Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

hmmm… maybe I clicked on something unnoticeably. I will have to double check when it shows up again. Where do I disable that?

Just go into the login item in your vault and there is an option to enable/disable the prompt.

2 Likes

I noticed this thread is going off the rails a bit so want to refocus it: this thread is filled with about 2.5 years of users asking for an “unlock with Yubikey” feature.

The users here acknowledge this is not a high-security measure, but a cosmetic one that protects only from cursory attacks.

We emphasise that from a threat-model perspective this covers a use case that the current system does not, and that this is a feature that other password managers like Lastpass already have.

1 Like

@actuallymentor Given the threat model that you have described, and the quote below from one of your previous posts, I’m wondering if there are actually two different things being requested in this thread (or alternatively, that there may be two possible solutions, one of which may satisfy your needs but not those of some of the other thread contributors).

I’m assuming you meant “not decryption, just unlocking”, in which case what you are describing sounds like a variant of the Master Password Reprompt feature — i.e., for selected vault items (or for the entire vault), block access to the Bitwarden UI until the user “un-blocks” access using a registered hardware key. In this scenario, the decrypted vault would reside in memory while the block is in place, so the caveats that apply to the Master Password Reprompt feature would apply here, as well.

I don’t know if such an option would be any more (or less) likely to be implemented than a bona fide Yubikey unlock functionality (which by definition requires vault decryption), but I wanted to point out that there could be different paths to meeting some of the needs that have been expressed in this Feature Request thread.

1 Like

I think you might be right. I might have clicked that unnoticed somewhere. Thanks a lot, really helpful! I will keep an open eye next time it shows up!

1 Like

I just created then deleted a similar topic.

I also would like the ability to unlock with a Yubikey only. Set separate timeouts for each: x amount of hours/browser restart/etc. for Yubikey to be required, x amount of hours/days before password plus Yubikey are required.

1 Like

+1 for this
I’d like to be able to “unlock” using a Yubikey Bio, similar to the “unlock with biometrics/Hello” feature.

The only time I want to enter my full password is if logged out. If it’s locked (app or extension), I’d like to be able (if it’s even technically possible) to “unlock” with the Yubikey Bio.

I imagined Bitwarden would have implemented unlock via Yubikey rather than asking me to type my password again. I actually thought this would be a primary use case of the Yubikey support. I was surprised to see it was only considered in the 2 factor after the master password is entered. I imagined it would work super similar to how fingerprint works in the Android app. Android app is basically like: “Enter your master password or use your finger.” I imagined it would be like “Enter your master password or tap your Yubikey.” Pretty surprised this is not treated the same.

My guess is that with Bitwarden’s acquisition of passwordless.dev and their announced 2023 implementation of passkeys that we should be able to do this in the coming months. Yubikey would be an obvious authentication device a user should be able to use. NB. This would do away with both passwords and 2FA.

It would also do away with the need for a keyfile too (which will be nice for the peace) :grinning:

1 Like

I’d like that but doubt it. Look at the age of this thread. Team doesn’t seem to care.

In my Yubikey, I have the master password set as long-press; it is very convenient.

It is also not very secure: someone can grab your Yubikey for a second and extract your (static) password without you ever knowing.

1 Like

Same as they can capture the Yubikey and, according to this post, unlock my vault and capture all my passwords.
I know my Yubikey is the key to my passwords, so it works out the same.

Yubikeys and other hardware security keys are very secure. Yubikey OTP is less secure than Yubikey WebAuthn, both of which Bitwarden allows. Yubikey OTP is still more secure than 2FA codes, which are also still very secure. Then you move down the chain to email and SMS 2FA. You can also set a PIN on your Yubikey to prevent local attacks. AND you can use it as a static password AND even add a bit of salt to it that you have memorized. If someone has a known threat that can overcome all four of those, then a cloud-based password manager probably isn’t the right choice for them.

I have never understood why Yubico don’t let you PIN-protect the static password interface; it would be so much more secure if they did.

+1, would be nice to be able to use hardware key to unlock the vault.

1 Like

Because it wouldn’t work anymore. Static password mode acts as a keyboard. (Remember that for FIDO2 the OS asks for your credentials. There’s no way it could see the difference between your keyboard and the key.)

Now, theoretically, the Yubikey Bio could do some sort of authentication because of its onboard independent fingerprint scanner. Or OnlyKeys, for example, have a PIN pad on the USB stick. You can also store passwords in them.

Unfortunately, I can’t recommend them anymore as they’re using outdated hardware. The microcontroller in use is not really optimized for high-security operations, and NXP (the manufacturer of the chip) recommends on its website that new products should use the “new” SE050 secure element (EAL6+ and FIPS 140-2 Level 4 certification, which is really impressive).

But yeah, I really don’t like the static password solution :frowning:

2 Likes

This might be a digression of the OP but I just wanted to be able to use my master password on android and use the Yubikey NFC to complete the authentication. I want the Yubikey to always be required. No bio, face, or prints. I also have a secondary Yubikey, apps, and SMS for backup.

Right now, the only way this works is with a log-off. If BW mobile locks, then you can re-authenticate with just the master password. If you log out of BW mobile, then all the app settings such as vault timeout, approve login requests, vault time-out action, and the like are reset to factory defaults.

Currently, the only way to force BW mobile authentication via Yubikey is to log out each time, whether manually or automatically, and accept the app factory defaults each time.

2 Likes

I recently switched to Bitwarden from LastPass, but I did a pit stop with Synology C2 Password. I actually liked Synology C2 Password as it just worked. It allowed you to unlock your vault on your PC through my YubiKey and required the YubiKey PIN setup when I first used the YubiKey. It was quick and simple for me to set my vault to lock when it went to sleep or I closed my Chrome browser. They presented two options to unlock: enter master password or click on Use Key to Decrypt. I also had the same thing with LastPass, with my YubiKey being my quick unlock, but no PIN was required as it was in C2. Now that I have spent a day with Bitwarden I am OK with using my PC Hello PIN/Face, but I would much prefer to use my YubiKey.

I chose Bitwarden mostly because C2 is new and did not provide a lot of detail around where and how they store the vault and frankly any details on their security other than the standard encryption statements. I actually really wanted them to self-host on Synology NAS, but they did not have that option. I hope to figure out and use Bitwarden Unified on my Synology NAS, so my migration will be easier starting with the Bitwarden Cloud service. I do find it odd in Bitwarden that you have to have the desktop version to turn on biometric unlock on my PC and other functionality in my Chrome extension. I am not knowledgeable enough to figure out if this is more secure or less, but it seems like the communication required between my extension and a PC application is one more point of failure for being hacked. Perhaps it is the opposite for reasons unknown to me.