Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

What happens when you unlock the app using a pin code or fingerprint? I believe the secrets were not encrypted using those, so whatever mechanism is already in place that allows for not typing the entire password when unlocking the app, and just relies on an authentication mechanism, could be extended to use a yubikey, no?

6 Likes

Lastpass doesn’t protect the vault with U2F. The server will refuse to send the vault to you if you don’t have the U2F key. But once the vault is copied down to a local machine, anyone with access to that machine, can copy the vault and attack the vault directly and ignore U2F.

A pin can be like a short password. While it is possible for the application to simply do an “if pin is equal” check and grant access, the proper way is to encrypt the password with the pin.

Think of it like this. There are two primary forms of “encryption” used to authenticate people:

  1. Simply hash their password and see if the hash matches then grant them access if they have the correct password

  2. End to end encryption where the data is completely encrypted by their password and without the password, even if you were granted access, you still can’t see the data

U2F is #1. It’s only used to grant access, but cannot be used to actually encrypt.

There are ways around this to some degree. One example is yubikey hmac authentication. It is generally used similar to TOTP, except instead of the current time, a nonce (random value to be checked) is used. Buuuuttttt… Instead of using a nonce, KeePass actually mixes the password with the HMAC, which means that if you don’t have a yubikey with that HMAC secret, you won’t be opening that vault.

1 Like

Wouldn’t this be possible to buffer against by keeping 2 encrypted versions? One by the password and one with the HMAC system?

Correct, but technically the vault is already encrypted by the password. The yubikey (HMAC) could be used to encrypt the hashed password locally, allowing you to unlock the vault by yubikey (HMAC) or your password.
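The two designs the thread contrasts, as an added example that is not Bitwarden's or KeePass's code: a token that only gates access to a key cached on disk, versus a KeePass-style composite key where the HMAC challenge-response feeds the KDF. The YubiKey HMAC-SHA1 slot is simulated in software; the key check label and all secrets are constructed for the example.

```python
import hashlib
import hmac
import os

KEY_CHECK_LABEL = b"vault-key-check"  # constructed label for the stored key check value


def yubikey_hmac_sha1(device_secret: bytes, challenge: bytes) -> bytes:
    # Models the YubiKey HMAC-SHA1 challenge-response slot: the 20-byte secret
    # stays on the device, only the response leaves it.
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()


def key_check(vault_key: bytes) -> bytes:
    # Stored next to the vault so a wrong key is rejected before decryption.
    return hmac.new(vault_key, KEY_CHECK_LABEL, hashlib.sha256).digest()


# --- Design "#1" from the thread: the token only gates access ---------------
def setup_gate_only(password: str, device_secret: bytes) -> dict:
    salt, challenge = os.urandom(16), os.urandom(32)
    vault_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"vault_key": vault_key,  # cached so the user can unlock without the password
            "challenge": challenge,
            "expected": yubikey_hmac_sha1(device_secret, challenge)}


def unlock_gate_only(state: dict, device_secret: bytes):
    # The token check is real, but the key it "protects" is already on disk.
    response = yubikey_hmac_sha1(device_secret, state["challenge"])
    return state["vault_key"] if hmac.compare_digest(response, state["expected"]) else None


def offline_copy_gate_only(state: dict) -> bytes:
    # Whoever copies the local state never has to touch the token.
    return state["vault_key"]


# --- Design "#2", loosely after KeePass(XC) challenge-response --------------
def derive_vault_key(password: str, response: bytes, salt: bytes) -> bytes:
    # Composite key: both the password hash and the device response feed the KDF,
    # so nothing on disk yields the key without the right device secret.
    composite = hashlib.sha256(password.encode()).digest() + hashlib.sha256(response).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, 100_000)


def setup_composite(password: str, device_secret: bytes) -> dict:
    salt, challenge = os.urandom(16), os.urandom(32)
    key = derive_vault_key(password, yubikey_hmac_sha1(device_secret, challenge), salt)
    return {"salt": salt, "challenge": challenge, "check": key_check(key)}  # no key stored


def unlock_composite(state: dict, password: str, device_secret: bytes):
    response = yubikey_hmac_sha1(device_secret, state["challenge"])
    key = derive_vault_key(password, response, state["salt"])
    return key if hmac.compare_digest(key_check(key), state["check"]) else None
```

`offline_copy_gate_only` is the attack the thread describes against LastPass-style U2F gating; in the composite design the same disk copy yields only a salt, a challenge and a check value.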

The ‘2FA when Unlocking’ feature request implementation is great for when you are logging out of a device. However, this still does not implement 2FA when simply locking/unlocking the device, unless I am mistaken. It would be great if I could use biometrics+YubiKey to unlock BW on my Android.

As an example, back when I was using KeePassXC/KeePass2Android, KeePass2Android would store the master password and allow me to login via biometric. Then I could use ‘Password + Challenge-Response for KeePass XC’ as the master key type, which would prompt for my biometrics, and then ask for my YubiKey via NFC.

I’ve added a GIF’d example. I hope this makes sense. Thanks!

4 Likes

Coming back here to clarify something based on some thinking:

  1. Most users do not fill in their password after every screen lock
  2. Anything is better than nothing
  3. The Yubikey would not need to encrypt passwords, just unlock the app
  4. Unlocking the app should be reasonably easy to implement with a Yubikey

The workflow/config would be something like:

if( browser restarted ) prompt password
if( laptop locked || timeout ) require yubikey

Where the second does not actually encrypt anything, but does stop everyday attack vectors (e.g. someone grabbed my laptop).

This feature does not need to protect against an advanced threat actor, just to increase security in a convenient way.

5 Likes

Thanks for adding some additional information!

I think that if we did bring this functionality to the vault, we would need to make sure that it did actually control the encryption/decryption of the data (much like the PIN function) such that we don’t give users a false sense of security and have two different ‘locked’ states.

4 Likes

As I understand it, it’s comparable to the already available unlock by fingerprint in the android app for the web interface.
That’s a feature I’m also looking forward to.

I’m a Premium user and would like this option as well.

The Android app can be unlocked using biometrics without retyping the password. I would like something similar with the Chrome plug-in. I have a FIDO key that I keep on my person.

For reference, my old password manager MYKI has similar functionality (i.e., unlocking with a MFA device). When unlocking MYKI in my browser, a push notification is sent to my Android phone through the installed MYKI app. I authenticate that notification with my fingerprint. Then MYKI is unlocked in my browser extension.

Other Enterprise and SSO solutions, such as Duo, have something similar.

A touch unlocks the vault on my phone. It should also unlock the vault in my browser.

4 Likes

This would be a GREAT feature. Just as the user can unlock the vault on a phone using fingerprint scan and without typing the password, the user should be able to unlock using Yubikey + PIN (without master password).

On Android the master password is stored in the Android keystore. Not sure if similar storage is available in browsers on desktop to store the master pw.

5 Likes

Another vote for the PIN + Yubikey unlock mode from a premium user. My master password is long and a pain to enter on the mobile, so I usually default to entering a pin. In many cases, filming/stealing/guessing PIN + stealing device is much easier than stealing a secured Yubikey. Ability to add Yubikey to the PIN unlock would increase security of the PIN unlock while retaining usability; users like me would love this feature.

4 Likes

I would also love this feature!

I am using fingerprint on mobile devices to unlock, but for the browser extension there is no comparable option to unlock.

My FIDO2 key includes a fingerprint sensor, so only I can use it. Using it to unlock would be as secure as unlocking the mobile app with the fingerprint functionality.

3 Likes

It would be generally cool if bitwarden supported FIDO2 passwordless authentication. I actually expected this when I signed in for a premium account. My use case was to use a password manager with FIDO2 to get passwordless authentication on all web sites which do not support FIDO2 yet. I carry my USB key at my key ring and have of course a spare one at a secure location.

PS.: The option for “on premise” installations was for me the precondition for using a password manager at all. You should keep this feature.

1 Like

I purchased premium because I thought this feature would be there. I am a bit disappointed. Even when I set the option to logout after X minutes the vault only asks for my password and not the Yubikey.
Besides that, I also want to see an option for quick unlock & master password + yubikey unlock, i.e. at phone or computer restart. Why are we using a yubikey when we only need it once at login and then virtually nowhere else? That’s not secure enough for me.

7 Likes

Would love to see this feature implemented. I find it awfully inconvenient to retype my master password every time, but I don’t want to leave my vault completely unlocked…

3 Likes

+1 IMO it’s a transition step for novice users to start working with a password manager in general.

1 Like

+1
KeePassXC (OTP/Challenge-Response) and Pass (GPG) offer to use a Smart Card / Yubikey as second factor.
It would be convenient and more secure to be able to use this as a second or first (e.g. after first unlock) factor to unlock.
If this were also implemented in the mobile applications it would make them even more secure (require an NFC key in some cases).

Yubikey (U2F/FIDO2) has no method to encrypt anything. It can only be used for authorization. Using a yubikey locally adds no real security. Using a pin adds infinitely more security than the yubikey does when used locally. The pin can be used to encrypt the secret, the yubikey cannot. Since using the yubikey means your secret is unencrypted, someone could go through the hassle of locating and copying the unencrypted secret.

It could be possible for the secret to be stored remotely, which would add security. An example of one such way:

Locking

  1. Enable lock with yubikey
  2. Local instance generates a random secret to encrypt the master secret
  3. Local device uploads the encrypted master secret to Bitwarden

Unlocking

  1. Request unlock
  2. Yubikey auth back to Bitwarden is started
  3. If auth passes, Bitwarden sends back the encrypted master secret
  4. Local device uses local secret to decrypt master secret
  5. Bob’s your uncle

This does potentially add a lot of latency as it requires many round-trips with Bitwarden’s servers. Though, because this is a very small amount of per-session encrypted, fixed-size data plus all yubikeys associated with the account, Bitwarden could have this service independent of the vault datastore and have edge cloud servers around the world to reduce latency, especially since this would be a read-heavy feature.

1 Like
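The locking and unlocking flow proposed in the post above, modelled as an added example that is one forum user's design and not Bitwarden's implementation. The server side, the account name and the FIDO assertion check (an HMAC over the server's challenge standing in for a real FIDO2 signature) are constructed stand-ins; the local "encryption" is a one-time XOR pad, which is sound here only because the pad is fresh random bytes used for exactly one lock/unlock cycle.

```python
import hashlib
import hmac
import os

MASTER_SECRET_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class BitwardenServerStub:
    # Constructed stand-in for the server: it holds the registered token
    # credential and the uploaded blob, never the plaintext master secret.
    def __init__(self, token_credential: bytes):
        self.token_credential = token_credential
        self.blobs = {}
        self.pending_challenge = None

    def store_blob(self, account: str, blob: bytes) -> None:
        self.blobs[account] = blob  # Locking step 3

    def unlock_challenge(self) -> bytes:
        self.pending_challenge = os.urandom(32)  # Unlocking steps 1-2
        return self.pending_challenge

    def fetch_blob(self, account: str, assertion: bytes):
        # Unlocking step 3: only a valid token assertion releases the blob.
        if self.pending_challenge is None:
            return None
        expected = hmac.new(self.token_credential, self.pending_challenge, hashlib.sha256).digest()
        self.pending_challenge = None
        return self.blobs.get(account) if hmac.compare_digest(expected, assertion) else None


class LocalClient:
    def __init__(self, account: str, master_secret: bytes, server: BitwardenServerStub):
        self.account, self.server = account, server
        self.master_secret = master_secret  # in memory only while unlocked
        self.local_secret = None            # the only thing left on disk when locked

    def lock(self) -> None:
        # Locking steps 2-3: fresh random pad, upload master XOR pad, forget master.
        self.local_secret = os.urandom(MASTER_SECRET_LEN)
        self.server.store_blob(self.account, xor_bytes(self.master_secret, self.local_secret))
        self.master_secret = None

    def unlock(self, token_credential: bytes) -> bool:
        # Unlocking steps 1-4: authenticate with the token, fetch blob, decrypt locally.
        assertion = hmac.new(token_credential, self.server.unlock_challenge(), hashlib.sha256).digest()
        blob = self.server.fetch_blob(self.account, assertion)
        if blob is None:
            return False
        self.master_secret, self.local_secret = xor_bytes(blob, self.local_secret), None
        return True
```

While locked, a copy of the local device yields only `local_secret` and a copy of the server only the blob; each alone is uniformly random, which is the property the post is relying on, and the cost is the round-trip the post discusses.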

Yubikey(U2F/FIDO2) has no method to encrypt anything. It can only be used for authorization. Using a yubikey locally adds no real security.

Ben, I think you are missing the point of the user feedback.

Yubikey unlock adds no crypto security, but it adds operational security. It is not a replacement for the password, but an addition.

If I may quote my past self:

Coming back here to clarify something based on some thinking:

  1. Most users do not fill in their password after every screen lock
  2. Anything is better than nothing
  3. The Yubikey would not need to encrypt passwords, just unlock the app
  4. Unlocking the app should be reasonably easy to implement with a Yubikey

The workflow/config would be something like:

if( browser restarted ) prompt password
if( laptop locked || timeout ) require yubikey

Where the second does not actually encrypt anything, but does stop everyday attack vectors (e.g. someone grabbed my laptop).

This feature does not need to protect against an advanced threat actor, just to increase security in a convenient way.

5 Likes