[Security Feature] Option to require Yubikey tap, to autofill or view password, within browser extension


I got this idea last night:

If 2FA is configured, since account security is already reduced when using the browser extension with a master password (2FA only required while setting up the extension initially), not to mention the reduced security when using a numerical pin.

Why not have the option, to require a yubikey tap (if configured), in order to autofill or view a password, when the vault is unlocked?

In a sense this would serve as an additional layer of protection.

Also, if the browser extension files are compromised by a malicious actor, and even if that actor gets a hold of the master password/pin, they wouldn’t be able to use the data without the physical Yubikey.

Let me know what you folks think!

This is not accurate. No matter whether using a browser extension or any other Bitwarden client app, 2FA must be provided on every login when 2FA is enabled for the account (unless you have checked the “Remember me” option when logging in previously on a specific app, which designates that particular app as trusted).

Ah understood.

But still, do you agree how it would add to security and convenience, in the case where most users wouldn’t need to type their complicated master password and also tap the Yubikey every time, compared to just entering a single pin, but requiring a Yubikey tap for each autofill, while maintaining a high level of security.

Personally, I am happy with the way things work presently (since I don’t allow other people to access my devices), but I would like to clarify your Feature Request and determine if you are requesting something that has not previously been requested.

There are two or three relevant existing Feature Requests:


Please let me know if one of the above Feature Requests would address your needs (in which case you can add your support to the Feature Request in question, and I will close this thread).

Alternatively, if you feel that your request is sufficiently different from the others that it should stand on its own, please clarify if you want the Yubikey protection to apply to every vault item when enabled, or whether it should be a modification of the Master Password Re-Prompt feature (which applies only to individual items for which this extra protection has been enabled).

(since I don’t allow other people to access my devices)

Of course, me neither. I’m talking about hypothetical scenarios where a bitwarden device (high probability for desktop, lesser for mobile), is compromised using malware or 0-Day exploits.

Out of the 3 feature requests, mine is most similar to the 3rd one, except with a slight modification.

It does seem convenient to unlock the browser extension vault with a Yubikey, but also having the option to require a Yubikey tap in order to autofill is a “more secure” option, which is what I am proposing, in addition to the features of the 3rd feature request.

So perhaps my post can be linked over there or something similar?

EDIT: Actually, when I think about it, unlocking the vault with ONLY a Yubikey tap, makes the vault easily compromisable, physically.

My final proposal for potential new features:

  • Option to require Yubikey tap (or biometric 2FA) ALONGSIDE master password or pin, when unlocking a previously registered browser extension
  • Option to require Yubikey tap (or biometric 2FA) in order to view or autofill vault entries from browser extensions. This makes the vault more secure in the case of browser extension file compromise + master password/pin compromise (Additional layer of encryption basically)

There is little or nothing that can be used to protect your secrets if this happens.

The above is identical to another existing feature request (Require 2FA during unlocking process ), you can just vote for that request.

This would be essentially equivalent to the another of the previously mentioned feature requests (Adding Biometric/PIN authentication with Master password re-prompt ), except that you are esking for additional encryption (whereas the Master Password Re-Prompt feature is just an access control function and does not add extra encryption).

So what you’re asking for is to encrypt sensitive information (what exactly — only the passwords and custom hidden fields, or the entire contents of every vault item?) using a Yubikey or biometrics before encrypting a second time with the account encryption key. Thus, after unlocking the vault (which deciphers the contents using the account encryption key), the protected contents would still be encrypted until decrypted using the Yubikey or biometrics.

Perhaps you can flesh out the proposal a bit, and add an update to your top post. I would also suggest changing the feature request topic title to something like “Second Encryption Layer for Passwords Using Yubikey/Biometrics” (to distinguish it from the other, existing feature requests).

What do you mean by “browser extension file”?

That “little”, is my proposed feature. If the extension vault data is compromised, and even the pin, the attack would be fruitless without the physical yubikey.

Voted, thank you.

In a way, yes, the request is similar, though my request is leaning towards having an option to require both pin, and biometric/hardware 2FA.

The actual implementation, be it double encryption, isn’t within my field of expertise, and I’m sure someone could make a proper recommendation.

I was referring to the vault data from the browser extension: /home/user/.mozilla/firefox/....

It seems I cannot modify the original post, nor the title.

“Double encryption” is not some standard technical term, it just refers to the fact that Bitwarden already encrypts your vault data using an encryption key that is obtained from your master password, and now you want to additionally encrypt some or all data a second time, using the Yubikey — thus, “doubly” encrypted.

:point_right: Let me know how you would like to word your revised title and the updated text to your top post, and I can make the revisions for you.