Re-prompt by 2FA methods (alternative to master password re-prompt for individual item protection)

I request the option to set 2FA on specific items. So after master-password and 2FA entrance into the vault, there is an option to add additional (and perhaps different) 2FA to access certain items.

Example:
The majority of my logins/secure-notes can be accessed via master-password and 2FA from an authenticator app—this way I can get my daily use (and less sensitive) passwords/data on all devices. However, for certain sensitive items, I wish to require additional 2FA from, say, a yubikey. This also makes sense when computer manufacturers start including built-in (hardware) 2FA. In that case, certain items would only be accessible on certain machines.

In essence, this request is similar to the request to support multiple U2F keys, with the addition of being able to require any of the multiple keys to access specific items in the vault.

I hope that makes sense, thanks!

Partly duplicate of this post Require master password "re-prompt" for some items, though I saw no mention of 2FA (only password and fingerprint)

Hello,

I got this idea last night:

If 2FA is configured, since account security is already reduced when using the browser extension with a master password (2FA only required while setting up the extension initially), not to mention the reduced security when using a numerical pin.

Why not have the option, to require a yubikey tap (if configured), in order to autofill or view a password, when the vault is unlocked?

In a sense this would serve as an additional layer of protection.

Also, if the browser extension files are compromised by a malicious actor, and even if that actor gets a hold of the master password/pin, they wouldn’t be able to use the data without the physical Yubikey.

Let me know what you folks think!

This is not accurate. No matter whether using a browser extension or any other Bitwarden client app, 2FA must be provided on every login when 2FA is enabled for the account (unless you have checked the “Remember me” option when logging in previously on a specific app, which designates that particular app as trusted).

Ah understood.

But still, do you agree that it would add to security and convenience, in the case where most users wouldn’t need to type their complicated master password and also tap the Yubikey every time, compared to just entering a single pin, but requiring a Yubikey tap for each autofill, while maintaining a high level of security?

Personally, I am happy with the way things work presently (since I don’t allow other people to access my devices), but I would like to clarify your Feature Request and determine if you are requesting something that has not previously been requested.

There are two or three relevant existing Feature Requests:


Please let me know if one of the above Feature Requests would address your needs (in which case you can add your support to the Feature Request in question, and I will close this thread).

Alternatively, if you feel that your request is sufficiently different from the others that it should stand on its own, please clarify if you want the Yubikey protection to apply to every vault item when enabled, or whether it should be a modification of the Master Password Re-Prompt feature (which applies only to individual items for which this extra protection has been enabled).

(since I don’t allow other people to access my devices)

Of course, me neither. I’m talking about hypothetical scenarios where a bitwarden device (high probability for desktop, lesser for mobile), is compromised using malware or 0-Day exploits.

Out of the 3 feature requests, mine is most similar to the 3rd one, except with a slight modification.

It does seem convenient to unlock the browser extension vault with a Yubikey, but also having the option to require a Yubikey tap in order to autofill is a “more secure” option, which is what I am proposing, in addition to the features of the 3rd feature request.

So perhaps my post can be linked over there or something similar?

EDIT: Actually, when I think about it, unlocking the vault with ONLY a Yubikey tap, makes the vault easily compromisable, physically.

My final proposal for potential new features:

  • Option to require Yubikey tap (or biometric 2FA) ALONGSIDE master password or pin, when unlocking a previously registered browser extension
  • Option to require Yubikey tap (or biometric 2FA) in order to view or autofill vault entries from browser extensions. This makes the vault more secure in the case of browser extension file compromise + master password/pin compromise (Additional layer of encryption basically)

There is little or nothing that can be used to protect your secrets if this happens.

The above is identical to another existing feature request (Require 2FA during unlocking process ), you can just vote for that request.

This would be essentially equivalent to another of the previously mentioned feature requests (Adding Biometric/PIN authentication with Master password re-prompt ), except that you are asking for additional encryption (whereas the Master Password Re-Prompt feature is just an access control function and does not add extra encryption).

So what you’re asking for is to encrypt sensitive information (what exactly — only the passwords and custom hidden fields, or the entire contents of every vault item?) using a Yubikey or biometrics before encrypting a second time with the account encryption key. Thus, after unlocking the vault (which deciphers the contents using the account encryption key), the protected contents would still be encrypted until decrypted using the Yubikey or biometrics.

Perhaps you can flesh out the proposal a bit, and add an update to your top post. I would also suggest changing the feature request topic title to something like “Second Encryption Layer for Passwords Using Yubikey/Biometrics” (to distinguish it from the other, existing feature requests).

What do you mean by “browser extension file”?

That “little”, is my proposed feature. If the extension vault data is compromised, and even the pin, the attack would be fruitless without the physical yubikey.

Voted, thank you.

In a way, yes, the request is similar, though my request is leaning towards having an option to require both pin, and biometric/hardware 2FA.

The actual implementation, be it double encryption, isn’t within my field of expertise, and I’m sure someone could make a proper recommendation.

I was referring to the vault data from the browser extension: /home/user/.mozilla/firefox/....

It seems I cannot modify the original post, nor the title.

“Double encryption” is not some standard technical term, it just refers to the fact that Bitwarden already encrypts your vault data using an encryption key that is obtained from your master password, and now you want to additionally encrypt some or all data a second time, using the Yubikey — thus, “doubly” encrypted.

Let me know how you would like to word your revised title and the updated text to your top post, and I can make the revisions for you.
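To make the second encryption layer discussed above concrete, here is an added illustration that is not Bitwarden's code: the YubiKey is simulated by an HMAC-SHA1 challenge-response function, the cipher is a stdlib encrypt-then-MAC construction standing in for a real AEAD, and all keys and field values are constructed sample data. Unlocking the vault strips only the account-key layer; the field stays ciphertext until the token responds to the item's challenge.

```python
import hashlib
import hmac
import os

def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for a YubiKey HMAC-SHA1 challenge-response slot (assumption).
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream generator.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def protect_field(account_key: bytes, token_secret: bytes, secret: bytes):
    # Per-item challenge stored alongside the item, so one token response
    # cannot be reused to open a different item.
    challenge = os.urandom(32)
    item_key = hashlib.sha256(token_response(token_secret, challenge)).digest()
    inner = seal(item_key, secret)          # layer 1: hardware-token key
    outer = seal(account_key, inner)        # layer 2: account encryption key
    return challenge, outer

def reveal_field(account_key: bytes, token_secret: bytes, challenge: bytes, outer: bytes) -> bytes:
    inner = unseal(account_key, outer)      # vault unlock removes only this layer
    item_key = hashlib.sha256(token_response(token_secret, challenge)).digest()
    return unseal(item_key, inner)          # token tap removes the second layer
```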

Enable 2FA per item and allow multiple emails to receive 2FA code

Feature function

Feature: Instead of toggling 2FA per account globally allow to toggle 2FA per item in the vault
Use Case:
I use bitwarden to store all the credentials I may have to enter in a browser (including low security items like some random web shops etc and high security items like admin to my NAS and bank accounts etc). Also I want one or more other trusted persons to be available to access my credentials in case of emergency without them needing to know my master password, details see below.

In addition, I set up my wife to be able to access the same bitwarden account in case she needs access to things and I am unable to do so (accident or whatever).

Currently, the only way to partition credentials into high security (with 2FA) and low security (without 2FA) is to have two separate bitwarden accounts. This is cumbersome during daily usage (all my browsers on desktop and mobile are logged into one bitwarden account and switching accounts back and forth is a pain). Also, things get much more complicated for my wife in case she needs to access things (now she is set up to access one account and will find all credentials there (using bio unlock on her mobile, so she does not even need to know the master pwd), no need to know/handle a second account).

To make this use case complete, it would be even better if I could set multiple emails for 2FA (so myself and my wife) so that she would also get the 2FA code without additional effort when she needs to address something, just use her fingerprint and then the 2FA code from the mail when accessing the more secured credentials.

Having 2FA for everything seems also cumbersome and over the top for low security credentials (user account to post comments on some random web page etc)


I just saw that you have Log In With Emergency Access | Bitwarden, so the wife part here is handled. Still, configuring 2FA per credential would be appreciated.

I agree, this is a natural extension to using the Master Password re-prompt to protect individual login items. But based on that webpage’s warning message, this re-prompt is not an encryption mechanism, just an interface-guard rail. I think the underlying vault encryption seems to be tied deeply to the entire vault itself and adding another layer 2FA for handpicked high-security logins may not be straightforward (not a Bitwarden dev, so just a guess).

But the suggestion is fantastic. It’s so awkward to use 2FA when I’m on the bus or train, just to login to some casual website.

this.

This is one of the few things my management wants to be implemented.
Thanks for the request, you have my vote!

I like the idea of a High Security option for e.g. bank info. Because I don’t trust the bitwarden addon in firefox (on Linux) I have a second bitwarden account without the bank stuff in it. It’s a real pain when needing to add a new login to a website as I need to add it to both vaults.

But I’m not sure about using an authenticator to do this as it doesn’t solve the security problem if the phone is stolen, AND I live in an area where mobile is NOT always available. Maybe Face ID would be a nice quick way to get to the HIGH SECURITY folders.

I am currently not a premium subscriber, BUT if you added the functionality of being able to choose which credentials are 2FA protected, I WOULD PAY FOR PREMIUM.

Don’t leave that revenue on the table. Make it happen folks.

Feature name

  • Selectively require an extra MFA/2FA step for viewing and copying secrets from an unlocked password manager.

Feature function

I would like to keep my accounts in a central location with my tokens, but require one of my configured (Duo, Yubikey, ie a TOTP on a separate device/service) MFA/2FA methods to access secrets of an already unlocked password manager.

Using BW to store TOTP codes and passwords is great, obviously, it’s a password manager. However, info-stealer malware is focusing on stealing credentials from password manager extensions more and more.

When using a password manager, the convenience of storing username, password, and now more commonly a TOTP code is convenient. However, a security versus convenience shift is happening away from security. Having an unlocked password manager is becoming a risk and using a master password to continually unlock is annoying if not a risk. I’d rather not move all my TOTP tokens to Microsoft Authenticator or Google Auth to mitigate my concerns of losing 2FA/MFA on my stored account secrets.

It would be nice to utilize a master password sparingly and for important changes, then utilize a configured account MFA/2FA regularly for secrets or TOTP tokens before the token can be accessed on the password manager. If these tokens are sniffed they are short lived and not as easily replay-able.

If malware attacks on password managers become more common, utilizing a store of TOTP tokens is less and less safe.

Related topics + references

I would like to second this proposal. Especially when accessing a secret in public (eg on my phone while on the subway), having to confirm my password in plain view of cameras or other people is a security risk. Being able to simply tap my Yubikey to my phone as a confirmation option would be a huge improvement.

Feature name

TOTP Re-prompt

Feature function

Master password re-prompt is good, but TOTP is better. My master password is long, tedious, and nearly impossible to guess, as it should be, but that makes inputting it a hassle. I’d rather have the option to add individual TOTP per vault item. It could either re-prompt the default TOTP for my Bitwarden account or possibly generate a new one that is specific to the vault item.

Related topics + references
