Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

As I understand it’s comparable to the already available unlock by fingerprint in the android app for the web interface.
That’s a feature I’m also looking forward too.

I’m a Premium user and would like this option as well.

The Android app can be unlocked using biometrics without retyping the password. I would like something similar with the Chrome plug-in. I have a FIDO key that I keep on my person.

For reference, my old password manager MYKI has similar functionality (i.e., unlocking with a MFA device). When unlocking MYKI in my browser, a push notification is sent to my Android phone through the installed MYKI app. I authenticate that notification with my fingerprint. Then MYKI is unlocked in my browser extension.

Other Enterprise and SSO solutions, such as Duo, have something similar.

A touch unlocks the vault on my phone. It should also unlock the vault in my browser.

4 Likes

This would be a GREAT feature. Just as the user can unlock the vault on a phone using fingerprint scan and without typing the password, the user should be able to unlock using Yubikey + PIN (without master password).

On Android the master password is stored on Android keystore. Not sure if similar storage is available on browsers on desktop to store the master pw.

5 Likes

Another vote for the PIN + Yubikey unlock mode from a premium user. My master password is long and a pain to enter on the mobile, so I usually default to entering a pin. In many cases, filming/stealing/guessing PIN + stealing device is much easier than stealing a secured Yubikey. Ability to add Yubikey to the PIN unlock would increase security of the PIN unlock while retaining usability; users like me would love this feature.

5 Likes

I would also love this feature!

I am using fingerprint on mobile devices to unlock, but for the browser extension there is no comparable option to unlock.

My FIDO2 key includes a fingerprint sensor, so only I can use it. Using it to unlock would be as secure as unlocking the mobile app with the fingerprint functionality.

3 Likes

It would be generally cool if bitwarden supported FIDO2 passwordless authentication. I actually expected this when I signed in for a premium account. My use case was to use a password manager with FIDO2 to get passwordless authentication on all web sites which do not support FIDO2 yet. I carry my USB key at my key ring and have of course a spare one at a secure location.

PS.: The option for “on premise” installations was for me the precondition for using a password manager at all. You should keep this feature.

1 Like

I purchased premium because I thought this feature will be there. I am a bit disappointed. Even when I set the option to logout after X minutes the vault only asks for my password and not the Yubikey.
Besides that, I also want to see an option to quick unlock & masterpassword+yubikey unlock i.e. at phone or computer restart. Why are we using a yubikey when we only need it once at login and then virtually no more else. That’s not secure enough for me.

8 Likes

Would love to see this feature implemented. I find it awfully inconvenient to retype my master password every time, but I don’t want to leave my vault completely unlocked…

3 Likes

+1 IMO it’s a transistion step for novice users to start working with a password manager in general.

1 Like

+1
KeepassXC (OTP/Challenge-Response) and Pass (GPG) offer to use a Smart Card / Yubikey as second factor.
Would be convenient and more secure to be able to use this as a second or first (e.g. after first unlock) factor to unlock.
If this would also be implemented into the mobile applications it would even make them more secure (require a NFC Key in some cases).

Yubikey(U2F/FIDO2) has no method to encrypt anything. It can only be used for authorization. Using a yubikey locally adds no real security. Using a pin adds infinitely more security that the yubikey does when used locally. The pin can be used to encrypt the secret, the yubikey cannot. Since using the yubikey means your secret is unencrypted, someone could go through the hassle of locating and copying the unencrypted secret.

It could be possible for the secret to be stored remotely, which would add security. An example of one such way

Locking

  1. Enable lock with yubikey
  2. Local instance generates a random secret to encrypt the master secret
  3. Local device uploads the encrypted master secret to Bitwarden

Unlocking

  1. Request unlock
  2. Yubikey auth back to Bitwarden is started
  3. If auth passes, Bitwarden sends back the encrypted master secret
  4. Local device uses local secret to decrypt master secret
  5. Bobs your uncle

This does potentially add a lot of latency as it requires many round-trips with Bitwarden’s servers. Though, because of the nature of this being a very small amount of data of a per-session encrypted fixed size data plus all yubikeys associated with the account, Bitwarden could have this service independent of the vault datastore and have edge cloud servers around the world to reduce latency, especially since this would be a read heavy feature.

1 Like

Yubikey(U2F/FIDO2) has no method to encrypt anything. It can only be used for authorization. Using a yubikey locally adds no real security.

Ben, I think you are missing the point of the user feedback.

Yubikey unlock adds no crypto security, but it adds operational security. It is not a replacement for the password, but an addition.

If I may quote my past self:

Coming back here to clarify something based on some thinking:

  1. Most users do not fill in their password after every screen lock
  2. Anything is better than nothing
  3. The Yubikey would not need to encrypt passwords, just unlock the app
  4. Unlocking the app should be reasonably easy to implement with a Yubikey

The workflow/config would be something like:

if( browser restarted ) prompt password
if( laptop locked || timeout ) require yubikey

Were the second does not actually encrypt anything, but does stop every day attack vectors (e.g someone grabbed my laptop).

This feature does not need to protect against an advanced threat actor, just to increase security in a convenient way.

5 Likes

This request is IMO not about increasing crypto security but to have similar UX and ease of usage as on mobile: you need to password to login but you only need fingerprint to unlock. The similar UX would be awesome on your desktop too: you need to login with the master password, but you can unlock easily with your Yubikey when you (say) step out from your computer for a few minutes.

I don’t know the details how Android biometric unlock is done and how the vault data is stored while the vault is locked (encrypted?). But a similar mechanism should be used on desktop.

2 Likes

In the simple case of no OS support, this reduces crypto security. It’s the same as leaving the vault permanently unlocked, which is an option, so I can’t say it’s worse than existing options. The main benefit is that it is obvious to the end user that their vault is unlocked. But if they “lock” their vault with a security key, they may think their vault is actually protected, when it is not.

If the platform has a method to store such secrets securely, then it wouldn’t be that bad. But not all platforms are the same methods and you can’t expect users to know how each platform works and decide if it’s safe to use the security key locking.

“Anything is better than nothing” is most definitely not true. Just look at the crap show of SMS “2fa”. Lets add SMS to your account, some 2FA is better than nothing. Then someone resets your password via SMS and you have 0FA.

As long as the end user is FULLY aware of how their decisions affect their security. This could be a UX issue. Maybe there are prominent legends next to the “lock” options indicating how safe they are. This could be platform dependent, allowing for security locking to be “safe” on say mobile where the secret can be saved in the OS keystore vs say browser where it’s just some dev mode debugging away from bypassing.

What I don’t want it to hear about how someone “locked” their browser with their yubikey and their 8 year old kid jumped on their computer and logged into their bank to transfer funds because they saw a 1 min video on youtube about how to bypass it. This would devalue trust in Bitwarden and security keys.

1 Like

BW is soon getting also TouchID support for browser extension and the desktop app already supports it:

So Yubikey is the logical next step.

1 Like

But if they “lock” their vault with a security key, they may think their vault is actually protected, when it is not … Maybe there are prominent legends next to the “lock” options indicating how safe they are.

This seems like the smallest issue. When locked bitwarden now has a red icon, when open it is white. When softlocked, orange seems the obvious choice. Add a prominent “Your vault is not encrypted” message and you’re good.

“Anything is better than nothing” is most definitely not true. Just look at the crap show of SMS “2fa”. Lets add SMS to your account, some 2FA is better than nothing. Then someone resets your password via SMS and you have 0FA.

SMS and Yubikey are fundamentally different attack vectors. By it’s nature SMS is insecure, by it’s nature a hardware key is limited to the spacetime coordinates it resides in.

What I don’t want it to hear about how someone “locked” their browser with their yubikey and their 8 year old kid jumped on their computer and logged into their bank to transfer funds because they saw a 1 min video on youtube about how to bypass it. This would devalue trust in Bitwarden and security keys.

  1. If you have a Yubikey, there is a nontrivial chance you are a power user who understands what an orange icon with a warning message means.
  2. Again, many of us (even the security-conscious) leave our vaults unlocked purely because of the hassle of typing the passphrase and would welcome the extra operational security of a softlock.
2 Likes

I don’t know enough about the FIDO standards to make a really informed comment here, but my understanding is that FIDO2 (supported e.g. by YubiKey 5) allows for password-less login. (I.e., the YubiKey becomes a single authentication factor.) I would suppose that this could somehow be integrated into Bitwarden for unlocking and decryption?

We could still give the user the option to also require a password when logging in (vs. unlocking). Basically, the password would become the second factor.

PS: I agree with others that a PIN is not secure enough. The only option that I consider safe is to have Bitwarden log-out on timeout, and then require re-authentication with username/password+YubiKey. It would be nice if the username+password could be skipped.

Maybe I’m not getting it right, but to the people claiming this wouldn’t increase the security:

Wouldn’t that help quite a bit versus keyloggers? E.g. the Vault can only be unlocked with a Fido/U2F device, so there would be no need to ever type the password (or, if technically not possible, only once on initial setup - preferably on a “clean” machine).

Over time, different software enters and leaves a computer, so it becomes quite hard to trust the own device - it would feel quite good knowing that only with my hardware key the vault can be unlocked. Or it’s a work computer where even the most simple remote administration software could work as a keylogger - do I trust the IT guy in my company? Who knows, better never type my master password.

If it additionally would work initially with the hardware key alone, I could even imagine opening the vault on some internet cafe computer in a country far away!

Sure, an infected computer could to all sorts of things with an unlocked vault, but I imagine it to be way harder (and more specific) to silently copy all my data from the web or extension vault than it would be to just record my keyboard strikes and copy my locked vault blob.

And isn’t all security just trying to make it as hard as possible for attackers?

I might overlook something here, but it feels like a nice feature to add.

4 Likes

Agree. It’s kinda weird that we have these 50-character-long auto-generated passwords stored in Bitwarden, but then Bitwarden itself is protected by an easy to remember PIN? Ouch.

And if you choose a longer / more complex PIN, you’re much more likely to set the vault timeout to a higher number, which again defeats the purpose.

Hi,

I see some reasonable pushback on using U2F keys instead of master password and I understand it. Worse, some keep implying that 2FA when 'unlocking' - #98 by tgreer adds exactly that feature when you are fully logged out and are forced to input both a password and a 2FA token. I share the same pain point as the people how asked for 2FA unlock (not 2FA login), however. I also see some pushback on 2FA unlock, I address that at the end of my post.

Let me try to reframe it in a better way. Can you let users use U2F keys instead of a PIN and show a warning that using U2F keys without any protection like a fingerprint sensor is a (physical) security risk? Lack of this option makes me set the lock period longer than I would like to.

While I respect this point and somewhat agree with it, I think people should be in control of their computers, not the other way around. What you are saying is that if people leave house keys under a door mat, the lock provides no security and it would devalue trust in the lock manufacturer. If anyone went on TV saying that, viewers would just have a healthy laugh. I think educating users is always better than telling them what to do.

Cheers,
Andrew

3 Likes