Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

Also joined exclusively to vote for this topic.

When talking about keyloggers, I don’t think people realise how easy it is to compromise a password. All it takes is someone at the next table in a cafe recording you typing with their phone, and your master password is toast.

I feel so uncomfortable unlocking my Bitwarden (after a timeout, not on initial login) with my master password or PIN every time. It feels like terrible security, when I have a device with me that requires physical touch and cannot be remotely exploited, whether across the web or from the next table.

For those who say they don’t want someone being able to access their Bitwarden by simply pressing their Yubikey … Why are you leaving your laptop unlocked?! If your laptop is unlocked and logged in when you’ve stepped away, you’ve got much bigger opsec problems than your Bitwarden extension.

@tgreer please start taking this request more seriously, it is a huge flaw in the current Bitwarden security model.

@actuallymentor my god, you have the patience of a saint, I salute you.

1 Like

Welcome to the crew @andromeda and @_Alan :wave:

@tgreer, what would it take for you to implement this? I’ll gladly get X signatures on a petition or something.

I’d like to re-point out that:

:one: we are asking for a cosmetic “unlock with yubikey” that protects against “my kid is using the laptop” and not “Wladimir is using jack the ripper on my vault”

:two: we are fine with this feature being hidden under 3 sub levels of “advanced settings” and “DANGER” popups

:three: if you are a perfectionist you can always implement Yubikey’s PIV (smartcard) functionality, but that is far beyond what we are asking here

Every attack surface counts, and as you can tell, many here know what the words “Opsec” and “Attack surface” mean; we’re not inexpert users just wanting sham security so we can feel good about ourselves.

2 Likes

I’ll happily throw in a US$10,000 bounty for this. It’s easily worth more than that for me to have my master password (or pin) compromised due to having to continually type it in on every unlock event.

To be clear on what I’m referring to, this would be to allow a Yubikey to perform the same functionality as the existing “Unlock with PIN” and “Unlock with biometrics” options.

2 Likes

@actuallymentor
In case of biometrics “unlock” (and not login), the decrypted key derived from your stretched master password is already stored in memory after you opt for biometrics, so that’s why you don’t have to type the password.
Also, biometrics is an integral part of your OS and not an external application.
So, as long as your OS is not compromised (including changes to the system partition), threats from outside would be minimal and largely depend upon the vulnerability of your OS.
In case your OS is compromised in terms of modifying the system, then there are no means of security that could save your master password/decryption key from leaking. OS compromise is like getting into the keylogger debate.
Also, as you mentioned, people leaving their device unattended or their device unlock PIN being visible to others is something that you need to analyse according to your personal threat model. If you think you have people around that may have reason to spy on you, then get a fingerprint reader for your PC as well, or a more secure way if that’s not enough. :sweat_smile:
Any attempt to store the master password on the main device storage or on an external device (even if encrypted) would pose a greater risk according to Bitwarden safety standards.
I am not a cybersec expert, but yeah, this is what I make of the situation. :smile:

Edit: how about using a Yubikey as a means to open your device, so indirectly it will open your Bitwarden vault too :thinking:. I guess Windows Hello allows you to unlock through Yubikeys.

@actuallymentor thanks for the note!

While there isn’t a specific threshold for implementation - the Bitwarden team does have to balance the needs of their commercial and individual clients. That said, I can totally understand how useful and convenient this would be for those who want an option aside from PIN/Biometrics.

@dwbit is running point on community feedback these days so I wanted to make sure he saw these replies as well.

2 Likes

I’m a commercial client with 100 seats, and I emailed to request this feature on May 15, 2020, and had a conversation with Clayton regarding it. I also request this feature personally.

3 Likes

Hi @_Alan, after checking in with the devs, it’s not something we’re actively exploring at this point in time. There’s a bit more about the functionality here, along with the following:

“The WG’s consensus is that the Web Authentication WG’s charter and specification is focused on user authentication for websites and that we are respectfully declining this invitation to expand the WG’s scope to include providing “support for general (hardware backed) cryptographic signatures and key exchange”.”

Update
We are closely following industry standards for options to use FIDO2. Right now the primary use cases are for authentication as a 2nd factor, but we are keeping our eyes on all options for the future.

1 Like

@dwbit I genuinely feel like we’re talking about different things here.

Let me try asking the question a different way:

Are you saying that Bitwarden prefers that to unlock a locked Chrome extension, you need something that is easy to exploit (a fixed unchanging piece of textual data (PIN or master password)), vs something that is hard to exploit (a physical device that is with the user in their pocket, attached to their keyring)?

Before you say it’s not easy to obtain a pin or password, please refer to my previous comment that all it requires is someone to video your keystrokes typing in your password from the next table in a cafe. And every single unlock event is a repeated exposure of that master password or pin.

Even worse is that once the pin or password is obtained, it can be re-used as much as you like without the victim’s knowledge. With a Yubikey, if you were to obtain the text string, it’s useless. If you were to obtain the physical device, the victim would be aware.

Can you please confirm that Bitwarden understands the issue we’re talking about here is the highly compromisable nature of a fixed unchanging textual piece of data, vs an unforgeable hardware key?

3 Likes

Hi @_Alan, thanks for providing more context. We’re on the same page and I can see how this could be useful for interested users and we are constantly looking at the landscape and seeing what industry standard options are out there.

Releasing new features is a balance between distributing internal resources and serving individuals and families, teams and enterprise and MSPs. Bitwarden is also built in part by the open source community, so anyone is able to suggest code implementations, so if this is something you really want to explore through a code contribution, you can use the Github Contributor’s portion of the forums to continue the conversation.

If I write a Pull Request for an “unlock with Yubikey” function (not encryption, just unlocking), will you accept it?

2 Likes

Hi @actuallymentor, the best place to start is the About the GitHub Contributions category

Rules for creating a topic:

  • Define the feature you’d like to contribute
  • Be specific and include the scope of your feature and functionality to the fullest extent possible.
  • Detail any repositories that will be affected by those changes; remembering that new or updated dependencies must be kept consistent across impacted repositories

Once you’ve created your topic, tag a moderator - use @dwbit and @kspearrin to make sure we get notified.

The Bitwarden team will chime in and give you the feedback necessary to get you started in the right direction.

Once this additional detail is provided, the product and engineering team can have a closer look. Please keep in mind, suggesting a contribution does not guarantee implementation and as documented in the about section, is a collaborative review process to ensure consensus between all parties.

For anyone interested, user @stevel just posted a clever way to use a Yubikey as both a 2FA device for authentication as well as a secure way to unlock your vault. See his idea in the linked thread below (makes me think I need to ditch my FIDO2 keys and get a Yubikey 5 now…).

2 Likes

We have been asking for this for years. This is the future. I want the security of a long master-password + not leaving my vault unlocked all day. A PIN to unlock accomplishes nothing other than false safety, Yubi/2FA only for unlock is the way to go.

Start the day, log in with master password + 2FA, auto-lock vault in 5 minutes, log off in x hours or on browser close.
Unlock by pressing the Yubi.

Done, protected against remote attacks while still using a long master-password.

The company is allowing users to unlock their vault using the LastPass Authenticator app (in case you don’t already have enough Authenticator apps installed). The app will allow users to unlock their vault using a random code through the app, skipping the need to enter a password.

LastPass plans to also allow for other authentication options that also make use of FIDO2 compliance. This means that, eventually, you’ll be able to use your fingerprint as well as specific security keys like the YubiKey products.

Hopefully, some of the other options, like Dashlane, follow suit with their own password-less logins to eliminate master passwords altogether.

1 Like

I feel you. And honestly I really don’t understand the Bitwarden team…

Maybe my impression is wrong, but many Bitwarden users seem to be tech enthusiasts & professionals who like the open source ethos.

Keeping that group happy seems like a core priority.

I switched from Lastpass to Bitwarden years ago for that reason, and honestly keep considering switching back after every new reply on this forum topic.

Making noise here. @Tiago_R hit the nail on the head IMO.

Start the day, log in with master password + 2FA, auto-lock vault in 5 minutes, log off in x hours or on browser close.
Unlock by pressing the Yubi.

Without this feature, on average the length of people’s auto-lock is going to be proportional to the length of their password, which is far worse than the worst-case scenarios people have outlined.

As has been noted many other times in this thread, it’s an option provided by major competitors and one that your userbase actively wants.

As far as dev time, obviously “simple little” feature requests have a whole lot more to them than it appears on the surface, but at the same time this isn’t a new feature on the level of implementing YubiKey for the first time. It’s allowing an existing feature (YubiKey auth) to stand in for another feature (PIN).

1 Like

+1 to this, but a similar idea would be to have the browser extension require a PIN from the open vault on a mobile phone. I have biometrics on my phone, and can open the vault easily with that. I then keep the master password inside my vault, which is probably not best practice, but I need it for the Bitwarden browser extension. If I could receive an OTP, or a yes/no challenge on my phone, perhaps inside my Bitwarden app, then this would save me having to enter the master password, which is a long one, of course.

+1 to this. The entire reason I have a Yubikey is to make good security easier, but I’m still forced to type in my password or a PIN to unlock my vault? I don’t understand how this makes any sense. And I agree that Tiago described how I’d like to be using Bitwarden perfectly. I’m also thinking about switching if this feature isn’t implemented, because I want to switch everything over to Yubikey-based auth.

Thanks for the feedback everyone! I can see how useful this would be, and I do love my hardware keys. I’ve passed this info on to the team :+1:

1 Like

As a citizen of a country where devices are often seized or compromised by corrupt law enforcement, the ability to unlock with a hardware key would be a godsend in terms of convenience. Being able to unlock my vault quickly with a key would make life so much easier than having to type a hellishly long password every minute, while still giving me peace of mind.