This is what I meant, if anybody is confused.
After entering our e-mail, the web vault will generate a QR code (optional). A person has to scan this QR code with the Bitwarden mobile app. They should be signed in on mobile to the account that the person wants to access from the web vault. So the master password will not be required.
Heavy support on this. A means of logging in without typing the master password is a big need for security. QR code is awesome; the other option would be using a fingerprint on an already logged-in device (such as your own phone) to approve login on another.
Signing in without a (monstrous) master password is a great option for me too.
I’m sure there are many ways to implement this, but one that immediately comes to mind is to generate an ephemeral key pair, encrypt the vault’s master secret with the public key, then the QR code could be the private key. The Bitwarden service should be able to look up the private key’s fingerprint and offer up the encrypted master secret, and the client can decrypt it and use it.
ECC keys are pretty small and should fit in a QR code. Probably want some sort of lifetime on these and probably a per-account limit, possibly of one. So creating a new one will remove any existing ones.
This process obviously requires the mobile App, so why not use a notification with a knowledge check (e.g. select “42” on your app) to verify the session you are authenticating. You can then use either a biometric or pin as a 2nd factor.
An example of this would be the Microsoft Authenticator app when using passwordless authentication on your MS account.
I mentioned MS Auth before here; it’s a good example of how it works. It could be approved by fingerprint, or by simply clicking ‘accept’ on your unlocked mobile app.
Good point about noting that this would be an online process. But you can’t just authenticate the session, you also have to transfer the secret, which Bitwarden does not have. You definitely do not want the secret transferred unencrypted. The existing session will need some way to transfer the secret to the phone and decrypt it there.
I really like the idea of accepting a sign in from a mobile device without having to scan the QR code. This sounds more convenient.
Authy has this system implemented and makes multi device sign in a breeze.
I have used this number token method of signing in with my Google account. Great idea!
Yes, Authy does have this, but you still have to enter in your password manually.
You still need a secure way to communicate your secret between the two devices in a way that an intermediate cannot read it.
In order to transfer your secret securely, you have to encrypt it… with a secret… then you have to transfer that secret securely. Turtles all the way down.
The QR code is something local that cannot be eavesdropped on by someone remotely; they must physically be in line of sight.
An alternative process that is closer to your suggestion:
- Authenticated device uploads ephemeral public key
- Unauthenticated device enters in username+2fa
- Unauthenticated device uploads its own ephemeral public key
- Authenticated device displays the fingerprint of the unauthorized device’s public key
- The end user compares the values and accepts them if they look the same
- Secret is encrypted and sent to the unauthorized device
Off the top of my head, a variation of this method should be nearly perfectly secure assuming the devices can generate enough entropy for strong ephemeral keys. And it comes down to the user properly validating the fingerprint.
If the end user didn’t properly validate this fingerprint and Bitwarden’s servers were to become compromised, it would be possible for an attacker to man-in-the-middle the exchange and possibly generate a key with a similar-looking fingerprint.
I registered using my phone number and I never entered any password. I did set a password for encrypting my backup, but that’s optional.
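The six-step exchange above, together with the earlier sketch of an ephemeral key pair whose private key rides in the QR code, as an added worked example in Python. This is not Bitwarden’s code and not code from any poster in this thread. It assumes X25519 for the ephemeral keys (the posts say only “ECC keys”), SHA-256 of the public key as the fingerprint each device displays, and an HMAC-based encrypt-then-MAC wrap standing in for a real AEAD; the function names, the in-process “relay” that plays the server, and the compromised-relay switch are all mine.

```python
import hashlib
import hmac
import os

# Constructed demo (not Bitwarden code). X25519 follows RFC 7748 in plain Python integers,
# so it is not constant-time; the wrap cipher is HMAC encrypt-then-MAC standing in for an
# AEAD such as AES-GCM, which the standard library does not provide.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder (RFC 7748 section 5): scalar * u, 32-byte little-endian each."""
    k = bytearray(scalar)
    k[0] &= 248                                   # clamp the scalar as the RFC requires
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                  # conditional swap (branch-free in real code)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)                         # the "enough entropy" assumption in the post
    return priv, x25519(priv, BASEPOINT)


def fingerprint(pub: bytes) -> str:
    """What a device shows the user: SHA-256 of the public key, in readable groups."""
    h = hashlib.sha256(pub).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))


def _stream(k: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))


def seal(shared: bytes, secret: bytes) -> bytes:
    """Wrap the master secret under the agreed key: keystream XOR, then a MAC over it."""
    k = hmac.new(shared, b"demo-wrap-key", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(secret, _stream(k, nonce, len(secret))))
    return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()


def open_sealed(shared: bytes, blob: bytes):
    """Check the MAC first; return None rather than a garbled secret on any tampering."""
    k = hmac.new(shared, b"demo-wrap-key", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(k, nonce, len(ct))))


def run_exchange(master_secret: bytes, relay_compromised: bool = False):
    """Steps 1-6 of the fingerprint protocol; the relay models the server, which only forwards
    keys and the sealed blob, and when compromised swaps in its own key (MITM). Returns
    (fingerprint on authenticated device, fingerprint on new device, recovered secret or None)."""
    auth_priv, auth_pub = keypair()               # 1. authenticated device uploads its key
    new_priv, new_pub = keypair()                 # 2-3. new device passes username+2FA, uploads key
    if relay_compromised:
        pub_seen_by_auth = pub_seen_by_new = keypair()[1]
    else:
        pub_seen_by_auth, pub_seen_by_new = new_pub, auth_pub
    shown_on_auth = fingerprint(pub_seen_by_auth)  # 4. shows the key it received from the relay
    shown_on_new = fingerprint(new_pub)            #    new device shows the key it actually sent
    if shown_on_auth != shown_on_new:              # 5. user compares the two displays
        return shown_on_auth, shown_on_new, None
    blob = seal(x25519(auth_priv, pub_seen_by_auth), master_secret)   # 6. seal to verified key
    return shown_on_auth, shown_on_new, open_sealed(x25519(new_priv, pub_seen_by_new), blob)


def qr_handoff(master_secret: bytes):
    """The earlier sketch: seal the secret to a fresh public key (ECIES-style), let the service
    index the blob by that key's fingerprint, and put the private key in the QR code."""
    qr_priv, qr_pub = keypair()
    eph_priv, eph_pub = keypair()                 # sender-side ephemeral key for the sealing
    service = {fingerprint(qr_pub): eph_pub + seal(x25519(eph_priv, qr_pub), master_secret)}
    qr_code = (fingerprint(qr_pub), qr_priv)      # what the scanning device receives optically
    blob = service[qr_code[0]]                    # client looks the blob up by fingerprint
    return open_sealed(x25519(qr_code[1], blob[:32]), blob[32:])
```

With an honest relay, `run_exchange` returns two identical fingerprints and the secret; with `relay_compromised=True` the two displays differ and the authenticated device never seals anything, which is the whole point of step 5. Only the key the authenticated device received needs a human check: if the relay swapped the key the new device received instead, that device simply fails to decrypt and nothing leaks. The demo shows a 128-bit prefix; given the post’s concern about similar-looking fingerprints, a real client would show the full digest or use a dedicated short-authentication-string scheme. `qr_handoff` needs no comparison step because the private key crosses only the optical channel described a few posts up.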
When I entered my phone number, Authy asked me to verify the login from a trusted device. No password needed.
I think a feature like this is more convenient than using a temporary master password. Of course, there may be situations where a user doesn’t have their mobile device with them.
Signing in with a trusted device/QR code is a must-have feature; it’s safe and convenient. Hope the Bitwarden team will add this to the 2021 roadmap.
In my case, the master password consists of a 6-letter word (remembered) + 72 random digits (stored on computer). I had to re-enter the whole password on each of my devices. So it would be much better if there was login using QR code scanning.
Were you aware that Bitwarden already supports a variety of two-factor authentication methods that are more secure than this?
I am not saying it is not valid. I am only wondering why it is needed.
WhatsApp is not zero-knowledge encrypted. Authenticating via QR is trivial. The problem is figuring out how to transfer the master secret in a secure way.