I’m considering getting some YubiKeys for the first time and had some questions.
My setup: I use Bitwarden as my password manager and Ente for 2FA. I want to add 2FA protection to my Bitwarden account but I’d rather not use Ente for these purposes in case I lose my phone. I of course have the codes backed up on a server in my apartment, but I’m more concerned about traveling and not having access.
So I was considering using YubiKeys only for Bitwarden as my 2FA. I figured I’d carry one on me, have one in a safe at home, and maybe another in my parents’ safe in their home. So this would be used to log in to my Bitwarden vault.
My questions:
- I see YubiKey makes several different keys. Given my use case above, and needing NFC and USB, which key would I need?
- Is there any option to protect the key with a code? So for example: I go to unlock Bitwarden on a new device. I enter my Master Password and then when it prompts for 2FA, I connect my YubiKey. Is there any way to require a code to utilize the key?
Anything else I should consider?
Get the 5C; it has the most compatibility for connectivity.
You need to press/touch the metal part of the YubiKey for it to acknowledge that you want to activate the 2FA. Think of it as a 1 key code. You have to touch it for it to work, otherwise the machine it is connected to doesn’t get the code. You don’t need to do this for NFC though, only for when it is inserted in the USB slot, because doing the NFC is a conscious effort.
Thank you! Good to know that I can use a PIN, and I’ll try out the model you suggested.
When you say the 5C has the most compatibility for connectivity, what do you mean?
It means it will work on iPhones and Android (via NFC) as well as desktop systems (Windows/Linux/macOS via USB).
But don’t the 5C and the Security Key C NFC support both NFC and USB like @phnx is suggesting?
There are two models, the 5C without NFC and the 5C with NFC. There are also Type-A USB models, with and without NFC, as well as a Type-C and Lightning connector option without NFC.
I’d recommend the 5C with NFC or the Type-A USB with NFC.
Any reason to go with a 5 series over a Security Key? They both support USB and NFC.
That depends on what methods of authentication you want to use with your hardware key.
The Security Key C only supports FIDO2/WebAuthn (hardware bound passkey) and FIDO U2F authentication protocols.
The 5 Series supports FIDO2/WebAuthn (hardware bound passkey), FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV) and OpenPGP.
Typically FIDO2/WebAuthn is sufficient for most users and should cover 99% of regular authentication cases. It should be completely sufficient for your use case of Bitwarden second factor for login/authentication.
I ended up getting a Yubico security key and was experimenting with getting it set up on my Bitwarden account and attempting to access the account from different devices.
At first, I assumed I would set it up in the Yubikey section of my account, but that didn’t work. It only seemed to work if I added it to the Passkeys section.
Next, I found that while it seems to work with my iPhone, and I was prompted for WebAuthn, it didn’t seem to work with the Bitwarden Desktop app, or on the Mullvad Browser. In both cases, it only prompts me for traditional 2FA codes.
Is this expected? A little concerning that it might not work in certain instances.
I did end up getting a Security Key from Yubico, and using the Yubico Authenticator, I did set a PIN. However, when I set up the key as my MFA WebAuthn key for Bitwarden, Bitwarden doesn’t prompt me for the PIN when asking for the key.
Is there anything additional I need to do?
Great, that worked for me. Thanks!