How to configure Two-Step Login via FIDO2 WebAuthn in Bitwarden

Bitwarden password manager users who want to step up the security may configure two-step login via FIDO2 WebAuthn. The feature is not available for all users or in all Bitwarden apps.

This document is designed for Bitwarden users who want to understand what FIDO2 WebAuthn is, how it differs from traditional two-factor authentication systems, and how to set it up on Bitwarden.

First, WebAuthn is short for Web Authentication, which is a core feature of FIDO2. FIDO2 is an API that web services and applications may utilize FIDO-based authentication. Included as part of the API is support for FIDO security keys, and that is exactly what Bitwarden supports.

FIDO promises higher security, and it eliminates the "risks of phishing, all forms of password theft and replay attacks".

The security feature is optional and Bitwarden users may use other login options, such as signing in via passkeys or authenticator apps, instead.

Bitwarden: FIDO2 WebAuthn restrictions

There are two main restrictions when it comes to using FIDO2 Web Authentication support in Bitwarden.

1. The security feature is only available to Premium Bitwarden members. Free users do not get access to it. Bitwarden Premium is available for USD $10 per year. Users who subscribe get a number of extra features, including FIDO2 support, 1 gigabyte of personal storage space and Bitwarden Authenticator support.
2. Only some of Bitwarden's applications may support FIDO2 WebAuthn at the time. Support depends mostly on the platform that is used and not on Bitwarden itself.
   • Web vault and browser extensions require a web browser that supports FIDO2.
   • The desktop applications require Windows 10 or newer.
   • The Bitwarden mobile applications require Android / iOS 13.3 or newer, and a FIDO2 supported browser.

FIDO2 WebAuthn works with native biometric features of operating systems. Bitwarden mentions Windows Hello and Touch ID specifically. The security feature works with authenticators that are FIDO2 WebAuthn certified next to that. This includes security keys such as Yubikeys, SoloKeys or Nitrokeys.

Bitwarden: Setting up Two-step Login

Bitwarden warns users on the setup page that access to the entire vault may be lost under certain circumstances. The company suggests that users write down two-step login recovery codes to avoid this scenario. Another useful option is to back up the Bitwarden password database.

Bitwarden recommends setting another two-step login option, as WebAuthn may not be available on all platforms yet.

To set up FIDO2 WebAuthn, do the following:

1. Open the Bitwarden website and log in to the account.
2. Select the profile icon in the upper right corner and then Account Settings.
3. Switch to Security and then the Two-step Login tab.
4. There, all available two-factor authentication options are listed.
5. To use WebAuthn, activate the manage button next to it.
6. Type the master password for confirmation.
7. Select a name for this security key or biometric authentication option. Now, pick one of the following options:
   1. Plug the security key into the USB port of the device and select "Read Key". If the key has a button, it needs to be touched.
   2. Use native biometric authentication, e.g., Windows Hello. Select Read Key, and authenticate using Windows Hello or Touch ID.
8. Select Save to complete the process.
9. On the Two-step login Settings page, select "View recovery code".
10. Type the master password.
11. Write down or print the code, as it is used to gain access to Bitwarden's vault, even if the two-step login method is no longer available (e.g., device lost, PC stolen).

Et voila, WebAuthn is now protecting the Bitwarden vault.

Advertisement