@MetBril @actuallymentor stated that he wanted to unlock the account with the yubikey after the extension(logged in) timed out.So in addition to unlocking the vault with yubikey, an option for the entry of master passoword or pin should be there. Then there won’t be any problem if he looses the key, right?
I subscribed to BW Premium and expected it to be possible to unlock with U2F/Yubikey in addition to logging in. Like instead of the PIN or biometrics option, which would be far more secure. Please consider adding it to all apps and (browser) plugins.
Everyone who owns a hardware security key knows the risks of leaving that key plugged in. But they will always carry it with them or have it stored in a secure location. The PIN is much easier to attack than the key generated by a Yubikey for example. I didn’t say make it default, I said add it as an option. If you advertise with U2F for premium subscribtions it should be possible to use at the level of locking/unlocking your vault instead of just logging in.
Technically U2F devices only support authentication, not encryption. It might be possible to play with the nonce in such a way as to lock the vault, but that abuses the protocol. And abusing a security protocol is generally considered bad security practice, which means Bitwarden would be criticized for bad security and fail security audits.
What happens when you unlock the app using a pin code or fingerprint ? I believe the secrets were not encrypted using those, so whatever mechanism already in place that allows for not typing the entire password when unlocking the app, and just rely on an authentication mechanism could be extended to use a yubikey, no ?
Lastpass doesn’t protect the vault with U2F. The server will refuse to send the vault to you if you don’t have the U2F key. But once the vault is copied down to a local machine, anyone with access to that machine, can copy the vault and attack the vault directly and ignore U2F.
A pin can be like a short password. While it is possible for the application to simply do an “if pin is equal” check and grant access, the proper way to to encrypt the password with the pin.
Think of it like this. There are two primary forms of “encryption” used to authenticate people
Simply hash their password and see if the hash matches then grant them access if they have the correct password
End to end encryption where the data is completely encrypted by their password and without the password, even if you were granted access, you still can’t see the data
U2F is #1. It’s only used to grant access, but cannot be used to actually encrypt.
There are ways around this to some degree. One example is yubikey hmac authentication. It is generally used similar to TOTP, except instead of current time, a nonce(random value to be checked) is used. Buuuuttttt… Instead of using a nonce, Keypass actually mixes the password with the HMAC, which means that if you don’t have a yubikey with that HMAC secret, you won’t be opening that vault.
Correct, but technically the vault is already encrypted by the password. The yubikey(HMAC) could be used to encrypt the hashed password locally, allowing you to unlock the vault by yubikey(HMAC) or your password.
The 2FA when 'Unlocking feature request implementation is great for when you are logging out of a device. However, this still does not implement 2FA when simply locking/unlocking the device, unless I am mistaken. It would be great if I could use biometrics+YubiKey to unlock BW on my Android.
As an example, back when I was using KeePassXC/KeePass2Android, KeePass2Android would store the master password and allow me to login via biometric. I then I could use ‘Password + Challenge-Response for KeePass XC’ as the master key type, which would prompt for my biometrics, and then asks for my YubiKey via NFC.
I’ve added a GIF’d example. I hope this makes sense. Thanks!
I think that if we did bring this functionality to the vault, we would need to make sure that it did actually control the encryption/decryption of the data (much like the PIN function) such that we don’t give users a false sense of security and have two different ‘locked’ states.