Would using hardware 2FA justify short(er) master password?

95% of my Bitwarden use is via the Firefox extension on a desktop in my home office. Hypothesis: using a Yubikey or similar device for 2FA for Bitwarden would justify using a shorter – less secure – master password than not using it. True, false, or “it depends”?

Hi @brec and welcome to the Community!

I would say “false” for a couple reasons:

  1. If a bad actor breaks into Bitwarden’s cloud servers and steals all the Vaults, then he would be able to bypass 2FA and try to break just your password. This is what happened in the recent Lastpass incident.
  2. Your Vault is sometimes encrypted locally when your Vault is locked on your device. If a bad actor could get access to your device, then he could download the encrypted Vault and bypass 2FA.

I think of 2FA as an extra level of security, but your Master Password is your main and most important level of security.

1 Like

Correction: A copy of your encrypted vault is always present on your device, until you completely log out of every instance of Bitwarden that is installed on the device.

@brec Welcome to the forum! The answer to your question is “false”, unless you are convinced that Bitwarden’s servers will never be breached and that your devices will never be stolen or compromised. 2FA mainly protects against credential stuffing attacks (i.e., when you have reused login credentials on multiple sites, and one of those sites is breached, then your stolen password can be used to access all other accounts that use the same password) and active or passive disclosures of the master password (e.g., master password entry observed by shoulder surfing, or master password disclosed to a trusted individual who later abuses that trust).

Yubiko strongly implies that WebAuthn’s public-private key security is a replacement for passwords for user authentication.

…But even if so, that wouldn’t address the risk of the purloined encrypted vault. In the convenience vs. security balance, the risks of such purloining would be a factor.

@brec In Bitwarden, the master password is used for two distinct purposes:

  1. To authenticate the user to Bitwarden’s servers (by verifying the provided login email, master password, and optionally, some form of 2FA). An authenticated user is able to download an encrypted copy of the vault contents, along with an encrypted (“protected”) version of the account encryption key; this is done automatically by the Bitwarden client upon successful authentication. An authenticated user can also add or edit vault items, and push those changes to the cloud database.

  2. To derive a master key that is used to encrypt/decrypt the protected account encryption key (which is then used to encrypt/decrypt vault contents).

It may be possible to replace the authentication process (Purpose #1 in the list above) by a passwordless protocol (as suggested in the WebAuthn documentation that you linked), but this would not replace the encryption process (Purpose #2 in the list above), which would still require a master password password.