Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

I would like to be able to “lock” my vault but require a FIDO2 authentication in order to unlock it.

This would allow everyone to require a hardware key to access their password data (far more secure) but also lock it to preserve offline access when needed.

No. These provide increased convenience WHILE undermining your security.

This is quite simple to explain.

Lets say your computer has been compromised and someone has RDP access to it and sets a keylogger. IMO, the most common type of attack.

You go on with your day, type your master + yubikey, the vault is decrypted and unlocked.

You step away for a few minutes, the attacker now has full access to your vault.

If you set it up to unlock it with a PIN, the attacker just needs to wait for you to type it, then he’ll know that too.

The ONLY safe option is to set bitwarden lock your vault with each use, and require an unlock method that includes a physical device, either just Yubikey or Yubikey+PIN.

**Right now, the only alternative to this is to require login/decryption with each use, master + yubikey.

That’s the best option available right now, but makes people use weaker/smaller masterpasswords so they can remember them and type them quickly.**

I’m having a hard time understanding how using a Yubikey for unlocking (not decrypting!) is a weaker option than using a PIN.

Anyway, PIN + Yubi for unlock would be the way to go. Pair that with always locking the vault with each use and an RDP attacker would never get access.

2 Likes

I don’t think any password manager can operate securely on an insecure, i.e. compromised, device. However, I agree that a PIN or biometrics can only be less secure than using a strong master password.

The point I was trying to make was that using these options keeps the master key beyond the reach of an attacker. In the case of unlock with PIN, the master key is encrypted with the PIN. I assume that unlock with biometrics uses the secure enclave to achieve the same result, but I can’t find a reference to it in the white paper.

U2F/FIDO2 don’t provide any means for the YubiKey to be involved in the encryption. So they will only ever provide a means of authentication and authentication can always be bypassed. For example, the attacker doesn’t need to use the BitWarden app on your device, he can decrypt the database on his own device with his own software. So any authentication steps added to the BitWarden app will inconvenience the legitimate user without presenting any obstacle to an attacker.

2 Likes

Hi there,

This is inaccurate I think?
Passwordless covers MANY use cases from local apps, SSO, Linux/UNIX and what.not.
Whereas webauthn (the actual standard) only does web apps.
And FIDO2 is a certain lobby/alliance led application of that standard with the equivalent of a cisco backdoor by way of a certificate server that can turn any admin into an insider threat, whether they seat at the vendor or the client.

Right, is this making sense?

Why does it take so long to implement this feature?

@Maurits we’re balancing quite a few requests from the community and business customers (there are 1800+ requests here alone) - so it does take a little time. To see more of what we’re working on, our roadmap and release notes will give some insight.

1 Like

adding my support for any additional Yubikey features.

1 Like

+1 on this, I bought a premium subscription expecting this feature and apparently it is being DEMANDED but ignored ???

Well, I will ask for a refund and go to LASTPASS who has this feature. SO SAD…I like bitwarden, lastpass are greedy incompetent that cost 4 times the price of your software and are worse…:frowning:

3 Likes

@tgreer I’m a dev and understand the pain of development, but I would like to point out that this issue and the preceding #353 have a combined vote count of 350, making it the 6th highest voted issue.

What would be needed to convince you to put this on the official roadmap?

1 Like

Hi @actuallymentor this is on our radar, but of course, we have to balance lots of different requests and needs.

Our public roadmap is really a method to show the “headline” features and themes for where we are going, not a full detailed listing of things we will or won’t do. We’re a member of the FIDO Alliance and absolutely support the security and convenience benefits of hardware keys today and going forward.

1 Like

I am adding my support for better support of Yubikey. I am having difficulties logging in from Firefox and IOS. Clearly reading this thread is causing lots of people a lot of friction and its not so much hard work to get it on the roadmap.

We are almost in 2022 and using a yubikey is nothing esoteric.

2 Likes

+1
I have browsed over the comments on this forum and support the addition of this (or something similar) of a feature.

I am rolling out Bitwarden as a security process upgrade across my family, and want to make it easy to adopt. The master password must be long to be secure, and ideally it should be exposed as little as possible. My ideal solution would be master password + security key to login a new device, then pin + security key to unlock whenever necessary.

1 Like

+1
I have browsed over the comments on this forum and support the addition of this (or something similar) of a feature.

I am rolling out Bitwarden as a security process upgrade across my family, and want to make it easy to adopt. The master password must be long to be secure, and ideally it should be exposed as little as possible. My ideal solution would be master password + security key to login a new device, then pin + security key to unlock whenever necessary.

Exactly my opinion… same situation here. Make sure to vote this topic up at the very first post on the top left of this topic.

I am currently considering to get usb fingerprint sensors and configure them with windows hello als alternative. As far as I know it should then be possible to set the vault to be logged out automatically after a certain period and then you can turn on to have a biometrics login instead of master password and additionally the security key on login. I think this is a very secure alternative. The only problem I see is: What if family members bypass the settings on their computer… if they change it and disable the “log out” feature the security key will be not necessary…

Anyway: Buying usb finger print sensors is definitly a good and convenient deal because you can also use them for log in to windows etc. Unfortunately Microsoft does not natively support a setting, which makes the windows login forced to fingerprint plus security key without any sms & mail and pin recovery (to buypass the security key). Because this would be also very secure in combination with a full encrypted drive. Nobody would be able to get access to your notebook - even if you might still be logged into bitwarden in some session.

To achieve safety “also for family members, who have no clue about IT and are easy victims” is really really not easy. I think it starts with not giving them accounts with admin rights on windows. And security key is the next step.

I fully support this request!
I consider (optional) passwordless (FIDO2/Smartcard + PIN) login & decrypt both more secure and convenient.
Obvious attack vector now is: If somebody logs / scouts my masterkey (no matter how long & complex it might be), he could decrypt offline vault copys on my computer/phone.

No idea if FIDO2 (+PIN) would be feasible to login AND encrypt/decrypt. But Smartcard (+PIN) should and it is available on Security Keys (YubiKey, NitroKey, …) and Windows (Windows Hello).

Bitwarden offers the option to request the master password when opening defined entries. I’d like to request the feature to request the security key (Yubikey, FIDO2, …) instead of the master password when opening the defined entries.
Thank you very much in advance for considering my request.

1 Like

I created an account to vote this up.

I mean, you could even have it default to requiring both Yubikey and password at every unlock, as long as it’s a togglable option. My thinking is that if someone wants to get into my account that badly there’s nothing keeping them from pointing a gun at my head and demaning my passphrase anyway. Does that seem reasonable?

Also, wish more forums would have this “2 months later” or “10 days later” between posts. Exceptionally good idea. (Edit: is this just a default Discourse feature?)

Welcome to the crew of patient users, or at least I hope you’re patient. I also really hope that the devs see how much of a wanted feature this is:

But they are understandably busy, though I obviously differ on how I’d prioritise given the user action in here over the past 2 years.

I joined the forums exclusively to support this. I thought this was already a feature when I signed up for Premium, tbh, and it was the entire reason I did so. Having an option to verify (PÎN + key) unlocks seems like a basic convenience feature, especially for devices without biometric options like desktop computers.

+1 for this feature, I would love the simplicity of the Windows Hello unlock to also be available on my desktop through a Yubikey

A post was split to a new topic: Unlock with PIN