Yubikey and upgrading from Free to Premium

I’m currently using the Free version of Bitwarden and using my Yubikey, along with the Yubikey authenticator, as the 2FA to unlock my vault.

If I upgrade to Premium, that will allow me to just plug the Yubikey into a USB port to authenticate, rather than manually retrieving the TOTP code and typing it in, and also improve security via FIDO U2F, correct?

Yes, you can use Yubico’s own authentication mechanism or WebAuthn (FIDO2 successor to FIDO U2F).
I recommend you keep a copy of the 2FA recovery codes especially if you disable TOTP and have only 1 key.

Yes I have a copy of the recovery codes and will make an encrypted backup of my vault.

I assume I should first disable 2FA from my account, then upgrade to Premium, then add 2FA back in?

Not exactly.
When I added the “premium” subscription (only $10 pa) to my account, it just enables the extra 2FA options. Then make any changes you want to.

Safer to add Webauthn first, before disabling the old 2FA.

Ok so make backup, upgrade account, enable Yubikey U2F for 2FA, then after I’ve tested and verified that it’s working correctly, disable the Yubikey TOTP authentication.

Thanks.

Will the Android app use my Yubikey directly when logging in as well? Like, enter password then tap the key on the back of the phone (the key supports NFC, and my old password manager did this so I am hoping Bitwarden works the same way).

That is how the NFC works for me on Bitwarden (enter password, tap the key on the back of the phone).

Well that was a painless conversion to WebAuthn. Works fine on my laptop and phone.
Feeling like I made my security improvement for the day. I’ll go in later and remove the old authenticator app that I have set up.

I use Yubico Authenticator and Yubikeys for sites that accept it. But if I want to enable the TOTP to show in the BW browser extension, how do I do that? The little clock is grayed out so it’s presently turned off.

  1. You need a Premium subscription.
  2. You need to enter the TOTP seed in the “TOTP Authentication Key” field.

I am a premium user. Not sure about step 2. Is there a link to it?

Yes, see the documentation about Bitwarden Authenticator.

Strong recommendation to add new 2FA methods and remove old ones one at a time and slowly. Add Premium subscription. Then add Yubikey via WebAuthn. Recommend to get used to the workflow before removing the TOTP method. NB. You can’t access the Mac desktop app via WebAuthn. If you need this access then consider also adding Yubikey OTP in addition to WebAuthn. And printing the 2FA Recovery Code and exporting the vault are critical before you do any of this, as others have noted.

All good points. Yes the WebAuthn workflow is definitely different!

Actually that begs a question. I had printed out the recovery codes when I first enabled 2FA (using an authenticator app). Now that I’ve switched to WebAuthn, do I need to generate new recovery codes or are they the same?

You don’t have to, the recovery code remains the same. Actually, the only way to change it is to use it!

IIRC even disabling 2FA completely and re-enabling on the account retains the same recovery code, so you are correct the only true way to “reset” and get a new account Recovery Code is to actually use the code, which subsequently disables all 2FA methods after use.

I have noticed that a number of posters have suggested setting up the YubiKey via the WebAuthn option rather than directly with the YubiKey option. Is there a reason for that?

WebAuthn is a newer standard, resistant to phishing, which Yubikey OTP is theoretically susceptible to. It works on everything except the desktop app so there’s no reason not to use it. If you also need the desktop app, also set up Yubikey OTP as fallback. WebAuthn is also a bit quicker on signing in.