I would like an option for the PIN to be used when logging into Bitwarden with a hardware key.
The hardware key has a PIN. I have seen this used on only a few websites I visit. I want to type in my master password and log in with my hardware key, with it asking for the PIN of the hardware key.
I worry that if I am on a public computer and a stranger uses my yubikey they only have to press the button after I already type in the master password.
I recommend that Bitwarden should have an option in the settings to require a PIN code from the hardware key every time a user tries to log in. Currently, when using the FIDO2 method, the PIN code is not requested; only the pressing of the hardware key is required. It’s essential for security that the Bitwarden web vault, browser add-on, and mobile apps prompt for the PIN code associated with the hardware key, rather than just requiring the pressing of the key button without any additional validation. This additional layer of security is important for preventing unauthorized access.
@otokoshiro I changed the tags of your request to “password manager” then (the “authenticator” tag is for the 2FA authenticator app of Bitwarden)
When a hardware key is used for two-step login, it acts as a second factor (“something you have”). It complements the primary factor (username/password, which is “something you know”). This behavior is completely consistent with best practices for 2FA (and matches the behavior of many other websites).
If you want to use three-factor authentication, then you can use something like the YubiKey BIO.
If I use a YubiKey bio, there is another risk of someone forcing me to use my fingerprint to authorize my account opening. The whole point of this argument is that I want to keep some of this, like the password and the PIN code, in my head. So I am not forced to open anything. I do not want to open anything.
To me, my point of view is that the PIN code is presented here as an additional security measure, and I think that it should be used as a third authorization.
I can understand your concern.
I would probably never have this problem, but I do think of others, such as journalists.
I’m an American citizen, but that does not guarantee that if I visit some other Western country, they might have a different view of how things are and might not respect my rights.
To clarify, I view having the password and a PIN for the hardware key in my head as a security measure. They would also look for my PIN.
The same question still applies: What would be a plausible scenario under which an adversary (e.g., a repressive government or law enforcement agency) would be able to acquire the journalist’s master password, but at the same time be prevented from acquiring the hardware key’s PIN?
Even if one could somehow get the master password and the PIN code for the hardware key, layering one’s security will make it harder for others to access the data.
But my point is that an adversary who has the master password most likely also has the PIN, so there would be no added protection from the PIN (unless you or someone can point out a scenario under which an adversary could acquire your master password, but plausibly be prevented from acquiring your hardware key PIN).
I’m trying to say to you that if I commit to memory my password and hardware key PIN, they are less likely to use the hardware key, let alone my master password. I’m trying to clear up that misunderstanding. Sorry, but I am done with this conversation.
User verification is not recommended for 2FA because the user will have already entered a shared secret (password) sent to the server over the network. In this case, explicitly set userVerification to discouraged. Otherwise, a superfluous user verification step will be required for users that have set a PIN or enrolled a fingerprint on their security key, creating a bad user experience.
Asking for a second password/pin when logging in makes no sense. If you feel that your master password is not enough and a second hardware key pin should be required, just combine your current password and pin to form a stronger master password. There is no need to complicate the login process with multiple passwords.
If you want extra security for your hardware key, do what has been already recommended to you: use something like a YubiKey Bio, which already reinforces its security with biometrics (I do that myself, btw).
And… if you do not like the idea of User Verification via biometrics of the YubiKey Bio, you can get another hardware key that lets you turn on the Always Require User Verification setting.
Hey @otokoshiro are you using the Yubico authenticator app? You can already set up a pin for your hardware key before being able to decrypt your vault with the passkey stored there.
Sidenote: I merged two requests here. Though the used language somewhat “differs” between the posts, both threads were about optionally requiring a PIN when using the FIDO2-/“passkey”-2FA option…
“I get how it works now. I’m not confused. I want a setting to force my YubiKey PIN every login after my master password. Why? If I use a public PC and someone grabs my key right after I type my password, they can just press the button and get in. That’s it. Can we add this or not?”
But what if they grab your key right after you type your password and your PIN? How does the forced PIN protect you then?
Besides, the feature that you request is already available, if you just acquire a modern Yubikey (Firmware version 5.7 or higher), and enable the alwaysUV flag.