⭕Bitwarden
Useful information related to setting up your Yubikey with Bitwarden.
Last updated
Useful information related to setting up your Yubikey with Bitwarden.
Last updated
This tutorial requires one device of any in the following categories:
The primary authentication method that Bitwarden utilizes is a simple email and password. However, Bitwarden does support security devices such as the Yubikey.
In order to add a Yubikey to your Bitwarden vault, you must have a Premium account.
You can read a description for all of them below.
Type
Service
Self-Hosted
Premium Features
Free
Open-source
Yubikey Support
Bitwarden Client Support
Difficulty
To host your own Bitwarden server on a spare computer or virtual machine, you can use Vaultwarden as an alternative. However, since Vaultwarden does not store your vault data on Bitwarden's servers; you are responsible for the security. The machine you host Vaultwarden on is the machine that will store your vault data. If your Vaultwarden server is compromised, it's game over.
Should you decide on a self-hosted Vaultwarden solution, all the features of Bitwarden will be available. Including the ability to utilize a Yubikey to secure your account. However, on Vaultwarden, these Premium features are free.
If using Bitwarden, please remember that you must have a premium account in order to add two-step authentication such as a Yubikey. Otherwise, these features will be greyed out.
On upper-right side, locate circular avatar with a dropdown arrow and click.
From here, select Account Settings.
Locate Account Settings menu on the left and select Security.
Middle of screen, select Two-step Login.
Center screen, you should see a list of providers you can use for Two-step Authentication.
Authenticate with Yubikey's OTP feature. By default, when you press the gold button on your Yubikey, a generated string is spit out. You will need to touch your key and provide the generated Yubikey passcode each time you sign in. This method requires SLOT 1 of your Yubikey to be configured for OTP.
Generated string looks similar to: vvcccacrtduerauianecrdrfakitaigitkglfutbvngn
This is the most recommended method for two-step login. It is secure, and is the most recent FIDO protocol. it is made up of two components:
CTAP: Client to Authenticator Protocol
WebAuthn: WC3 Web Authentication
Allows you to access your Bitwarden account by confirming your login via an email. This is not secure compared to other providers.
If you decide to enable multiple providers for two-step authentication, please be aware that Bitwarden will determine which one to use based on priority that is internally programmed. The following is the order of priority:
Your master password is the main password you use to login to your Bitwarden account. It is what gives access to your vault all-together.
Ensure that your master password is completely different from any other password you have used for any website or service. It must be something that cannot be leaked, and it must be strong.
If you use the same password for both Bitwarden and a website such as "Kinky Midget Kingdom" and the website ends up suffering a data breach, your Bitwarden vault password is potentially at risk because of a website that is completely unrelated to Bitwarden due to carelessness on the companies' part. If the password on the website is not stored using a hash, or is stored in the website's database as a plain-text field, the password will now be available for all to see and it is only a matter of time before they match your email address and password to any other service that you may use the same credentials for.
Should you use the same password for multiple layers of security, this defeats the purpose of those layers.
Bitwarden is a password management software title that stores sensitive information such as website credentials in an encrypted vault.
For pricing, visit the Bitwarden Pricing Chart.
For documentation, visit the Bitwarden Help Center.
Just wondering what provider you should use for two-step? we recommend FIDO2 / Webauthn or DUO.
Vaultwarden is an unofficial self-hosted version of Bitwarden. It is compatible with the official Bitwarden clients, and is ideal for self-hosted deployments where running the official resource-heavy service is undesirable.
Login to your Bitwarden / Vaultwarden account.
Authenticate using programs such as Microsoft Authenticator or Authy. When signing into Bitwarden, you will be asked to open your authenticator app and copy a code which you will then paste into Bitwarden to finish signing in. For instructions on setting up an Authenticator app, visit the Bitwarden documentation.
This feature communicates with Yubico OTP validation servers. Your Yubikey OTP must be registered with their servers in order to work. You can test this on the official Yubikey OTP Demo page.
All Yubikey devices shipped brand new are registered with Yubikey's OTP server. However, if you re-configure SLOT 1 of your Yubikey using the Yubikey Manager application, you must re-configure SLOT 1 with OTP and register your new key with their servers.
This is more secure than email, but still vulnerable to phishing. It's recommended to use FIDO2 / Webauthn over this.
For instructions on setting up Yubikey OTP, please visit the official Bitwarden documentation.
This method requires you to register an account with DUO.
DUO is a secure method for two-step authentication, however, FIDO2 / Webauthn is far less complicated according to some people. This is all based on your own perspective.
For detailed instructions on setting up DUO, visit the official Bitwarden documentation.
For detailed instructions on setting up FIDO2 WebAuthn, visit the official Bitwarden documentation.
If you've like to learn about FIDO2, head over to our .
This method is now deprecated and only available on older version of Vaultwarden. You should not use this. FIDO2 / WebAuthn is far superior and more recent technologies.
Two-step login via email is not recommended if you are using login with SSO, as using multiple methods will cause errors. Consider setting up two-step login via a free authenticator instead.