I’ll start off by saying I only know the very basics when it comes to encryption, so explain like I’m 5.
It’s my understanding that 2FA is currently only used for downloading the vault, and only the master password is used for actually encrypting it.
While this is certainly beneficial for general security, it does nothing should Bitwarden’s cloud server ever be compromised.
I would like the ability to (optionally, of course) use hardware 2FA (YubiKey, open key, etc.) to encrypt the vault itself in addition to the master password.
Essentially, I want to use a hardware 2FA device in the same manner as 1Password’s “secret key”.
This essentially gives me 2 “passwords”. One I know, which is limited by my human memory, and one I keep, which isn’t limited and can be vastly more complex. I can’t help but think this would be vastly more secure, should my vault ever get stolen somehow.
As for how I imagine it would work: you would enter your password and then be asked to either tap an NFC key (if you were on a phone, for example) or insert/tap the USB dongle to log in. Pretty seamless UI experience at least.
Is this something that could be added to Bitwarden?
While I wouldn’t be interested in doing so, I imagine it would also be fairly simple to implement at the same time the option of ONLY using the hardware device.
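To make the “two passwords, one known and one kept” idea concrete, here is an added example of how a client could combine a memorised master password with a secret that only a hardware token holds, so that a stolen vault cannot be unlocked with the password alone. This is illustrative code written for this page, not Bitwarden’s, 1Password’s or any vendor’s implementation. It assumes a YubiKey-style HMAC-SHA1 challenge-response slot (modelled by the `SimulatedHardwareKey` class), PBKDF2 for password stretching, and HKDF to mix the two inputs; the iteration count, domain strings and vault record layout are assumptions chosen for the demonstration.

```python
"""Added illustration: a vault key derived from BOTH a master password and a
hardware-token secret. Not Bitwarden/1Password code; all names are assumptions."""
import hashlib
import hmac
import secrets


class SimulatedHardwareKey:
    """Stand-in for a token holding a 20-byte secret that only ever answers
    HMAC-SHA1(secret, challenge). The secret itself never leaves the device,
    so an attacker with the vault file cannot reproduce its responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK from the input keying material,
    then expand it to `length` bytes bound to the `info` label."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, salt: bytes, challenge: bytes,
                     token: SimulatedHardwareKey, iterations: int = 100_000) -> bytes:
    """The 'known' part is stretched with PBKDF2; the 'kept' part is the
    token's response to a per-vault challenge. Both feed one HKDF call, so
    neither input alone yields the key (iteration count is an assumption)."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    device_part = token.challenge_response(challenge)
    return hkdf(ikm=stretched + device_part, salt=salt, info=b"vault-key-v1")


def create_vault(password: str, token: SimulatedHardwareKey) -> dict:
    """Everything stored here is public if the vault is stolen: salt,
    challenge and a key-check value used to confirm a correct unlock."""
    salt = secrets.token_bytes(16)
    challenge = secrets.token_bytes(64)
    key = derive_vault_key(password, salt, challenge, token)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "challenge": challenge, "check": check}


def unlock_vault(vault: dict, password: str, token: SimulatedHardwareKey) -> bool:
    """Returns True only when password AND token response are both right."""
    key = derive_vault_key(password, vault["salt"], vault["challenge"], token)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, vault["check"])


def offline_guess(vault: dict, wordlist: list, token: SimulatedHardwareKey):
    """What an attacker holding a stolen vault can try: guess passwords.
    With the wrong (or no) token the correct password still fails."""
    for candidate in wordlist:
        if unlock_vault(vault, candidate, token):
            return candidate
    return None


if __name__ == "__main__":
    real_token = SimulatedHardwareKey(secrets.token_bytes(20))
    vault = create_vault("correct horse", real_token)
    print("owner unlock:", unlock_vault(vault, "correct horse", real_token))
    attacker_token = SimulatedHardwareKey(secrets.token_bytes(20))
    print("stolen vault, right password, wrong token:",
          offline_guess(vault, ["password", "correct horse"], attacker_token))
```

The point the owner’s request makes is visible in `offline_guess`: the attacker’s wordlist contains the real master password, yet without the token’s response every candidate derives the wrong key, so the weak link (human-memorable password) is no longer sufficient on its own. The trade-off to keep in mind is that losing the token loses the vault unless a recovery copy of the device secret is kept somewhere.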