My employer is looking for a Password Manager solution and we’re currently comparing the major ones. Most of them seem to have one missing piece though, and I was hoping someone could tell me how Bitwarden solved the following scenario:
Your company’s IT department is an external company, for example, and can remote into your machine (or a bad actor once they have been breached), log the master password by installing a keylogger, and unlock the vault on the same machine while you’re away. This leads to all your passwords being compromised.
I saw that Bitwarden supports FIDO2 authentication using a YubiKey, but is that only used for authenticating the machine once on setup (like 1Password), or does it require the key every time you unlock the vault? Can you set it up so you need a PIN/password and the key every time to unlock?
Am I correct to assume that the encryption of the local vault is done using the master password and a machine-specific secret, to prevent moving the vault to another machine and decrypting it using a possibly compromised master password? Or did Bitwarden go all out and re-encrypt the vault with the security key on top of that?
The FIDO2 key is currently used to authenticate you for downloading your vault, i.e. logging in. It is not used for decryption, or for unlocks in combination with PIN or biometrics. If you are not logged out, you are not asked to supply the FIDO2 key again. You cannot set it up to use the FIDO2 key with PIN/biometric unlock.
You can set up BW to log out after some period of time, hence requiring the master password/FIDO2 key (without the “remember me” option). This has the drawback of being slower in terms of workflow and possibly KDF computation. You would also have the risk of the vault not being accessible during the maintenance period (about monthly or bimonthly). I personally think a slower/interrupted (during maintenance) workflow would pretty much hinder using BW for your use case.
BW vault is encrypted by an encrypted symmetric key stored in your vault. The symmetric key is protected by a password derived key. If someone has your master password and your encrypted vault, they theoretically can decrypt the vault on any machine, knowing the algorithm that Bitwarden uses to derive the key.
Generally, these password managers cannot protect you if you have malware or people with password access to your machines. If they can install a keylogger, they can exfiltrate your vault, read your unencrypted memory, copy from the clipboard, etc. Malware on an unrooted Android will be able to do less. You shouldn’t expect comprehensive (for some, any) malware protection on a Windows machine; all you get is coincidental protection because the malware isn’t sophisticated enough or hasn’t had enough time.
Your PWM being compromised doesn’t have to mean your credentials being completely compromised. Use a FIDO2 security key for 2FA everywhere possible. Keep the TOTP code generation function outside of BW and on the phone. Someone/malware with access may still have your access tokens, but they may be harder to use, and may be easier to revoke in some cases.