I am after a way for my elderly parents to log into their Bitwarden easier. I was looking at putting a YubiKey or something similar on their laptop so all they have to do is press the button to log into their vault. I understand the risks but the chances of their laptop being stolen where they are is very low, I just want to make it easier for them to log in. Would a YubiKey (and what version) or a similar device be best to do this, where they just press the button and the vault will log in with a master password? I currently have the PIN set up but something that they can just physically push would be a lot more simple for them. Thanks.
Hello,
YubiKey (Passkey) can only be used to log into the web vault at the moment, not the browser extension, desktop app, or mobile app. Some such features are on the roadmap, but it isn’t clear when.
If you don’t have to worry about malware/scams and their computer getting stolen (definitely use BitLocker!), you have more options. For example, Login with Device for both login and approval is available on all clients now. All you have to do is configure the browser extension to “Logout” on “Browser restart” and ask them to never shut down the browser (and maybe even the computer—just sleep or hibernate).
Then, logging in may be minimal (when you restart the browser or the computer), which they can do via Login by Device. They can approve their own logins, perhaps from the mobile which is set up to not log out by default (but do use biometrics), and even if they fumble, if you have a YubiKey set up with their vault passkey, you’ll be able to log in with the passkey and approve the login for them.
This is one possibility, probably with many variations. Others may suggest more alternatives.
The Bitwarden Web Vault does support “Login with Passkey”, and you can use any YubiKey model to authenticate this way, as long as the operating system and browser support something called “PRF” (e.g., Windows 11 and modern Chromium-based browsers work well).
However, I should clarify that the above authentication method (“Login with Passkey”) only works when the account is logged out — not for a locked vault — and it does not cause the master password to be transmitted by the key. If you get a Series 5 YubiKey, you can configure it to emit a static password string stored in one of two “slots”, which are activated by a short (~1-sec) or long (~5-sec) press of the YubiKey contact pad, respectively. Perhaps this is something that you could explore.
One benefit of using the static password slots is that they could potentially be used also for unlocking a locked vault — by emitting a PIN and/or the master password at the unlock prompt.
Also, as already noted by @Neuron5569, the first method (“Login with Passkey”) only works for the Web Vault (although Bitwarden is currently working on making this functionality available also in some of the other client apps). The second method (static password) should work for any Bitwarden app (as long as the device can accept USB inputs from the YubiKey).