Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

I’m very interested in this feature as well - it’s honestly the functionality that I expected when I purchased premium.

I don’t see why a Yubikey can’t be used as a replacement for biometrics in every circumstance. If I can use my fingerprint to unlock my vault on my phone then I should be able to do the same thing using a Yubikey on my desktop.

1 Like

+1 for this… great request.

I’ve been following this for a year. Surprised this thread is still going on and it hasn’t been implemented.

Yes, it’s not encrypted, but it beats having your password keylogged.

1 Like

That’s like saying it’s better to leave your house key under a rock outside the door, so that you avoid the risk of losing it! It increases convenience, but completely bypasses a password manager’s main protection.

Encryption is the only way to protect your data. Authentication can always be bypassed by someone with access to your device. For example, they could copy your Bitwarden vault and the copy of your master password stored by the app.

Bitwarden already supports unlock with PIN and unlock with biometrics. These provide increased convenience without undermining your security.

1 Like

Signed up for the community to vote for this feature.

Big competitors of Bitwarden have this feature and I thought Bitwarden would have it too. Just make it some hidden feature if you don’t like people using it. When someone activates it you can prompt them with a message “we do not recommend using this, use at your own risk” or something if you really don’t like it being used.

If you want a password manager to use with your Yubikey, you are probably going to a competitor only for this small feature.

You can argue that you should not work this way, that is okay. But let people decide that for themselves please. If you want Yubikey users to start using Bitwarden or keep using Bitwarden, for most people this is very important, so why not give them the option like competitors do.

I would like to be able to “lock” my vault but require a FIDO2 authentication in order to unlock it.

This would allow everyone to require a hardware key to access their password data (far more secure) but also lock it to preserve offline access when needed.

No. These provide increased convenience WHILE undermining your security.

This is quite simple to explain.

Let’s say your computer has been compromised and someone has RDP access to it and sets a keylogger. IMO, the most common type of attack.

You go on with your day, type your master + yubikey, the vault is decrypted and unlocked.

You step away for a few minutes, the attacker now has full access to your vault.

If you set it up to unlock it with a PIN, the attacker just needs to wait for you to type it, then he’ll know that too.

The ONLY safe option is to set Bitwarden to lock your vault with each use, and require an unlock method that includes a physical device, either just Yubikey or Yubikey+PIN.

**Right now, the only alternative to this is to require login/decryption with each use, master + yubikey.**

**That’s the best option available right now, but makes people use weaker/smaller master passwords so they can remember them and type them quickly.**

I’m having a hard time understanding how using a Yubikey for unlocking (not decrypting!) is a weaker option than using a PIN.

Anyway, PIN + Yubi for unlock would be the way to go. Pair that with always locking the vault with each use and an RDP attacker would never get access.

2 Likes

I don’t think any password manager can operate securely on an insecure, i.e. compromised, device. However, I agree that a PIN or biometrics can only be less secure than using a strong master password.

The point I was trying to make was that using these options keeps the master key beyond the reach of an attacker. In the case of unlock with PIN, the master key is encrypted with the PIN. I assume that unlock with biometrics uses the secure enclave to achieve the same result, but I can’t find a reference to it in the white paper.

U2F/FIDO2 don’t provide any means for the YubiKey to be involved in the encryption. So they will only ever provide a means of authentication and authentication can always be bypassed. For example, the attacker doesn’t need to use the BitWarden app on your device, he can decrypt the database on his own device with his own software. So any authentication steps added to the BitWarden app will inconvenience the legitimate user without presenting any obstacle to an attacker.

2 Likes
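The distinction drawn in the last two posts (an attacker copying the vault together with whatever key material the app stored, versus the master key being encrypted under the PIN) as an added Python example. This is illustrative code, not Bitwarden’s own implementation or any poster’s code; the on-disk layout, the class and function names, and the scrypt parameters are assumptions.

```python
"""
Added illustration (not Bitwarden's code): an authentication step guards the
app, whereas key wrapping guards the data.  Storage layout, names and the
scrypt cost parameters below are assumptions made for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumed scrypt cost; a real client would tune this considerably higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _keys_from_pin(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrapping key and a 32-byte MAC key from the PIN."""
    okm = hashlib.scrypt(pin.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]


def wrap_master_key(master_key: bytes, pin: str) -> Dict[str, bytes]:
    """Encrypt-then-MAC a 32-byte master key under a PIN-derived key.

    A fresh random salt per wrap yields a fresh 32-byte keystream, so the XOR
    is a one-time pad over exactly one block.  The HMAC makes unwrap() reject
    both a wrong PIN and a tampered blob instead of returning garbage.
    """
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)
    enc_key, mac_key = _keys_from_pin(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(blob: Dict[str, bytes], pin: str) -> Optional[bytes]:
    """Return the master key, or None if the PIN is wrong or the blob was altered."""
    enc_key, mac_key = _keys_from_pin(pin, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], enc_key))


class AuthGatedStore:
    """Design A: the master key sits in clear on disk; an authenticator result
    (a FIDO2 assertion, say) only decides whether the *app* hands it out."""

    def __init__(self, master_key: bytes) -> None:
        self._on_disk = {"master_key": master_key}

    def unlock(self, assertion_ok: bool) -> Optional[bytes]:
        return self._on_disk["master_key"] if assertion_ok else None

    def stolen_copy(self) -> Dict[str, bytes]:
        """What an attacker who can read the device's storage obtains."""
        return dict(self._on_disk)


class PinWrappedStore:
    """Design B: only the wrapped key is on disk; the PIN is needed to recover it."""

    def __init__(self, master_key: bytes, pin: str) -> None:
        self._on_disk = wrap_master_key(master_key, pin)

    def unlock(self, pin: str) -> Optional[bytes]:
        return unwrap_master_key(self._on_disk, pin)

    def stolen_copy(self) -> Dict[str, bytes]:
        return dict(self._on_disk)


def offline_pin_search(stolen: Dict[str, bytes], candidates: Iterable[str]) -> Optional[str]:
    """The remaining weakness of design B: with the file in hand, the attacker
    can try PINs offline at the cost of one scrypt call each, which is why a
    short PIN is weaker than a long master password."""
    for pin in candidates:
        if unwrap_master_key(stolen, pin) is not None:
            return pin
    return None


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample master key
    print("design A, stolen file contains key:", AuthGatedStore(key).stolen_copy()["master_key"] == key)
    store = PinWrappedStore(key, "4821")
    print("design B, stolen file contains key:", key in store.stolen_copy().values())
    print("design B, offline guess of a 4-digit PIN:", offline_pin_search(store.stolen_copy(), ["1234", "4821"]))
```

In design A the FIDO2 check is irrelevant to anyone who reads the file; in design B the file is useless without the PIN, but a 4-digit PIN still falls to an offline search in at most 10,000 scrypt calls, which is the trade-off the post above describes.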

Hi there,

This is inaccurate I think?
Passwordless covers MANY use cases from local apps, SSO, Linux/UNIX and whatnot.
Whereas webauthn (the actual standard) only does web apps.
And FIDO2 is a certain lobby/alliance led application of that standard with the equivalent of a Cisco backdoor by way of a certificate server that can turn any admin into an insider threat, whether they sit at the vendor or the client.

Right, is this making sense?

Why does it take so long to implement this feature?

@Maurits we’re balancing quite a few requests from the community and business customers (there are 1800+ requests here alone) - so it does take a little time. To see more of what we’re working on, our roadmap and release notes will give some insight.

1 Like

adding my support for any additional Yubikey features.

1 Like

+1 on this, I bought a premium subscription expecting this feature and apparently it is being DEMANDED but ignored ???

Well, I will ask for a refund and go to LASTPASS who has this feature. SO SAD… I like Bitwarden; LastPass is greedy and incompetent, costs 4 times the price of your software and is worse… 🙁

3 Likes

@tgreer I’m a dev and understand the pain of development, but I would like to point out that this issue and the preceding #353 have a combined vote count of 350, making it the 6th highest voted issue.

What would be needed to convince you to put this on the official roadmap?

1 Like

Hi @actuallymentor this is on our radar, but of course, we have to balance lots of different requests and needs.

Our public roadmap is really a method to show the “headline” features and themes for where we are going, not a full detailed listing of things we will or won’t do. We’re a member of the FIDO Alliance and absolutely support the security and convenience benefits of hardware keys today and going forward.

1 Like

I am adding my support for better support of Yubikey. I am having difficulties logging in from Firefox and iOS. Clearly, reading this thread, this is causing lots of people a lot of friction and it’s not so much hard work to get it on the roadmap.

We are almost in 2022 and using a yubikey is nothing esoteric.

2 Likes

+1
I have browsed over the comments on this forum and support the addition of this (or something similar) of a feature.

I am rolling out Bitwarden as a security process upgrade across my family, and want to make it easy to adopt. The master password must be long to be secure, and ideally it should be exposed as little as possible. My ideal solution would be master password + security key to login a new device, then pin + security key to unlock whenever necessary.

1 Like

Exactly my opinion… same situation here. Make sure to vote this topic up at the very first post on the top left of this topic.

I am currently considering getting USB fingerprint sensors and configuring them with Windows Hello as an alternative. As far as I know it should then be possible to set the vault to be logged out automatically after a certain period, and then you can turn on biometrics login instead of the master password and additionally the security key on login. I think this is a very secure alternative. The only problem I see is: what if family members bypass the settings on their computer… if they change it and disable the “log out” feature the security key will not be necessary…

Anyway: buying USB fingerprint sensors is definitely a good and convenient deal because you can also use them to log in to Windows etc. Unfortunately Microsoft does not natively support a setting which forces the Windows login to fingerprint plus security key without any SMS & mail and PIN recovery (to bypass the security key). Because this would also be very secure in combination with a fully encrypted drive. Nobody would be able to get access to your notebook, even if you might still be logged into Bitwarden in some session.

To achieve safety “also for family members, who have no clue about IT and are easy victims” is really, really not easy. I think it starts with not giving them accounts with admin rights on Windows. And a security key is the next step.

I fully support this request!
I consider (optional) passwordless (FIDO2/Smartcard + PIN) login & decrypt both more secure and convenient.
The obvious attack vector now is: if somebody logs / scouts my master key (no matter how long & complex it might be), he could decrypt offline vault copies on my computer/phone.

No idea if FIDO2 (+PIN) would be feasible to login AND encrypt/decrypt. But Smartcard (+PIN) should and it is available on Security Keys (YubiKey, NitroKey, …) and Windows (Windows Hello).

Bitwarden offers the option to request the master password when opening defined entries. I’d like to request the feature to request the security key (Yubikey, FIDO2, …) instead of the master password when opening the defined entries.
Thank you very much in advance for considering my request.

1 Like