Unlock Bitwarden with 2FA, e.g. Yubikey (instead of, not in addition to password)

Dear Bitwarden Team: Is there any effort or progress in this topic? Still seeing almost 250 upvotes but nothing happens…

2 Likes

Currently, the only way to force BW mobile authentication via Yubikey is to log out each time, whether manually or automatically, and accept the app factory defaults each time.

Correct. The way BW implemented 2FA is for the second factor (Yubikey or the new passkeys or whatever) to be used only to authenticate the installation of the client on a device. It does not play a role in the encryption key for your vault.

It should be fairly simple to leverage this same principle for the purpose of triggering an “unlock” of your vault, and be able to set clients to require it for use cases where you want a 2FA method to unlock rather than typing a PIN. For mobile it could be a setting for “unlock with biometrics or PIN or 2FA”, and what many are really asking for, is to use a 2FA method to “reprompt for PIN” similar to how we have the current “reprompt for master password” per entry now.

The purpose is and never could be to add an additional protection because the same master password is needed for both decrypting your vault and accessing these entries. So if either point of attack is broken, and your master password compromised, asking for the same already cracked password twice doesn’t matter and won’t slow down the criminals. The real purpose is to stop having to type your master password so freakin’ many times. Every time you have to type it is another chance for it to be compromised, whether by keylogger or shoulder surfer (or a surveillance camera). This is especially true in remote work environments where employers are routinely using key loggers to monitor “productivity”, whether that is an employer device, an employee device or remote VMs.

It would also help security a great deal for all BW clients to have a way to CLEAR the currently displayed entry. That the desktop client retains the current entry and continues to display it after minimizing or entering something else in the search box and has no timeout is just baffling.

I would like to second the idea to allow use of a biometric key for pin unlock

That’s exactly the feature I’ve been looking for and why I subscribed to Bitwarden premium. It’s frustrating that this feature hasn’t been implemented, especially given that people have been asking for it for at least 3 years

I, too, would like the ability to unlock using my Yubikey on the desktop/laptop, in a similar way to how I use a PIN on the android client.

Will the support of passkeys in bitwarden change this?
If bitwarden supports passkeys to login into their service, you could use the yubikey to log in without password

Hi there @l0rdraiden! Yes, passkey support is a piece of moving in this direction. Stay tuned for more over the coming months.

2 Likes

will it be a free or paid feature?

Hi @l0rdraiden, currently Bitwarden is planning to include passkey support for free.

1 Like

Oh gosh. I just bought BW premium and added my yubikeys and I thought I could login everywhere using a yubikey.
I mean I feel safer now anyways but I strongly expected to be able to unlock with a yubikey. For example logging into bitwarden with password and then until the phone shuts down I can use a yubikey to unlock every password usage on every service/website.

Using 60+ digit passwords on websites/services is pretty tedious and if someone steals my yubikey or if I lose one, I can just “kick” it from every service.

Edit: I added yubikeys as 2FA but on my phone, bitwarden is not asking me to 2FA. Desktop is asking me but not my phone???

@sightseeer Welcome to the forum!

Not sure I’m following your commentary, but I can try to help you with this:

Log in to the Web Vault (vault.bitwarden.com or vault.bitwarden.eu, depending on where you registered your account), click on the profile icon (top right) and go to “Account Settings”, then scroll down to the area labeled “Danger Zone” in red, and click on “Deauthorize Sessions”.

When your mobile app gets logged out, log back in. You will need your 2FA every time that you log in on any device, unless you enable the “Remember me” option on that device.

When you lock your Bitwarden app but do not log out, you will not need 2FA to unlock the app. This is normal, as 2FA is only required for logging in, not for unlocking.

1 Like