so far, that could mean my thoughts would only apply to lock and not to log out. But that would already be an option for me.
PIN by static key in a Yubikey is a good proposal for a workaround I haven’t thought about yet. But that would mean using the second slot (looong press) or having that key set only to that single static key, and therefore not being usable for other logins.
Also one could add an individual short password afterwards to have both hardware and knowledge, but again that seems even more like an external workaround to me.
In addition, PIN was not very attractive to me because, as I understand it, it’ll be gone once logged out and then would need to be re-set manually.
I’m thinking more towards solutions implemented within Bitwarden and less towards external workarounds. The main reason for that is to motivate less tech-savvy family members to use a password safe.
‘Press the Yubikey looong, not short, otherwise it won’t work, and then try to select the end of an input line with the touchscreen of a mobile phone and type your additional password’ probably would scare them away.
So would your concerns also apply when that ‘login password’+2FA would be used for lock (so not affecting the encryption as I understand)?
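To make the two points in this thread concrete (the reply above that 2FA is for authorization and not for encryption, and the question of what ‘lock’ versus ‘log out’ means for the key), here is an added illustrative example. It is not Bitwarden’s code and not from anyone in this thread; the class, the XOR key wrapping, the iteration count and the sample salt are all hypothetical. It shows three things: a key derived from the master password is a stable function (so it can encrypt), a TOTP code is a function of the clock (so it changes and cannot be key material), and a lock can keep the master key wrapped under a PIN-derived key so that only the PIN is needed to unlock, whereas a log out discards that wrapped copy and forces the master password again.

```python
"""Illustrative example (added here; not Bitwarden's code): why a 2FA code
cannot serve as key material, and how 'lock' differs from 'log out'."""
import hashlib
import hmac
import secrets
import struct

# Constructed parameters for the example; real clients use their own.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Password-based key derivation: the same password and salt always
    produce the same key, which is what encryption needs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=KEY_LEN)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends on the current
    30-second window, so it changes over time and cannot decrypt anything."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=KEY_LEN)


def _xor_wrap(key: bytes, wrapping_key: bytes) -> bytes:
    """Toy key wrapping by XOR (a real client uses authenticated encryption)."""
    return bytes(a ^ b for a, b in zip(key, wrapping_key))


def _key_check(key: bytes) -> bytes:
    # Key check value: lets unlock detect a wrong PIN or password without exposing the key.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


class VaultSession:
    """Toy model of a client's key state (hypothetical, not Bitwarden's design)."""

    def __init__(self, master_password: str, salt: bytes):
        self._salt = salt
        self._master_key = derive_master_key(master_password, salt)
        self._check = _key_check(self._master_key)
        self._pin_salt = None
        self._pin_wrapped_key = None

    def is_unlocked(self) -> bool:
        return self._master_key is not None

    def enable_pin_lock(self, pin: str) -> None:
        """Wrap the master key under a PIN-derived key; only possible while unlocked."""
        if self._master_key is None:
            raise RuntimeError("unlock first")
        self._pin_salt = secrets.token_bytes(16)
        self._pin_wrapped_key = _xor_wrap(self._master_key, _pin_key(pin, self._pin_salt))

    def lock(self) -> None:
        """Lock: the usable key leaves memory, the PIN-wrapped copy stays."""
        self._master_key = None

    def log_out(self) -> None:
        """Log out: nothing derived from the master password survives."""
        self._master_key = None
        self._pin_wrapped_key = None
        self._pin_salt = None

    def _try_unlock(self, candidate: bytes) -> bool:
        if not hmac.compare_digest(_key_check(candidate), self._check):
            return False
        self._master_key = candidate
        return True

    def unlock_with_pin(self, pin: str) -> bool:
        if self._pin_wrapped_key is None:
            return False  # after a log out only the master password helps
        return self._try_unlock(_xor_wrap(self._pin_wrapped_key, _pin_key(pin, self._pin_salt)))

    def unlock_with_master_password(self, password: str) -> bool:
        return self._try_unlock(derive_master_key(password, self._salt))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP at t=59:", totp(rfc_secret, 59), "at t=89:", totp(rfc_secret, 89))
    session = VaultSession("correct horse battery staple", b"user@example.com")
    session.enable_pin_lock("1234")
    session.lock()
    print("unlock with PIN after lock:", session.unlock_with_pin("1234"))
    session.log_out()
    print("unlock with PIN after log out:", session.unlock_with_pin("1234"))
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, SHA-1), so the code values can be checked against the RFC; the point for the thread is that the same secret yields different codes at different times, which is exactly what makes it useless as a decryption key and useful as a login factor. The `VaultSession` class is only a model of the idea that a lock can keep a wrapped key around while a log out cannot.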
It’s best to keep things simple, especially if they’re less tech-savvy.
I notice that people, especially people new to password managers, can get carried away with security. They add and change so many things that don’t need to be changed and end up hurting themselves in the end.
This is not to knock your idea, it could be useful, but I feel it’s better to keep things simple, especially if you’re less tech-savvy. If you’re using a password manager you’re doing better than the majority of people, so don’t overthink it too much.
Oh, I’ve been using KeePass for many years now.
Bitwarden usage for me was to be able to explain it to my family as I try to convince them to use a password safe.
As I understand it right now, I can provide / recommend to my family:
- Get a BW family account to take the premium costs from them - done
- Recommend them to use a strong master password (explaining passphrases) - done
- Provide and setup Yubikeys to them - done
- Set timeout to never and lock at the PC browser add-on, as otherwise you actually have to type the strong master password 2 times when using Yubikeys in addition (reference thread) - seriously, you can’t explain the 2*repeated strong password input to someone you want to convince to use a piece of software.
- Set timeout to ~5 minutes and lock + use fingerprint to unlock at the mobile app.
However, I’m not comfortable with the latter two items.
And the Yubikeys could be used better in my opinion without sacrificing convenience too much.