Bitwarden Free: WebAuthn new passwordless 2FA method
Free users of the open source password manager Bitwarden may use a new two-factor authentication (2FA) method in the latest version of the application. The developers of the password management service have enabled Web Authentication (WebAuthn) support for all users of the service.
This means, that Bitwarden Free users may now use Windows Hello or Touch ID, and hardware security keys such as Yubikeys to protect their accounts using the authentication standard.
Free Bitwarden users could protect their accounts with two two-factor authentication methods up until now: email or authentication app. Email is considered insecure, which left using an authenticator app, such as Authy, Google Authenticator and others for protection.
The addition of WebAuthn support extends the available options that users have significantly. Next to enabling biometric authentication options for accounts, supported are those that support WebAuthn, it also enables support for hardware keys.
Bitwarden launched support for WebAuthn back in March 2023. Back then, the feature was enabled for Premium and Families plans only. Paid plans for individuals are available for a flat fee of $10 per year. Bitwarden has not yet updated its pricing page with the new information.
WebAuthn support has been added to version 2023.9.0 of the password manager. The release notes on GitHub reveal the change: "WebAuthn now a free 2FA method".
WebAuthn is supported by most Bitwarden applications. It is recommended to add a backup two-factor authentication provider to Bitwarden, especially if incompatible or older app versions are used that do not support it.
Setting up WebAuthn as a two-step login authentication option is a straightforward process. I have described it on this page for Bitwarden Premium users, but the steps are identical. Just scroll down to the setup section on the page and follow the instructions.
A recovery code is created during the process, which can be used to access the account if the two-step authentication method is not available anymore, e.g., after losing a security key or an entire device.
Closing Words
Support for FIDO2 WebAuthn is a major step for free account users of Bitwarden. It unlocks options to use security keys, albeit only with WebAuthn, and also biometric authentication options provided by the operating system. Still, it is a major addition to the password management service.
Now You: do you use password managers and two-factor authentication?
That’s a welcome change. It never sat right with me that important security features like WebAuthn were being deliberately withheld.
thanks for pointing that out!