I’m just trialling bitwarden to migrate from LastPass. On LastPass, my wife & I had one account with two separate identities, making it easy for me to retrieve a password for her if she couldn’t access it herself. It appears bitwarden will handle us more like two unconnected users with different logins which we can switch between, if I understand correctly?
Now, as we’re both longterm YubiKey users, it appears I’ll need a Premium account for these. But if my wife & I need separate accounts (as above), does that mean two separate bitwarden Premium accounts, or that I need the Family Premium account to achieve this, offering up to 6 users?
1 Like
Hello and welcome to the community! 
For a husband and wife setup, people generally create 2 accounts (as the TOS stipulate that you shouldn’t share accounts) and set up a free org or a paid family org to share items between them.
You don’t need paid subscriptions (either premium or family) to use YubiKeys for almost everything, including Passkey 2FA and passkey login with encryption. The only thing about YubiKeys that requires payment is the “Yubico OTP security key,” which you don’t need to use.
If you plan to share a file attached to an item/entry between you two, then you need the family subscription, which allows file sharing. If you don’t need 1) TOTP code generation ability, 2) the ability to attach files to personal items, 3) emergency access, 4) vault health reports, and 5) (rolling-out) active weak/breached/re-used password check, then you don’t need paid subscriptions either.
The features that would place you in different free/subscription buckets include:
- TOTP code generation (paid plans)
- File attachment to individual vault items (paid plans)
- File attachment to org/family items (family plan)
- Emergency access (paid plans)
- Vault health reports (paid plans)
- (rolling-out) active weak/breached/re-used password check (paid plans)
You don’t need paid plans for any typical/recommended 2FA or passkeys.
Note that there are likely to be more features rolling out for paid plans in the near future.
Many thanks for the comprehensive answer! It has raised many questions however. I have a range of YubiKeys:
YubiKey Standard (2010 - Yubico OTP, OATH – HOTP (Event))
YubiKey Neo with NFC (2013 - Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card (PIV-Compatible), OpenPGP, FIDO U2F)
And a brand new 5C NFC (Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card (PIV-Compatible), OpenPGP, FIDO U2F, FIDO2).
Given this detail, are you still sure all these will work without Premium/Family?
I did try last night to add the newest key to the free bitwarden, but without success reading it; however LastPass was popping saying something about PassKeys, so it may be that was interfering with bitwarden reading it. I haven’t uninstalled LastPass yet, I could disable it.
What you say about making an Organization was interesting, but I am puzzled why I would do this? The husband/wife accounts have separate accounts, we don’t share any logins or exchange files etc. We could use the same master password for emergency access for the other (I know, bad). I suppose an Organization would mean I could get the joint bill if we had to go premium, otherwise if free, I’m not sure what this Organization achieves compared to two standalone accounts?
You are right; only the newest one supports FIDO2, and that’s the one you can register for (free) with “Passkey” 2FA. The other two YubiKeys require a premium account. Note also that Windows computers, with Windows Hello enabled, can work as “Passkey” 2FA as well, so it can serve as a “backup.”
Yes, disable LastPass and try registering the newest key again. Passkey 2FA registration usually happens without a glitch.
Org is primarily used for sharing credentials and files that can be updated in one place. If you don’t share credentials or files, then you don’t need an org.
You could use different passwords to increase online security, but write them down and keep them safe and accessible to both of you. An emergency sheet is what you are strongly encouraged to do anyway.
P.S.: Your FIDO2 key (the 5 series) can also be used to “Login with Passkey with Encryption” (usually protected by a PIN) instead of just serving as 2FA for a password. This can also act as a backup login method.
Thanks for the clarification. So we need either Premium bitwarden accounts, or I buy another new series 5 FIDO2 key and stay with free accounts. This begs two questions:
- If we go the premium route, would two such premiums or one family account be better? I’m not sure how the latter works, and whether the member accounts are fully separate or related?
- If we buy a new FIDO2 key to stay free, is bitwarden really going to stay free, or is this more an introductory offer. Because if fees are coming, there’s no point in buying new YubiKeys.
@Neuron5569 and @RMC I’m not sure about that… As was discussed on the forum some time ago, also older (U2F) security keys should work with “passkey”-2FA – see e.g. this post and the linked discussion – so, I would test this with the YubiKey Neo first, before drawing definite conclusions.
1 Like
Thanks @Nail1684, I will test the old ones with LastPass disabled, once bitwarden has accepted the new 5C OK. On the subject of which, you link to a post with the question ‘Will bitwarden be phasing out yubikeys 5c series throughout 2025’. As mine cost over £50 and is a week old from Amazon, I am sincerely hoping the answer to that is No.
No worries. The answer is “No”. (for the foreseeable future)
1 Like
Why do you think that you need Premium accounts (or a Family account, for that matter)? What Premium or Family Plan features do you need (I don’t see any such needs articulated in your previous comments)?
If you do get Premium subscriptions (for at least one year), then you can configure the Emergency Access function for this purpose. If you let your Premium subscription lapse after the first year, then the Emergency Access feature will still work, but you cannot make any changes to what you originally configured (unless you get Premium again).
There was uncertainty by the previous poster as to whether all the YubiKeys would work on the free option. My asking about Premium options was in case that was the only way to make them all work.
I have just tried registering them on the free version. At the point of reading one (an old standard key as a test) a Windows 11 dialogue appears, about saving the PassKey for vault.bitwarden. I have to agree to proceed, and after entry of my windows PIN, it apparently saves that oldest Yubikey.
Thereafter, trying to add other YubiKeys, Windows intervenes as before and after agreement says I don’t need to register this PassKey again. Should Windows be doing this? It’s stopping me running the test I need to of all my keys, in the hope I do not need premium.
Update: The PassKey successfully saves to the new 5C key, but not the older (Standard/Neo) ones. So, if that means Premium, should we be looking at 2x Premium accounts or 1x Family?
The way I read the comments posted above, the only point of confusion in the exchange between @Neuron5569 and @Nail1684 was whether the old YubiKey Neo would work in Bitwarden at all (regardless of whether the account is free or Premium).
If you want to use your 2010 YubiKey Standard as a two-step login factor in Bitwarden, the only way to do so would be using the Yubico OTP method, which does require a Premium subscription. However, Yubico OTP has largely fallen in disuse, and we don’t typically recommend it (especially not as a sole reason for upgrading to Premium).
You’ll need to provide additional detail for us to help with this. Which of your YubiKeys were you testing when this happened? What exactly were you doing in the Bitwarden Web Vault when Windows “intervened”? What was the exact wording of the message about not needing to register the passkey again, and did that message come from Windows or from Bitwarden? Can you post a screenshot of the message?
No surprise about the Standard YubiKey (as explained above). The Neo key might be WebAuthn compatible, which means it may be possible to add it as a two-step login factor using the “passkey” method. I would need to see exactly what you tried before I concur that it doesn’t work.
If your Neo and Standard keys don’t work as passkeys, the only benefit of upgrading to a paid plan would be that you could now register those keys as two-step login factors using the Yubico OTP protocol (which, as I explained above, is not generally recommended).
Since you don’t need to share any vault items with your spouse, getting two Premium accounts would be sufficient.
1 Like
You didn’t save that key; you registered your Windows machine as the passkey (as I mentioned before that you can do for use as a backup). Here are the steps to register a security key on my machine; I hope it’s similar on yours (I never really know about Windows; they seem different from version to version).
2 Likes
… you are talking about the Bitwarden 2FA-“passkeys”, right? (and not the "login-passkeys?)
Thanks for the screenshots. Here are some of mine. I ‘think’ I was doing the same as you show, selecting the key not windows device to store which I may have done the very first time. Weirdly, one of the Neo’s seems to have been accepted by bitwarden, but not the other, and not the oldest pair (standard) which it sounds from comments here are pretty obsolete. Here are the shots, for most keys/triess (except the new 5C) it doesn’t acknowledge a key being present when there is, whether or not the green button is pressed. Just found I can only post one embedded media, will try singly in case that’s OK:
1 Like
Maybe I don’t understand something about your screenshot or text – but that 2FA-passkey wouldn’t be stored on your YubiKey NEO but via Windows Hello.
Like @Neuron5569 showed above, you’d have to click “Change” in that Windows Security dialog/prompt and choose “Security Key” for it to be stored on the YubiKey (and not the Windows device).
Maybe we will see that in the rest of the screenshots (not yet posted by @RMC).
@RMC looking at your account profile, it looks like you are very close to advancing your forum trust level from “New Member” to “Basic Member”, which should give you the ability to embed additional screenshots in your comments. I would suggest spending another few minutes reading comments in topic that you have not already read.
Have you used the Yubikey Manager to confirm that the U2F protocol is enabled on the key that is not working? Do the two Neo keys have different firmware versions?
Hi, I didn’t go away. But just after being told by the site bot that I couldn’t post a few screenshots, I was told that I had also made too many posts for a new user, so must wait 16 hrs before making any more; so I couldn’t even post to say this. A little cautious? Anyway, I am assuming I can post this now. I’ll add the other screenshots I meant to, if the site allows me. But since then, I tried removing all keys then re-adding them, in case of confusion somewhere. I don’t fully understand where Windows Hello features here?
But I found that only the newest 5C YubiKey can be reliably added to the account, so only Premium would presumably enable the older keys. Given the opinions expressed earlier about the older YubiKey OTP protocol, I am thinking of dumping the older keys, and getting another 5C (or two). Paying a Premium fee to keep 10-15 year old tech running seems like the wrong decision. I am slightly worried by that thread linked to earlier suggesting a 5C key might have limited recognition in future; is there another key I should be buying?
Separately, upon logging into bitwarden browser extension today, I was not asked for my new 5C key, the vault opened up with just my password. But logging into the main bitwarden site, it did want and accept my 5C key. Is this right? On LastPass, enabling a YubiKey meant you needed it for browser extension and main vault website. The window on the browser extension where the 5C key is requested resembled the (Windows Hello?) windows captured yesterday, is that right? I don’t know anything about Windows Hello, so can’t say if this is correct behaviour.
I will now try to post the other two screenshots from yesterday, before the bot blocked me out.
The two Neo keys (newer 2 of the 4 old ones) do not allow me to enable FIDO with the Yubikey manager program; remains greyed out. So I guess it’s not possible with any of the four older keys.
The protocol that is being phased out is U2F, which the 5C NFC supports, but the key also supports FIDO2, which is unlikely to be phased out any time soon. You don’t have to worry about this at all. (Plenty of people would be upset otherwise; it is a popular and expensive key.)
All new FIDO keys set up with Bitwarden are registered as WebAuthn keys. If you have a registered FIDO key that is marked (Migrated from FIDO) in the Two-step Login → Manage FIDO2 WebAuthn view of the web app, it is a U2F key and should be removed and re-registered to automatically set the key up with WebAuthn. Bitwarden will begin phasing out support for (Migrated from FIDO) U2F keys in 2025.
Also, remember that your Windows machine (with Windows Hello enabled) WILL serve as a Passkey 2FA. All you have to do is save the Passkey to the Windows device with the “Continue” button X-marked out above. It isn’t going to be as secure as Yubikey, but it may work well enough.
1 Like