Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

I’m a commercial client with 100 seats, and I emailed to request this feature on May 15, 2020, and had a conversation with Clayton regarding it. I also request this feature personally.

3 Likes

Hi @_Alan, after checking in with the devs, it’s not something we’re actively exploring at this point in time. There’s a bit more about the functionality here, along with the following:

“The WG’s consensus is that the Web Authentication WG’s charter and specification is focused on user authentication for websites and that we are respectfully declining this invitation to expand the WG’s scope to include providing “support for general (hardware backed) cryptographic signatures and key exchange”.”

Update
We are closely following industry standards for options to use FIDO2. Right now the primary use cases are for authentication as a 2nd factor, but we are keeping our eyes on all options for the future.

1 Like

@dwbit I genuinely feel like we’re talking about different things here.

Let me try asking the question a different way:

Are you saying that Bitwarden prefers that to unlock a locked Chrome extension, you need something that is easy to exploit (a fixed unchanging piece of textual data (pin or master password)), vs something that is hard to exploit (a physical device that is with the user in their pocket attached to their keyring).

Before you say it’s not easy to obtain a pin or password, please refer to my previous comment that all it requires is someone to video your keystrokes typing in your password from the next table in a cafe. And every single unlock event is a repeated exposure of that master password or pin.

Even worse is that once the pin or password is obtained, it can be re-used as much as you like without the victim’s knowledge. With a Yubikey, if you were to obtain the text string, it’s useless. If you were to obtain the physical device, the victim would be aware.

Can you please confirm that Bitwarden understands the issue we’re talking about here is the highly compromisable nature of a fixed unchanging textual piece of data, vs an unforgeable hardware key?

3 Likes

Hi @_Alan, thanks for providing more context. We’re on the same page and I can see how this could be useful for interested users and we are constantly looking at the landscape and seeing what industry standard options are out there.

Releasing new features is a balance between distributing internal resources and serving individuals and families, teams and enterprise and MSPs. Bitwarden is also built in part by the open source community, so anyone is able to suggest code implementations, so if this is something you really want to explore through a code contribution, you can use the Github Contributor’s portion of the forums to continue the conversation.

If I write a Pull Request for a “unlock with Yubikey” function (not encryption, just unlocking) will you accept it?

2 Likes

Hi @actuallymentor, the best place to start is the About the GitHub Contributions category

Rules for creating a topic:

  • Define the feature you’d like to contribute
  • Be specific and include the scope of your feature and functionality to the fullest extent possible.
  • Detail any repositories that will be affected by those changes; remembering that new or updated dependencies must be kept consistent across impacted repositories

Once you’ve created your topic, tag a moderator - use @dwbit and @kspearrin to make sure we get notified.

The Bitwarden team will chime in and give you the feedback necessary to get you started in the right direction.

Once this additional detail is provided, the product and engineering team can have a closer look. Please keep in mind, suggesting a contribution does not guarantee implementation and as documented in the about section, is a collaborative review process to ensure consensus between all parties.

For anyone interested, user @stevel just posted a clever way to use a Yubikey as both a 2FA device for authentication as well as a secure way to unlock your vault. See his idea in the linked thread below (makes me think I need to ditch my FIDO2 keys and get a Yubikey 5 now…).

2 Likes

We have been asking for this for years. This is the future. I want the security of a long master-password + not leaving my vault unlocked all day. A PIN to unlock accomplishes nothing other than false safety, Yubi/2FA only for unlock is the way to go.

Start the day, log-in with masterpassword + 2FA, auto-lock vault in 5 minutes, log-off in x hours or browser close.
Unlock by pressing the Yubi.

Done, protected against remote attacks while still using a long master-password.

The company is allowing users to unlock their vault using the LastPass Authenticator app (in case you don’t already have enough Authenticator apps installed). The app will allow users to unlock their vault using a random code through the app, skipping the need of having to enter a password.

LastPass plans to also allow for other authentication options that also make use of FIDO2 compliance. This means that, eventually, you’ll be able to use your fingerprint as well as specific security keys like the YubiKey products

Hopefully, some of the other options, like Dashlane, follow suit with their own password-less logins to eliminate master passwords altogether.

1 Like

I feel you. And honestly I really don’t understand the Bitwarden team…

Maybe my impression is wrong, but many Bitwarden users seem to be tech enthusiasts & professionals who like the open source ethos.

Keeping that group happy seems like a core priority.

I switched from Lastpass to Bitwarden years ago for that reason, and honestly keep considering switching back after every new reply on this forum topic.

Making noise here. @Tiago_R hit the nail on the head IMO.

Start the day, log-in with masterpassword + 2FA, auto-lock vault in 5 minutes, log-off in x hours or browser close.
Unlock by pressing the Yubi.

Without this feature, on average the length of people’s auto-lock is going to be proportional to the length of their password, which is far worse than the worst-case scenarios people have outlined.

As has been noted many other times in this thread, it’s an option provided by major competitors and one that your userbase actively wants.

As far as dev time, obviously “simple little” feature requests have a whole lot more to them than it appears on the surface, but at the same time this isn’t a new feature on the level of implementing YubiKey for the first time. It’s allowing an existing feature (YubiKey auth) to stand in for another feature (PIN).

1 Like

+1 to this, but a similar idea would be to have the browser extension require a pin from the open vault on a mobile phone. I have biometrics on my phone, and can open the vault easily with that. I then keep the master password inside my vault, which is probably not best practice, but I need it for the bitwarden browser extension. If I could receive a otp, or a yes/no challenge on my phone, perhaps inside my bitwarden app, then this would save me having to enter the master password, which is a long one, of course.

+1 to this, the entire reason I have a Yubikey is to make good security easier, but i’m still forced to type in my password or a PIN to unlock my vault? I don’t understand how this makes any sense. And I agree that Tiago described how i’d like to be using Bitwarden perfectly. I’m also thinking about switching if this feature isn’t implemented as well, because I want to switch everything over to Yubikey based auth.

Thanks for the feedback everyone! I’ve passed this info on to the team :+1:

1 Like

as a citizen of a country where devices are often seized or compromised by corrupt law enforcement, the ability to unlock with a hardware key would be a godsend in terms of convenience. being able to unlock my vault quickly with a key would make life so much easier than having to type a hellishly long password every minute, while still giving me peace of mind.

I’ve been following this thread for a while and also +1

I’ve just moved from LastPass to Bitwarden and I’m certain this issue will cause me pain to the point that in 12 months I’ll move to another service again.

Wish I’d known prior to moving that when the vault locks you MUST re-enter your master password. Really annoying when I have a highly secure 2FA hardware device sitting right here that I can’t use…

Thanks for the feedback @Majoof, the team is making progress in this space including adding passwordless login options to the 2022 roadmap.

No, you are not forced to re-enter your master password to unlock your vault. You can also use a PIN instead or biometrics if your device supports it. And if your security device happens to be a Yubikey 5, you can store a really long PIN as a static password for a very secure unlock method.

I guess my issue is a PIN is almost always less secure than a password, and to get biometrics on a desktop is another level of painful.

Using a static password with a yubikey might be a good approach until this feature is implemented, thanks for the suggestion!

1 Like

+1 I would really love to be able to use a Yubikey Bio to unlock my vault, instead of using a weak PIN code (because it needs to be easy to unlock).