Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

@tgreer closed the 2FA when ‘unlocking’ feature request due to the new “force 2FA upon timeout”.

While that is a great feature it is not what the majority of the people in that thread meant.

Lastpass has this great browser extension feature that allows a user to unlock with their Yubikey, without typing a password. This is fast and far more secure than typing a password.

This feature request is to allow a flow where:

1. User has a logged in browser extension
2. Browser extension locks after x minutes (already possible)
3. Unlocking can be done with Yubikey alone (no password)

I would like to stress again that this is a different feature than what the recent update introduced and that the unlocking with 2FA if what post people in that thread were looking for.

Small addition: this is not a fringe feature, it is central to a lot of organisations that use Lastpass.

I personally prefer using my password (I know) to unlock instead of the second token (I have). If someone steals my token or if I leave it in the device the feature is of no use.

I also use my iPhone Face ID or Touch ID which are superior to my yubikey.

@MetBril
@actuallymentor stated that he wanted to unlock the account with the yubikey after the extension(logged in) timed out.So in addition to unlocking the vault with yubikey, an option for the entry of master passoword or pin should be there. Then there won’t be any problem if he looses the key, right?

The user story says unlock with yubikey only. That is something I wouldn’t want.

Ok. I get you. Unlocking only with Yubikey would be risky.

@MetBril it’s about unlocking after timeout yes. It would even be reasonable to hard-lock (with password) every X days.

This would never allow anyone to unlock an account for the first time on a device with Yubikey only.

My Lastpass workflow used to be:

1. Log in with password & yubikey
2. Auto-lock on display timeout
3. Unlock with Yubikey only

I subscribed to BW Premium and expected it to be possible to unlock with U2F/Yubikey in addition to logging in. Like instead of the PIN or biometrics option, which would be far more secure. Please consider adding it to all apps and (browser) plugins.

Also signed up for this, same as @koval 2FA when 'unlocking'

Really? How more secure is it if you leave your key lying around or even plugged in?

Everyone who owns a hardware security key knows the risks of leaving that key plugged in. But they will always carry it with them or have it stored in a secure location. The PIN is much easier to attack than the key generated by a Yubikey for example. I didn’t say make it default, I said add it as an option. If you advertise with U2F for premium subscribtions it should be possible to use at the level of locking/unlocking your vault instead of just logging in.

How more secure is it if you leave your key lying around or even plugged in?

2FA is mostly a buffer against nonlocal attacks. And as silvershadow states those with hardware keys are also those who know how to use them.

The PIN is much easier to attack than the key generated by a Yubikey for example

Indeed. I’m more worried about a keylogger than I am about my yubikey being compromised.

I didn’t say make it default, I said add it as an option

I agree. This is the kind of thing the security minded users would use.

Technically U2F devices only support authentication, not encryption. It might be possible to play with the nonce in such a way as to lock the vault, but that abuses the protocol. And abusing a security protocol is generally considered bad security practice, which means Bitwarden would be criticized for bad security and fail security audits.

But, it might technically be possible.

but that abuses the protocol

If the industry standard Lastpass supports it I would venture that there are non-abuse ways.

The question is more how than whether it is useful.

What happens when you unlock the app using a pin code or fingerprint ? I believe the secrets were not encrypted using those, so whatever mechanism already in place that allows for not typing the entire password when unlocking the app, and just rely on an authentication mechanism could be extended to use a yubikey, no ?

Lastpass doesn’t protect the vault with U2F. The server will refuse to send the vault to you if you don’t have the U2F key. But once the vault is copied down to a local machine, anyone with access to that machine, can copy the vault and attack the vault directly and ignore U2F.

A pin can be like a short password. While it is possible for the application to simply do an “if pin is equal” check and grant access, the proper way to to encrypt the password with the pin.

Think of it like this. There are two primary forms of “encryption” used to authenticate people

1. Simply hash their password and see if the hash matches then grant them access if they have the correct password

2. End to end encryption where the data is completely encrypted by their password and without the password, even if you were granted access, you still can’t see the data

U2F is #1. It’s only used to grant access, but cannot be used to actually encrypt.

There are ways around this to some degree. One example is yubikey hmac authentication. It is generally used similar to TOTP, except instead of current time, a nonce(random value to be checked) is used. Buuuuttttt… Instead of using a nonce, Keypass actually mixes the password with the HMAC, which means that if you don’t have a yubikey with that HMAC secret, you won’t be opening that vault.

Wouldn’t this be possible to buffer against by keeping 2 encrypted versions? One by the password and one with te HMAC system?

Correct, but technically the vault is already encrypted by the password. The yubikey(HMAC) could be used to encrypt the hashed password locally, allowing you to unlock the vault by yubikey(HMAC) or your password.

The 2FA when 'Unlocking feature request implementation is great for when you are logging out of a device. However, this still does not implement 2FA when simply locking/unlocking the device, unless I am mistaken. It would be great if I could use biometrics+YubiKey to unlock BW on my Android.

As an example, back when I was using KeePassXC/KeePass2Android, KeePass2Android would store the master password and allow me to login via biometric. I then I could use ‘Password + Challenge-Response for KeePass XC’ as the master key type, which would prompt for my biometrics, and then asks for my YubiKey via NFC.

I’ve added a GIF’d example. I hope this makes sense. Thanks!

ezgif.com-video-to-gif300×634 1.36 MB

Coming back here to clarify something based on some thinking:

1. Most users do not fill in their password after every screen lock
2. Anything is better than nothing
3. The Yubikey would not need to encrypt passwords, just unlock the app
4. Unlocking the app should be reasonably easy to implement with a Yubikey

The workflow/config would be something like:

if( browser restarted ) prompt password
if( laptop locked || timeout ) require yubikey

Were the second does not actually encrypt anything, but does stop every day attack vectors (e.g someone grabbed my laptop).

This feature does not need to protect against an advanced threat actor, just to increase security in a convenient way.

Thanks for adding some additional information!

I think that if we did bring this functionality to the vault, we would need to make sure that it did actually control the encryption/decryption of the data (much like the PIN function) such that we don’t give users a false sense of security and have two different ‘locked’ states.