I mean, you could even have it default to requiring both Yubikey and password at every unlock, as long as it’s a togglable option. My thinking is that if someone wants to get into my account that badly there’s nothing keeping them from pointing a gun at my head and demaning my passphrase anyway. Does that seem reasonable?
Also, wish more forums would have this “2 months later” or “10 days later” between posts. Exceptionally good idea. (Edit: is this just a default Discourse feature?)
I joined the forums exclusively to support this. I thought this was already a feature when I signed up for Premium, tbh, and it was the entire reason I did so. Having an option to verify (PÎN + key) unlocks seems like a basic convenience feature, especially for devices without biometric options like desktop computers.
When talking about keyloggers, I don’t think people realise how easy it is to compromise a password. All it takes is someone at the next table in a cafe recording you typing with their phone, and your master password is toast.
I feel so uncomfortable unlocking my Bitwarden (after a timeout, not on initial login) with my master password or PIN every time. It feels like terrible security, when I have a device with me that requires physical touch and cannot be remotely exploited, whether across the web or from the next table.
For those who say they don’t want someone being able to access their Bitwarden by simply pressing their Yubikey … Why are you leaving your laptop unlocked?! If your laptop is unlocked and logged in when you’ve stepped away, you’ve got much bigger opsec problems than your Bitwarden extension.
@tgreer please start taking this request more seriously, it is a huge flaw in the current Bitwarden security model.
@actuallymentor my god, you have the patience of a saint, I salute you.
@tgreer, what would it take for you to implement this? I’ll gladly get X signatures on a petition or something.
I’d like to re-point out that:
we are asking for a cosmetic “unlock with yubikey” that protects against “my kid is using the laptop” and not “Wladimir is using jack the ripper on my vault”
we are fine with this feature being hidden under 3 sub levels of “advanced settings” and “DANGER” popups
if you are a perfectionist you can always implement Yubikey’s PIV (smartcard) functionality, but that is far beyond what we are asking here
Every attack surface counts, and as you can tell many here know what the words “Opsec” and “Attack surface” mean, we’re not inexpert users just wanting sham security so we can feel good about ourselves.
I’ll happily throw in a US$10,000 bounty for this. It’s easily worth more than that for me to have my master password (or pin) compromised due to having to continually type it in on every unlock event.
To be clear on what I’m referring to, this would be to allow a Yubikey to perform the same functionality as the existing “Unlock with PIN” and “Unlock with biometrics” options.
@actuallymentor
In case of biometrics “unlock” (and not login) the decrypted key derived from your stretched master password is already stored in memory after you opt for biometrics, so thats why you don’t have to type the password.
Also Biometrics is an integral part of your OS and not an external application.
So, as far as your OS is not compromised (including change in system partition) then threats from outside would be minimal and largely depending upon your vulnerability of OS.
Incase your OS is compromised in terms of modifying the system then there are no means of security that could save your master password/decryption key from leaking. OS compromise is like getting into key logger debate.
Also as you mentioned about people leaving their device unattended or their device unlock pin being visible to others is something that you need analyse according to your personal threat model. if you think you have people around that may have reason to spy on you then get a fingerprint reader for your PC as well or a more secure way if that’s not enough.
Any attempt to store the master password on the main device storage or on a external device (even if encrypted) would serve greater risk according to Bitwarden safety standards.
I am not a cybersec expert but yeah this what i make of the sitaution.
Edit : how about using yubikey as a means to open your device so indirectly it will open your bitwarden vault too . I guess windows hello allows you to unlock through yubikeys
While there isn’t a specific threshold for implementation - the Bitwarden team does have to balance the needs of their commercial and individual clients. That said, I can totally understand how useful and convenient this would be for those who want an option aside from PIN/Biometrics.
@bw-admin is running point on community feedback these days so I wanted to make sure he saw these replies as well.
I’m a commercial client with 100 seats, and I emailed to request this feature on May 15, 2020, and had a conversation with Clayton regarding it. I also request this feature personally.
Hi @_Alan, after checking in with the devs, it’s not something we’re actively exploring at this point in time. There’s a bit more about the functionality here, along with the following:
“The WG’s consensus is that the Web Authentication WG’s charter and specification is focused on user authentication for websites and that we are respectfully declining this invitation to expand the WG’s scope to include providing “support for general (hardware backed) cryptographic signatures and key exchange”.”
Update
We are closely following industry standards for options to use FIDO2. Right now the primary use cases are for authentication as a 2nd factor, but we are keeping our eyes on all options for the future.
@bw-admin I genuinely feel like we’re talking about different things here.
Let me try asking the question a different way:
Are you saying that Bitwarden prefers that to unlock a locked Chrome extension, you need something that is easy to exploit (a fixed unchanging piece of textual data (pin or master password)), vs something that is hard to exploit (a physical device that is with the user in their pocket attached to their keyring).
Before you say it’s not easy to obtain a pin or password, please refer to my previous comment that all it requires is someone to video your keystrokes typing in your password from the next table in a cafe. And every single unlock event is a repeated exposure of that master password or pin.
Even worse is that once the pin or password is obtained, it can be re-used as much as you like without the victim’s knowledge. With a Yubikey, if you were to obtain the text string, it’s useless. If you were to obtain the physical device, the victim would be aware.
Can you please confirm that Bitwarden understands the issue we’re talking about here is the highly compromisable nature of a fixed unchanging textual piece of data, vs an unforgeable hardware key?
Hi @_Alan, thanks for providing more context. We’re on the same page and I can see how this could be useful for interested users and we are constantly looking at the landscape and seeing what industry standard options are out there.
Releasing new features is a balance between distributing internal resources and serving individuals and families, teams and enterprise and MSPs. Bitwarden is also built in part by the open source community, so anyone is able to suggest code implementations, so if this is something you really want to explore through a code contribution, you can use the Github Contributor’s portion of the forums to continue the conversation.
Be specific and include the scope of your feature and functionality to the fullest extent possible.
Detail any repositories that will be affected by those changes; remembering that new or updated dependencies must be kept consistent across impacted repositories
Once you’ve created your topic, tag a moderator - use @bw-admin and @kspearrin to make sure we get notified.
The Bitwarden team will chime in and give you the feedback necessary to get you started in the right direction.
Once this additional detail is provided, the product and engineering team can have a closer look. Please keep in mind, suggesting a contribution does not guarantee implementation and as documented in the about section, is a collaborative review process to ensure consensus between all parties.
For anyone interested, user @stevel just posted a clever way to use a Yubikey as both a 2FA device for authentication as well as a secure way to unlock your vault. See his idea in the linked thread below (makes me think I need to ditch my FIDO2 keys and get a Yubikey 5 now…).
We have been asking for this for years. This is the future. I want the security of a long master-password + not leaving my vault unlocked all day. A PIN to unlock accomplishes nothing other than false safety, Yubi/2FA only for unlock is the way to go.
Start the day, log-in with masterpassword + 2FA, auto-lock vault in 5 minutes, log-off in x hours or browser close.
Unlock by pressing the Yubi.
Done, protected against remote attacks while still using a long master-password.
The company is allowing users to unlock their vault using the LastPass Authenticator app (in case you don’t already have enough Authenticator apps installed). The app will allow users to unlock their vault using a random code through the app, skipping the need of having to enter a password.
LastPass plans to also allow for other authentication options that also make use of FIDO2 compliance. This means that, eventually, you’ll be able to use your fingerprint as well as specific security keys like the YubiKey products
Hopefully, some of the other options, like Dashlane, follow suit with their own password-less logins to eliminate master passwords altogether.
I feel you. And honestly I really don’t understand the Bitwarden team…
Maybe my impression is wrong, but many Bitwarden users seem to be tech enthusiasts & professionals who like the open source ethos.
Keeping that group happy seems like a core priority.
I switched from Lastpass to Bitwarden years ago for that reason, and honestly keep considering switching back after every new reply on this forum topic.
Making noise here. @Tiago_R hit the nail on the head IMO.
Start the day, log-in with masterpassword + 2FA, auto-lock vault in 5 minutes, log-off in x hours or browser close.
Unlock by pressing the Yubi.
Without this feature, on average the length of people’s auto-lock is going to be proportional to the length of their password, which is far worse than the worst-case scenarios people have outlined.
As has been noted many other times in this thread, it’s an option provided by major competitors and one that your userbase actively wants.
As far as dev time, obviously “simple little” feature requests have a whole lot more to them than it appears on the surface, but at the same time this isn’t a new feature on the level of implementing YubiKey for the first time. It’s allowing an existing feature (YubiKey auth) to stand in for another feature (PIN).
we are asking for a cosmetic “unlock with yubikey” that protects against “my kid is using the laptop” and not “Wladimir is using jack the ripper on my vault”
we are fine with this feature being hidden under 3 sub levels of “advanced settings” and “DANGER” popups
if you are a perfectionist you can always implement Yubikey’s PIV (smartcard) functionality, but that is far beyond what we are asking here
. I guess windows hello allows you to unlock through yubikeys