Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

I too believe this would be a great addition. Having the u2f hardware token unlock (not login), but still prompt for u2f button press, I think would be a good compromise. It’d be practical then to use the immediate vault time-out, ideally then also have it log out completely if one goes to auth with u2f and then the dongle isn’t present, and log out if the browser is closed.

1 Like

Yes. Please implement this feature. Thank you

1 Like

Please add Yubikey NFC support for the Bitwarden mobile app on iOS to unlock the app in addition to logging in (which is currently supported). This was my expectation when getting BW premium and the Yubikeys. I want BW and Yubikeys to be my central, secure source/method for password storage.

1 Like

2FA is a way for someone else to validate who you are, not a way to secure local resources. Not without OS support anyway. The OS can do things to protect secrets. Think Apple or Android biometrics.

Local application level 2FA is security theatre. I’ve seen videos of people popping open the Chrome dev console, changing the plugin’s code, and 2FA is bypassed.

Ben, you are completely ignoring years of discussion in this thread. And ignoring customer wishes at that.

To quote myself yet again (though the short version since you seem to ignore the longer ones):

Yes. Basic unlock. No encryption needed. It’s operational security rather than cryptographical security. It is an addition to the master password + yubi unlock.

It is no more security theatre than closing the door when having a sensitive conversation and arguing “yeah but anyone can open that door because it is not locked”.


A person who is looking for moderate convenience can either:

  1. Not lock Bitwarden (as many do)
  2. Use a Yubikey superficial lock

Option 2 protects against “oh shit I forgot to lock my laptop and now my colleague has my facebook password”. Option 1 protects against nothing.

You are being entirely dogmatic. Painfully so.

3 Likes

I’m not ignoring anything. I professionally disagree with the priorities and reasoning. My specialty is dealing with complex customer needs and delivering a product that satisfies the customer’s needs and not their wants. I deal with a wide range of software projects and have a long track record of happy customers. Many of the projects were rejected by other companies due to complexity even when the customer was willing to pay above average for the effort.

In my personal experience, preventing the customer from having a feature that can be easily misunderstood is a core tenet of delivering a product that the customer will be happy with. What can happen will eventually happen given enough events. And in this case, if the industry is saying that using a security key is the ultimate in security and BW customers are asking for “feel good” fake security that is based around “keeping honest people honest”, someone somewhere is going to get bitten and suddenly BW and security keys will come under fire. Trust will be lost.

For something that objectively provides less security than a pin and is more cumbersome to use, I don’t see the upside. The one exception is if the unlock secret can be stored in the OS secure enclave, and the OS handles authenticating the security key.

I have immense respect for your work and love Bitwarden’s ethos. On this issue however I feel like you have blinders on and are strawmanning every customer in this thread.

You seemed not to want to rebut or substantively respond to my October 2020 comment:

We are talking about Yubikey users. Those know to find the ‘Advanced Settings’ button and understand the risks.

I’m not sure if you misunderstand or are ignoring my point:

  1. Password and pin are for cryptographic security
  2. Yubikey unlock is for operational security

Different attack surfaces. Neither is meant to replace the other.


Don’t get me wrong, I love your product and ethos. I’m not a hater, I’m a fanboy. I just disagree with your view.

3 Likes
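To make the operational-versus-cryptographic distinction argued in the two posts above concrete, here is an added model (not Bitwarden’s code and not a real FIDO2/U2F implementation; the class and function names are assumptions) comparing a flag-gated unlock, where the vault key stays in memory, with an unlock where the vault key is wrapped under a hardware-key-derived secret.

```python
import hashlib
import hmac
import os


class SimulatedHardwareKey:
    """Hypothetical stand-in for a hardware key's HMAC-secret response (a real
    device only answers after a touch); not a FIDO2 implementation."""
    def __init__(self):
        self._device_secret = os.urandom(32)  # never leaves the device

    def respond(self, salt: bytes) -> bytes:
        return hmac.new(self._device_secret, salt, hashlib.sha256).digest()


class GateOnlyVault:
    """Operational unlock: the vault key stays in memory and the device only
    flips a flag (verifier simplified to one registered response)."""
    def __init__(self, vault_key: bytes, key: SimulatedHardwareKey):
        self._vault_key, self.unlocked = vault_key, False
        self.salt = os.urandom(32)
        self._expected = key.respond(self.salt)

    def unlock(self, response: bytes) -> bool:
        self.unlocked = hmac.compare_digest(response, self._expected)
        return self.unlocked

    def vault_key(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("locked")
        return self._vault_key


class WrappedKeyVault:
    """Cryptographic unlock: only a one-time-XOR wrapped copy of the vault key
    is kept, so recovering it needs the device's response for the stored salt."""
    def __init__(self, vault_key: bytes, key: SimulatedHardwareKey):
        self.salt = os.urandom(32)
        kek = key.respond(self.salt)  # 32-byte wrapping key, used exactly once
        self._wrapped = bytes(a ^ b for a, b in zip(vault_key, kek))

    def unlock(self, response: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(self._wrapped, response))


def compare_designs() -> dict:
    """What code running in the same process (the dev-console case above)
    obtains from each design without the device present."""
    key, vault_key = SimulatedHardwareKey(), os.urandom(32)
    gate, wrapped = GateOnlyVault(vault_key, key), WrappedKeyVault(vault_key, key)
    gate.unlocked = True  # the flag flip: no touch required
    return {
        "gate_only_leaks_key": gate.vault_key() == vault_key,
        "wrapped_leaks_key": wrapped.unlock(bytes(32)) == vault_key,
        "wrapped_with_device": wrapped.unlock(key.respond(wrapped.salt)) == vault_key,
    }
```

The first design is the “closed but unlocked door” from the thread: it stops a colleague at an unattended laptop but nothing with code execution in the process; the second only holds usable key material while the device has answered.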

@actuallymentor just to clarify, Ben is not a Bitwarden employee :wink:

I appreciate the banter here and hope the thoughtful and respectful conversation continues as needed.

:upside_down_face: an assumption on my part.

Do you have a position on this issue?

1 Like

I do indeed! But thankfully my opinions are only .00001% of the prioritization process :slight_smile:

1 Like

all_right_then_keep_your_secrets.gif

Joking aside if I can lobby anyone for this let me know. Otherwise I’ll just chime in on this thread a few times a year…

4 Likes

I would like to also explain why I want this feature. My use-case is the unlocking of the vault on my mobile phone.
So imagine this: I am sitting on the tram, and want to log in to paypal to do something. Then I have to either:

  1. Enter my master password (which is long and as such difficult to type, also someone might be watching me typing it over my shoulder (2FA enabled, but I’d rather not compromise my master password))
  2. Use biometrics (somehow my phone does not like my fingers, also my fingerprints are all over my screen and the back of my device, not hard to use those if the phone is lost)
  3. Enter a PIN (even easier to just look over my shoulder and figure the PIN out, but phone needs to be stolen in addition to the PIN-surfing to make use of it)

Instead, I would like to just take the Yubikey that is on my keychain, hold it onto the NFC port of my phone, and unlock the vault with that. There is a risk to this, namely someone stealing my phone and my Yubikey at the same time, but then hopefully the general PIN to unlock the phone will deter an attacker just long enough for me to go home and change my master password.

2 Likes

I would like to second this request. I have a very secure computer at the office and I want it to be secure if I accidentally leave it unlocked when I go to the restroom. I don’t want to have to type in my master password.

It should require a master password on restart and then allow me to use the yubikey on locks after that.

1 Like

+1 Authentication with U2F, not Encryption (or Unencryption).

See this: Use U2F key to unlock app — 1Password Support Community

+1

PIN + Yubikey for unlocking would be the best solution.

Right now if someone gets remote access and sets a Keylogger on my computer, they will either have access to the master password or the PIN for unlocking, gaining access to all my vault data (from my computer).

Master password + Yubikey for unlocking would be the safest, but completely impractical, no one is going to set that with the proper timeout (every login or after a few minutes) and it will lead to weaker master passwords.

Most people just set a PIN for ease of use, leaving the vault 100% exposed to remote RDP/Keylogger attacks. (far more likely than someone stealing the laptop without triggering a timeout)

PIN + Yubi required with every login would kill any remote only or physical only threat. RDP/Keylogger attacks wouldn’t reach the Yubi, and an unauthorized physical access to the laptop would get access to the Yubi but not have the PIN.

My only solution to this right now would be to set a weak/small master password + Yubi for 2FA.

1 Like

Here too, I really want to NOT have to type my password while I have a physical key. I hate typing my password because I feel exposed every time I type it.
When I’m on linux I’m almost ok but NOT when I’m working on windows.
Please, give us that feature to keep us happy to pay for your product.

<3

1 Like

PIN + hardware key please. Everyone’s use case is different. I’m a low value target, don’t have millions or cryptocurrency stashed away in a wallet somewhere. I’m not worried about someone coming and stealing my hardware key as I WFH.

The computer is part of a domain. I don’t have admin access. Can’t install the desktop client, Windows Hello is disabled.

My Bitwarden password is over 100 characters. I copy and paste it from a local password manager. The copy/paste process, the insecure clipboard, is the biggest security threat to me. I’m not going to change my ways. PIN + Yubikey is more than enough for me.

3 Likes

This would also be solved in a more general way via this feature request.

2 Likes

I had the opportunity to read the long discussion that was created for this request and I would like to give my opinion; I am new to the community but I would like to make my contribution.

Many people say that this request is not necessary or is senseless, saying that the use of biometric data is enough, completely forgetting that 90% of computers do not yet have a fingerprint or face reader, and not everyone uses the password manager only on the phone.

Most likely the person who made the request, whom I would like to support, wanted to make sure that once the physical key (for example a Google Titan) was connected to the computer, the vault would unlock automatically without asking for the master password or PIN or anything.

Many have complained that if they lost the physical token, anyone who found it would have been able to access their account. But what if you made sure that the master password was asked for only at the first connection of the physical token to the device?

For example, if my physical token is connected to the computer and I unlocked it with the master password the first time, then if by chance I had to shut down my computer, upon reboot I would only be prompted for the master password the first time.

This would be fantastic and would be very convenient and productive for someone like me who doesn’t have a computer that can read fingerprints, so if the physical authentication key remains connected to the computer there will be no need to enter the master password every time; it will be enough to enter the password only once, i.e. the first time the key is connected to the computer or immediately after restarting the device.

P.S. Obviously if you lose the physical authentication key, with the backup codes you can simply revoke that key from the control panel, as is currently possible.

For the rest, it could very well continue to use the same key both for two-factor verification and for an instant unlock, which however would require that the key is always connected to the computer or via NFC.

If you could not keep the physical key always connected to the computer, it would be enough to unlock with two factors the first time and enter the master password every time the computer requests it.

All this to avoid making your computer an authentication key.

1 Like

I would like this feature implemented both on mobile (via NFC) and desktop.

I’ll start with mobile. I use an iPhone with FaceID. Currently mobile will unlock simply with FaceID for me. This is convenient but I often wonder if I ever get in a situation where someone forces me to unlock my phone/BW that simply holding my phone in front of me will allow it to unlock. I have a Yubikey with NFC and would like to unlock BW with both FaceID and using my Yubikey via NFC. This adds an additional security layer that provides opportunities to either not have your Yubikey with you, destroy your Yubikey, toss it away, etc. This will limit access to physical local access only.

For the desktop I don’t mind entering my master password for the initial unlock/decryption of vault. The downside is it’s a master password, which means it’s a long password I generated with BW using special characters and all. It’s not something I can easily type in every time I want to unlock BW afterwards. I don’t mind using a PIN to lock/unlock the vault afterwards but like other people, now you’re open to keyloggers, people looking over your shoulder, etc. Having to have your Yubikey available in addition to a PIN, or even to replace using a PIN entirely, just to unlock the vault is something I’m interested in. This will limit access to physical local access only.

No matter what, a master password + 2FA of some kind should be used to encrypt/decrypt the vault. But once logged in, using just the Yubikey to unlock would be nice.

Currently, just out of convenience, I don’t even set a PW or PIN to unlock BW once logged in. So using a Yubikey is definitely better than nothing.

For reference I also keep access to my hardware relatively secure. If I ever step away from my desktop I always lock my system. My drives are all fully system encrypted via VeraCrypt with a PIM in place. No one has an account on my systems other than me. (Which is why I’m comfortable with no PIN to unlock BW on my system). But I’d still like to use the Yubikey to unlock just out of convenience and not having to enter any static PIN that a keylogger could snag.

I keep my Yubikey on my keyring so it’s not something I just leave plugged into my computer ever. I plug it in and use it as needed. I do have a backup Yubikey I keep locked in a safe as well.

1 Like