I’m currently using the Free version of Bitwarden and using my Yubikey, along with the Yubikey authenticator, as the 2FA to unlock my vault.
If I upgrade to Premium, that will allow me to just plug the Yubikey into a USB port to authenticate, rather than manually retrieving the TOTP code and typing it in, and also improve security via FIDO U2F, correct?
Yes, you can use Yubico’s own authentication mechanism or WebAuthn (FIDO2 successor to FIDO U2F).
I recommend you keep a copy of the 2FA recovery codes, especially if you disable TOTP and have only 1 key.
Will the Android app use my Yubikey directly when logging in as well? Like, enter password then tap the key on the back of the phone (the key supports NFC, and my old password manager did this so I am hoping Bitwarden works the same way).
Well that was a painless conversion to WebAuthn. Works fine on my laptop and phone.
Feeling like I made my security improvement for the day. I’ll go in later and remove the old authenticator app that I have set up.
I use Yubico Authenticator and Yubikeys for sites that accept it. But if I want to enable the TOTP to show in the BW browser extension, how do I do that? The little clock is grayed out, so it’s presently turned off.
Strong recommendation to add new 2FA methods and remove old ones one at a time and slowly. Add the Premium subscription. Then add the Yubikey via WebAuthn. I recommend getting used to the workflow before removing the TOTP method. NB. You can’t access the Mac desktop app via WebAuthn. If you need this access, then consider also adding Yubikey OTP in addition to WebAuthn. And printing the 2FA Recovery Code and exporting the vault is critical before you do any of this, as others have noted.
All good points. Yes the WebAuthn workflow is definitely different!
Actually that begs a question. I had printed out the recovery codes when I first enabled 2FA (using an authenticator app). Now that I’ve switched to WebAuthn, do I need to generate new recovery codes or are they the same?
IIRC even disabling 2FA completely and re-enabling it on the account retains the same recovery code, so you are correct: the only true way to “reset” and get a new account Recovery Code is to actually use the code, which subsequently disables all 2FA methods after use.
WebAuthn is a newer standard, resistant to phishing, which Yubikey OTP is theoretically susceptible to. It works on everything except the desktop app so there’s no reason not to use it. If you also need the desktop app, also set up Yubikey OTP as fallback. WebAuthn is also a bit quicker on signing in.