Require 2-step login options

Hello,

I wish there was a checkbox on the “Require two-step login” policy to only apply to “Master Password” logins. I’m currently using Entra SSO/SCIM with conditional access policies, one of which requires MFA. I don’t see the point in forcing my users to MFA into Bitwarden after MFAing into Entra simply to protect the Owner/Admin accounts, which are still capable of logging in with a master password even after enabling the “Require Single Sign-on Authentication” policy.

The objective for me is to force users to use SSO so that my IDP is still the single point of control and only require MFA for Bitwarden if the login method is “login with master password”. Since the “Require Single Sign-on Authentication” policy doesn’t apply to admins/owners, if their username/master password were to be compromised, the whole vault could be vulnerable, because it becomes an “honor system” for MFA enrollment vs. an enforcement.

This feels like a fairly simple and substantial missed opportunity. Adding the checkbox to the policy allows people the flexibility of continuing to require their staff login/MFA to the IDP as well as then MFA again as a tertiary authentication method for Bitwarden if they’d like… but that it’s no longer a requirement to do so.
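An added example, not part of the original post or of Bitwarden's own tooling, that audits the gap described above: it lists confirmed Owner/Admin members who have not enrolled in two-step login, i.e. the accounts that the SSO policy exempts and that a master password alone can still open. It assumes member records shaped like the Public API members response (`type`, `status`, `twoFactorEnabled` fields and the 0 = Owner, 1 = Admin, 2 = Confirmed codes), and the input below is constructed sample data.

```python
import json

# Member "type" codes (assumption, mirroring the Bitwarden organization API):
# 0 = Owner, 1 = Admin, 2 = User, 4 = Custom. Only Owner/Admin bypass "Require SSO".
PRIVILEGED_TYPES = {0: "Owner", 1: "Admin"}
STATUS_CONFIRMED = 2  # assumption: 0 = Invited, 1 = Accepted, 2 = Confirmed

# Constructed sample in the shape of a Public API /public/members response.
SAMPLE_MEMBERS = json.loads("""{"data": [
  {"email": "owner@example.com",   "type": 0, "status": 2, "twoFactorEnabled": false},
  {"email": "admin@example.com",   "type": 1, "status": 2, "twoFactorEnabled": true},
  {"email": "admin2@example.com",  "type": 1, "status": 2, "twoFactorEnabled": false},
  {"email": "user@example.com",    "type": 2, "status": 2, "twoFactorEnabled": false},
  {"email": "invited@example.com", "type": 1, "status": 0, "twoFactorEnabled": false}
]}""")


def privileged_without_2fa(members):
    """Return confirmed Owner/Admin members who have not enrolled in 2FA.

    With "Require Single Sign-on Authentication" enabled these accounts can
    still sign in with a master password, so without a 2FA requirement their
    protection rests on voluntary enrolment rather than policy enforcement.
    """
    findings = []
    for m in members:
        if m.get("type") not in PRIVILEGED_TYPES:
            continue  # regular users are forced through SSO (and Entra MFA)
        if m.get("status") != STATUS_CONFIRMED:
            continue  # invited/accepted members cannot open the vault yet
        if not m.get("twoFactorEnabled", False):
            findings.append({"email": m["email"], "role": PRIVILEGED_TYPES[m["type"]]})
    return findings


def main():
    for f in privileged_without_2fa(SAMPLE_MEMBERS["data"]):
        print(f"{f['role']:5} {f['email']}: no 2FA, exempt from the SSO policy")


if __name__ == "__main__":
    main()
```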