Restrict certain 2FA methods or require certain 2FA methods

Am I missing something? BW Enterprise new conversion from LP and it appears we cannot REQUIRE certain 2FA methods (or block certain ones). Prime culprit is email. Email 2FA is no 2FA at all in any opsec playbooks I have ever seen. For an enterprise-named product, it appears to be lacking in the ability to enforce something as important as that.

Am I missing something (hopefully)?

Hey Brian, best practice is to use Login with SSO and utilize your existing identity provider’s 2FA functionality.

We are set up for Azure AD SSO and have conditional access and MFA in it. Are you saying we would then disable MFA in Bitwarden altogether to avoid double MFA? I am unclear how that would impact lock/unlock vault situations during the course of a day, since that function would not trigger the SSO element part, right?

Correct, if you have MFA enforced at your IDP and you have conditional access, then additional 2FA on Bitwarden login would be redundant.

SSO, and similarly Bitwarden 2FA, is only used during Login and not Unlock; remember, this is used to validate authentication and login.
Decryption of the vault, though, still currently requires the master password (unless you self-host with key connector).
With the soon-to-come feature for Vault Timeout Enterprise Policy, you should be able to specify the Vault timeout action, either Lock or Logout of the vault, for your users.

Otherwise, either with the Bitwarden 2FA policy or your own SSO policy in place with your IDP, users can simply leave their vault locked and unlock with the master password, PIN, or biometrics.


Though I would also note, with the Bitwarden 2FA, users can also check the “Remember me” option, which will not require 2FA for 30 days.
So if you wish to have stricter controls, this is where SSO and conditional access policies on the IDP will help.

Excellent explanation - Thank you!