Unlock with FIDO2/“passkeys”

Dear Bitwarden Team: Is there any effort or progress in this topic? Still seeing almost 250 upvotes but nothing happens…

2 Likes

Currently, the only way to force BW mobile authentication via Yubikey is to log out each time, whether manually or automatically, and accept the app factory defaults each time.

Correct. The way BW implemented 2FA is for the second factor (Yubikey or the new passkeys or whatever) to be used only to authenticate the installation of the client on a device. It does not play a role in the encryption key for your vault.

It should be fairly simple to leverage this same principle for the purpose of triggering an “unlock” of your vault, and be able to set clients to require it for use cases where you want a 2FA method to unlock rather than typing a PIN. For mobile it could be a setting for “unlock with biometrics or PIN or 2FA”, and what many are really asking for is to use a 2FA method to “reprompt for PIN” similar to how we have the current “reprompt for master password” per entry now.

The purpose is not and never could be to add an additional protection, because the same master password is needed for both decrypting your vault and accessing these entries. So if either point of attack is broken, and your master password compromised, asking for the same already cracked password twice doesn’t matter and won’t slow down the criminals. The real purpose is to stop having to type your master password so freakin’ many times. Every time you have to type it is another chance for it to be compromised, whether by keylogger or shoulder surfer (or a surveillance camera). This is especially true in remote work environments where employers are routinely using key loggers to monitor “productivity”, whether that is an employer device, an employee device or remote VMs.

It would also help security a great deal for all BW clients to have a way to CLEAR the currently displayed entry. That the desktop client retains the current entry and continues to display it after minimizing or entering something else in the search box and has no timeout is just baffling.

1 Like

I would like to second the idea to allow use of a biometric key for pin unlock

1 Like

That’s exactly the feature I’ve been looking for and why I subscribed to Bitwarden premium. It’s frustrating that this feature hasn’t been implemented, especially given that people have been asking for it for at least 3 years.

I, too, would like the ability to unlock using my Yubikey on the desktop/laptop, in a similar way to how I use a PIN on the android client.

Will the support of passkeys in bitwarden change this?
If bitwarden supports passkeys to log in to their service, you could use the yubikey to log in without password.

Hi there @l0rdraiden! Yes, passkey support is a piece of moving in this direction. Stay tuned for more over the coming months.

2 Likes

Will it be a free or paid feature?

Hi @l0rdraiden, currently Bitwarden is planning to include passkey support for free.

1 Like

Oh gosh. I just bought BW premium and added my yubikeys and I thought I could login everywhere using a yubikey.
I mean I feel safer now anyways but I strongly expected to be able to unlock with a yubikey. For example logging into bitwarden with password and then until the phone shuts down I can use a yubikey to unlock every password usage on every service/website.

Using 60+ digit passwords on websites/services is pretty tedious and if someone steals my yubikey or if I lose one, I can just “kick” it from every service.

Edit: I added yubikeys as 2FA but on my phone, bitwarden is not asking me to 2FA. Desktop is asking me but not my phone???

1 Like

@sightseeer Welcome to the forum!

Not sure I’m following your commentary, but I can try to help you with this:

Log in to the Web Vault (vault.bitwarden.com or vault.bitwarden.eu, depending on where you registered your account), click on the profile icon (top right) and go to “Account Settings”, then scroll down to the area labeled “Danger Zone” in red, and click on Deauthorize Sessions.

When your mobile app gets logged out, log back in. You will need your 2FA every time that you log in on any device, unless you enable the “Remember me” option on that device.

When you lock your Bitwarden app but do not log out, you will not need 2FA to unlock the app. This is normal, as 2FA is only required for logging in, not for unlocking.

1 Like

It would also be nice to be able to do it with not only YubiKeys but passkeys as well, it would balance the security and convenience factors for me because I keep my YubiKey and phone BOTH on me at all times.

1 Like

I can’t believe this is such an old topic! I can do with PIN and Windows Hello but still not another method like Duo? It would be nice to know if someone is trying to access my timed-out BitWarden at home with a push notification.

Root Problem

It’s recommended that my master password has high entropy, which makes it hard to type every time I need to access my secrets. It’s fine to type it once to login but I don’t want to type it every time to unlock the app.

Issues with PIN

A PIN is basically a shorter password to encrypt your longer password, which reduces the security of the whole account and compared to modern 2FA tools, it’s not very convenient either.

Issues with Windows Hello

Windows Hello is terrible on traditional desktop apps. See HackerOne from last year for context about why they put the “also use PIN?” prompt to the app. Going UWP seems like a possible solution to make Windows Hello safer, but this doesn’t seem to be on the roadmap.

Why hardware keys?

Using my YubiKey to unlock (again, not login, which would require both my master password and a 2FA method; I’m specifically talking about unlocking a logged-in account here) would keep my master password way more secure from malicious applications.

Windows already has its own security mechanism to access the user account, that is, either PIN (Knowledge) or Windows Hello (Inherence). So, the best unlock mechanism Bitlocker can implement to complement Windows is to support hardware keys (Possession).

2 Likes
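As an added illustration of the “PIN is a shorter password that encrypts your longer password” point in the post above (example code written here, not Bitwarden’s own implementation or storage format): the vault key is wrapped under a key derived from the PIN, so whoever holds the wrapped blob only has to guess the PIN, not the master password. The wrapping scheme, iteration count and blob layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed scheme (not Bitwarden's real format):
#   wrap_key = PBKDF2-HMAC-SHA256(pin, salt, ITERATIONS), split into enc_key || mac_key
#   blob     = salt || (vault_key XOR keystream(enc_key)) || HMAC-SHA256(mac_key, salt || ciphertext)
ITERATIONS = 100_000
VAULT_KEY_LEN = 32  # one SHA-256 output covers the whole key, so a single keystream block suffices


def derive_wrap_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)


def _keystream(enc_key: bytes) -> bytes:
    return hashlib.sha256(enc_key + b"keystream").digest()


def wrap_key(vault_key: bytes, pin: str) -> bytes:
    """Protect the (long, random) vault key under a PIN; returns the blob a client would store."""
    assert len(vault_key) == VAULT_KEY_LEN
    salt = os.urandom(16)
    enc_key, mac_key = derive_wrap_key(pin, salt)[:32], derive_wrap_key(pin, salt)[32:]
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(enc_key)))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()  # encrypt-then-MAC
    return salt + ct + tag


def unwrap_key(blob: bytes, pin: str):
    """Return the vault key if the PIN is right, else None (wrong PIN or tampered blob)."""
    salt, ct, tag = blob[:16], blob[16:16 + VAULT_KEY_LEN], blob[16 + VAULT_KEY_LEN:]
    wk = derive_wrap_key(pin, salt)
    enc_key, mac_key = wk[:32], wk[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key)))


def candidate_space(secret_length: int, alphabet_size: int) -> int:
    """Number of guesses an offline attacker with the blob must cover: the PIN's space, not the key's."""
    return alphabet_size ** secret_length


def demo() -> bool:
    vault_key = secrets.token_bytes(VAULT_KEY_LEN)   # constructed sample key
    blob = wrap_key(vault_key, "4821")               # constructed sample PIN
    return unwrap_key(blob, "4821") == vault_key and unwrap_key(blob, "0000") is None
```

Note that `candidate_space(4, 10)` is 10,000 while a 20-character master password drawn from 95 printable characters is 95**20, which is why the PIN, once the blob is at hand, bounds the whole account's strength.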

Just to add on top: Windows Hello is, obviously, a Windows-only solution, meanwhile Bitwarden is supported and relatively popular on Linux and Mac as well. While there is a system authentication dialog in the native app, it’s not as strong as Windows Hello, at least on Linux, since Polkit doesn’t support biometrics by itself; I can’t tell how it works on Apple systems. It would be nice to see a more secure method than PIN available across the board.

This. Also signed up for premium expecting to be able to use my security keys for accessing my vault using the desktop application, and web browser extension (biometrics are fine for me on android).

Ended up cancelling my premium, though I am otherwise enjoying Bitwarden. I hope they implement this in the future - at which point I’ll sign up for premium again.

2 Likes

@go12 so, are the BETA passkeys also supported to unlock the Chrome Extension? I don’t see an option to do this at the moment and it’s also not mentioned on that page.

It works indeed to “Log in using passkey” on bitwarden.com using YubiKey.

1 Like

No, passkeys can only be used for login, not for unlocking. And passkeys cannot be used for logging in to the browser extension.

And is it in the roadmap to support this? What is the (security) reason I cannot use my hardware key to unlock the vault in Chrome Extension and that I need Desktop app for that? That’s why Chrome supports WebAuthN…

So I can log in to bitwarden.com using them (which is unlocking the vault as well) and I can do everything there, but I cannot just use the vault in the browser extension - that sounds silly - that’s why I’m curious if that’s a security issue/approach or a (soon) coming feature?

Are we waiting for the browser extensions support for this?

You can’t log in or unlock using passkeys in the Bitwarden Desktop app either. To my knowledge, there is no deliberate decision to not support passkey use for authorization in the browser extension or Desktop app, but rather there are technical constraints that prevent this.

1 Like