I would like to understand how getting a vault and unlocking works.
I am not sure if I understand it correctly, but I currently understand it like this:
- To get the password vault, one has to log in, which needs the master password and optionally 2FA (a YubiKey or TOTP, for example).
- Then the app (browser, mobile) puts the vault into its cache somehow, which then is accessible offline.
- One can “lock” the vault, making it still accessible offline and without 2FA.
- For unlocking, one can unlock it via the master password or via a PIN.
- Logging out essentially means clearing the offline cache, and one has to log in again.
- If one wants to always enforce 2FA, one needs to log out; this is not possible offline-only.
So, first I would like to just ask if I am understanding the above correctly.
The following would be nice:
- Being able to unlock via more methods, like using a security key or TOTP
- Being able to enforce 2FA offline as well (not sure how well this works from a security standpoint because offline, one can tamper with the clock and therefore with TOTP and other 2FA options, I guess…?)
I have found the following posts about this:
- How to use YubiKey for unlocking - solution
- Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password) - #135 by grb
- Also information in an update post on the Bitwarden announcements site talking about vault lockouts as a new feature, but I am only allowed to include two links per post here on Discourse, apparently.
Are there any recommendations, setups, updates, news, or just general knowledge things that you can tell me about?
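As an added illustration (not part of the original post and not Bitwarden's own code), here is a simplified Python model of the login/lock/unlock/logout flow described above: the server checks the second factor only when it hands out the encrypted vault, while lock and unlock are purely local operations on the cached ciphertext, which is why a second factor cannot be enforced offline. The cipher, the PIN key-wrapping scheme and the sample vault are constructed toys, not the real implementation.

```python
import hashlib
import hmac
import os

# Simplified model of a password-manager client (constructed example, not Bitwarden's own code).
# The cipher is a toy: HMAC-SHA256 keystream plus HMAC tag, for illustration only, not a real AEAD.
def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range((n + 31) // 32))[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Client:
    """Holds the cached (encrypted) vault and, while unlocked, the key that decrypts it."""
    def __init__(self):
        self.cache = self.salt = self.key = self.pin_salt = self.pin_wrapped = None
    def login(self, password, second_factor_ok, server):
        # Only the server checks the second factor, and only before it hands over the vault.
        if not second_factor_ok:
            raise PermissionError("server refused: second factor required")
        self.salt, self.cache = server["salt"], server["vault"]
        self.key = derive_key(password, self.salt)
        return unseal(self.key, self.cache)
    def lock(self):
        self.key = None  # ciphertext stays cached; only the key is dropped
    def set_pin(self, pin):
        self.pin_salt = os.urandom(16)
        self.pin_wrapped = seal(derive_key(pin, self.pin_salt), self.key)  # vault key wrapped under the PIN
    def unlock(self, password=None, pin=None):
        # Purely local: no server round trip, so no second factor can be enforced here.
        if self.cache is None:
            raise RuntimeError("logged out: nothing cached, log in again")
        key = derive_key(password, self.salt) if password else unseal(derive_key(pin, self.pin_salt), self.pin_wrapped)
        data = unseal(key, self.cache)  # raises on a wrong password or PIN
        self.key = key
        return data
    def logout(self):
        self.cache = self.key = self.pin_wrapped = None  # clear the cache; next access needs login and 2FA
```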