Restrict Auth/Login Method to *ONLY* Allow/Use YubiKey - with DUO as MFA?

In reading all of the documentation, other posts here, and research I’ve come across thus far as a new Bitwarden enterprise organization, I wanted to see if I could get some help in confirming a few things or find out what our exact options are, based on our environment and the information below:

We currently have and use DUO as our MFA throughout the organization; and have just recently begun testing, adopting, and soft-rolling out YubiKeys (PWDLESS) for IT Staff.

Our “ideal” goal for the setup/configuration of our Bitwarden implementation is to:

  1. Use YubiKeys for login/authentication and as the *ONLY* method that can be used for logging in.
  2. Then wrap Duo around it as our MFA/2FA, which we currently have in place and I’ve already set up/tested in our current tenant when going through the onboarding documentation.

We are flexible and still debating certain other org policies/options to help us try and achieve this, such as using or enforcing SSO/SAML, a single-account org, SCIM/account provisioning, etc.

Can anyone possibly shed light on the items above? I believe I came across a document or post that said it was not possible to restrict user authentication to only allow/use YubiKeys. We do not want to use them as the second step/2FA, as is most prevalent, and would like to stick with Duo.

Thank you in advance,

@CMAISD Welcome to the forum!

I myself am not familiar with Bitwarden’s full enterprise options, so only a few points that stuck out to me…

So, you’re speaking of “Log in with passkeys”, right? (–> login passkeys that are stored on YubiKeys, or any other hardware security key)

(I’m asking to clarify that – also because I don’t know of any other way a YubiKey would make it possible to log in to Bitwarden – but “Log in with passkeys” may not be available for you, depending on how you set things up… more on that below…)

If you speak of “Log in with passkeys”, then that works without 2FA/MFA (as passkeys are already considered to be MFA):

For personal usage, there is no way to restrict the login options. From what I understand, for enterprise usage, it depends on the way you set it up (e.g. SSO yes/no, trusted devices…) and maybe on some policies you may or may not have set up.

When you use SSO, you can’t use “Log in with passkeys” (!):

(–> https://bitwarden.com/help/login-with-passkeys/#passkey-restrictions)

The first thing you have to decide is if you want to use Duo as the Bitwarden second-step login verification (2SV) or as SSO.

AFAIK, there is no way of restricting a certain 2SV method for Bitwarden user accounts.

At work we also have Duo as our corporate IdP. We ended up setting Bitwarden login through SSO with Duo and enforcing the “Require single sign-on authentication” enterprise policy, leaving the authentication part entirely to Duo.

Then you will have to decide how your users are going to decrypt the vault after login. In our case we went for SSO with trusted devices.

I wish there was a policy to forbid SSO users from enabling Bitwarden 2SV, but there isn’t (this means that if a user enables Bitwarden 2SV and loses the authenticator or the recovery code, we will not be able to help him recover his account).

And you need to take into account that all this (as with most Bitwarden policies) only applies to non-admin Bitwarden accounts.