A bit of a noob question here, but I haven’t found much clarity elsewhere online. I am storing my passwords (and a couple passkeys) for many of my third-party services in BitWarden, and up to this point, I have used the integrated TOTP codes that many of these services offer as my 2FA method. However, I am planning to purchase a YubiKey 5 to begin using that instead.
My question is if I am able to set up the YubiKey for the third-party accounts through BitWarden (kind of like what had been done for the TOTPs), or if I am supposed to set up the YubiKey within each individual service (of those that support it)?
Is there a particular method that enables the YubiKey to be used with essentially any account that supports 2FA? Is a particular method more secure than another?
What 2FAs are available for a service depends on that service. If a service allows TOTP, BW can handle that for you. If a service allows passkey, BW can handle that for you as well.
In this case, you need to set up the Yubikey as a 2FA, or as a passkey authenticator, for each service that allows it. For example, try setting up the Yubikey as the “Physical security keys” for this site. Don’t forget to retrieve and keep 2FA recovery codes, just to be safe. For sites that don’t allow FIDO2/security key as a 2FA, there is no way to force it. Some sites will allow using multiple keys, and some sites may only allow one.
I think some(?) Yubikey models can be used along with an app as a TOTP authenticator, but since you are already using BW as your TOTP authenticator, you may not absolutely need this function. Or you may want to generate your TOTP codes for your important accounts outside of BW; in this case, you may be able to use the authenticator.
FIDO2 for 2FA or passkey authenticator on a security key is the best 2FA authentication you can have, because it cannot be phished, and the secrets held by the key are almost impossible to breach. TOTP is the next best thing, but it can be phished, and used by the attacker if they are quick.
Theoretically, you should have multiple Yubikeys for backups, but your Windows PC and Android phone can be used as FIDO2 keys as well, so the backups aren’t absolutely needed.
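To make the "cannot be phished" point in the reply above concrete, here is an added example that is not part of the thread or of Bitwarden's or Yubico's code. It implements RFC 6238 TOTP with the standard library and a simplified relying-party check of a WebAuthn assertion: the TOTP code depends only on the shared secret and the clock, so it verifies no matter which site collected it, while the WebAuthn assertion embeds the browser-reported origin and the rpIdHash, so an assertion produced for a lookalike origin fails verification. The credential secret, challenge and hostnames are constructed; the HMAC stands in for the authenticator's asymmetric signature so the script runs offline (an assumption, labelled in the code).

```python
"""Constructed comparison: TOTP (no origin binding) vs. a WebAuthn-style
assertion check (origin bound). Standard library only."""
import base64
import hashlib
import hmac
import json
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code is a function of the secret and
    the time step only; nothing ties it to the site where it is typed."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side TOTP check accepting +/- `window` steps of clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * d), code)
               for d in range(-window, window + 1))


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(cred_secret: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """Simulated security key response. clientDataJSON carries the origin the
    browser reported; authenticatorData carries rpIdHash and flags; the
    signature covers authenticatorData || SHA-256(clientDataJSON).
    Assumption: HMAC-SHA256 stands in for the key's ECDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = rp_id_hash(rp_id) + b"\x05" + b"\x00\x00\x00\x01"  # flags UP|UV, counter=1
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_secret: bytes, expected_rp_id: str, expected_origin: str,
              expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, user-presence flag, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:  # the phishing-resistance check
        return False
    ad = assertion["authenticatorData"]
    if ad[:32] != rp_id_hash(expected_rp_id):
        return False
    if not ad[32] & 0x01:  # user presence not asserted
        return False
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Constructed scenario: a TOTP code verifies even when entered on another
    site, while a WebAuthn assertion for a lookalike origin is rejected."""
    totp_secret = b"12345678901234567890"  # RFC 6238 test secret (constructed use)
    now = int(time.time())
    code = totp(totp_secret, now)
    cred = b"constructed-credential-secret"
    challenge = base64.urlsafe_b64encode(b"constructed-challenge").decode()
    genuine = authenticator_sign(cred, "example.com", "https://example.com", challenge)
    # A browser only lets an authenticator sign for an rpId matching the page's
    # origin, so a lookalike site gets an assertion for its own origin and rpId.
    lookalike = authenticator_sign(cred, "examp1e.com", "https://examp1e.com", challenge)
    return {
        "totp_relayed_code_accepted": totp_valid(totp_secret, code, now + 10),
        "webauthn_genuine_accepted": rp_verify(cred, "example.com", "https://example.com", challenge, genuine),
        "webauthn_lookalike_accepted": rp_verify(cred, "example.com", "https://example.com", challenge, lookalike),
    }


if __name__ == "__main__":
    print(demo())
```

The origin and rpIdHash comparisons in rp_verify are what the reply means by "cannot be phished": the relying party never accepts an assertion that was created for a different hostname, whereas totp_valid has no input on which such a check could be made.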
Thank you @Neuron5569! The FIDO2 method that you mentioned, is that the same thing as WebAuthn authentication? When setting up YubiKey with a service, how would I know whether it’s using FIDO2?
Yes, FIDO2 encompasses more protocols than WebAuthn, but they are often used almost equivalently. The terms for a FIDO2 key include: FIDO2 key, WebAuthn key, and security key. An oddball is Bitwarden 2FA: when setting up your key as 2FA, select “Passkey.” For BW, you may need to choose to use the key as a “real” passkey (without additional 2FA), or as a 2FA (requiring the password); somebody mentioned that it cannot be used for both(?), which if true, would be an oddity.