Question about Bitwarden addon

Hello, I have a question about the Bitwarden add-on/plugin on Firefox. I’d like to know and understand, in order to better protect my system, how does Firefox/Bitwarden store the authentication token in Windows 10? My account is protected by a physical YubiKey, and each time I restart my browser it will ask only for the master password. Could someone extract this info, should they gain access to my system remotely (or otherwise), and brute force it in order to extract the master key (and therefore log in locally without Yubico auth)? Thanks

Only the master password is used to encrypt and decrypt your vault. A security key only works as a form of 2FA during authentication to validate who you are, nothing more.

When you sign in to Bitwarden, two things need to happen: you need to authenticate to verify who you are and validate you will have access to the correct encrypted “blob” of your data stored in your password vault. You will also need to decrypt the encrypted data with your decryption key, which is derived from your master password.

Now the question comes: how do you authenticate and decrypt with the same master password while still maintaining a zero-knowledge architecture?
If you sign in to Bitwarden with your master password, you have just provided your master password to Bitwarden to verify your access to your password vault.

Basically it all comes down to how the underlying technology of Bitwarden works.
At a high level (as I understand it; anyone feel free to correct me), Bitwarden uses your master password + your email to authenticate. The master password is salted and hashed, and the resulting password hash is sent to Bitwarden to authenticate who you are and gain access to your encrypted vault. If you have 2FA, this is when you will be prompted.

After you enter your master password and authenticate with 2FA, Bitwarden will sync your encrypted vault. The master password is then used with additional fancy maths to give you an encryption key.
ONLY the encryption key can encrypt and decrypt your data; this is why having a long, strong, and unique master password is so important, and also why it is so important to never forget it.
The encryption key is only ever stored in memory on your computer, unless explicitly chosen by a user to never lock out. (Doing so comes with the risk of having the encryption key stored on disk, and even comes with an appropriate user warning. At a minimum one would want full disk encryption if choosing this option).

Further in depth details and specifics can be found here,


Have you perhaps set the browser to “remember me” for your 2FA? If so, this will not prompt you for it again until the 2FA session times out or your browser cache is cleared.

YubiKeys are very resilient to remote attacks. Even in the event you leave your YubiKey plugged into your PC, and someone is able to somehow remotely read the data off of it, the YubiKey still requires a physical touch to complete authorization.
Though if someone has possible malware on your device and has been compromised, the consensus is all bets are off. Depending on the type of malware, it could possibly access login sessions, data in memory, etc. This is why safe browsing practices are so extremely important.

Hope that goes to answer some of your questions and concerns you may be having!
-Cheers :smiley:

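The split between "authenticate" and "decrypt" described in the answer above, as an added example that is not part of the original posts and is not Bitwarden's own code. It assumes the PBKDF2-SHA256 scheme from Bitwarden's published security whitepaper (accounts may use a different KDF or iteration count); the function names are hypothetical, and the security key is not an input to any of these keys.

```python
import hashlib
import hmac

# Assumption: PBKDF2 scheme per Bitwarden's security whitepaper; the
# iteration count is a per-account setting, 600,000 is used here as a default.
KDF_ITERATIONS = 600_000


def derive_master_key(password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side key: PBKDF2-SHA256 over the password, salted with the email."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Value sent to the server to authenticate: one more PBKDF2 round over
    the master key, salted with the password. master_key itself is not sent."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretch_master_key(master_key: bytes) -> tuple[bytes, bytes]:
    """Encryption and MAC keys used locally to unwrap the vault's symmetric key."""
    return hkdf_expand(master_key, b"enc"), hkdf_expand(master_key, b"mac")


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    password, email = "correct horse battery staple", "User@Example.com"
    mk = derive_master_key(password, email)
    enc_key, mac_key = stretch_master_key(mk)
    print("auth hash (sent to server):", derive_auth_hash(mk, password).hex())
    print("enc key (stays on client): ", enc_key.hex())
```

Everything that decrypts the vault comes from the master password and email alone, which is why the strength of the master password and the KDF cost are what stand between a stolen encrypted vault and its contents.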

Sir, thanks for the exhaustive answer, this was an interesting read. Best regards :+1: