The Bitwarden Blog
FIDO2 Security Key Support Enabled for Mobile Clients
July 23, 2022
The FIDO2 passwordless authentication protocol facilitates passwordless login and continues to gather more support as an industry standard. Updates to mobile operating systems added native support for the standard, enabling Bitwarden FIDO2 support to take advantage of this secure protocol. But what is FIDO2, and how does it impact you?
FIDO stands for Fast IDentity Online (not the name of a dog), as shorthand for the authentication standard created by the FIDO Alliance, an open industry association. The group, including internet industry leaders, worked together to develop the standard and advance online authentication, specifically for reducing the reliance on passwords.
FIDO2 serves as a protocol for applications, servers, and other devices to communicate with each other, ensuring that the user trying to log in is authenticated appropriately. In other words, they are who they say they are. Other technologies under this umbrella term include WebAuthn, an open web standard, and CTAP; both run under-the-hood to help keep everything secure. Compared to other protocols such as OTP (one-time passcodes) FIDO2 offers greater protection because it is stronger against phishing and fake websites thanks to the use of a public/private key pair as part of its security.
One FIDO2 example is a hardware security key, which is a special device that may look like a USB thumb drive. When plugged into a computer or held close to a phone to be read by NFC (near-field communication) the security key authenticates the user. A hardware key is considered very secure since it can’t be duplicated and requires a physical device to be carried by the user.
With this release Bitwarden is now a FIDO2 password manager that supports the use of FIDO2 hardware security keys on mobile clients. This adds to the lineup of the web vault, browser extensions, and Windows desktop clients supporting FIDO2 as a form of two-step login to help keep your account secure.
It’s important to note that Bitwarden uses FIDO2 for two-step login, not as a means to unlock your Bitwarden vault. The master password is used to log in to download the encrypted vault to the client, and the key derived from the master password is used to decrypt it. More on encryption can be found in the Bitwarden Security Whitepaper.
During two-step login, Bitwarden will ask you to plug in your USB hardware security key or to hold it (if NFC-enabled) close to your phone. Once the key is read, Bitwarden will use the FIDO2 Webauthn protocols to verify your identity. If you select Remember Me, it will remember your device for 30 days. This is one powerful form of two-step login that Bitwarden offers.
Two-step login, also known as two-factor authentication, 2FA, and multifactor authentication, is a way to drastically increase the security on any of your accounts. It’s so important that even though it’s been covered extensively in a Bitwarden blog, webcast, and field guide it’s worth revisiting again here.
Two-step login can be thought of in terms of having something you know, and something that you have. For example, in order for an adventurer to gain entrance to the forbidden mystical city, they must speak the magic phrase (that they know) and present the enchanted medallion (that they have). Overhearing the magic phrase in a tavern won’t give them access alone!
In contemporary terms, after you’ve enabled two-step login on any of your accounts, logging in with a username and password from an unrecognized device will trigger the second step. Depending on the site, you could be asked for a code sequence that was sent to you via text message or email, or a timed one time password (TOTP) from an authentication app as examples.
Different types of two-step login methods have varying levels of security and resilience to attacks. Text message (SMS) codes are generally known as the least secure as phone numbers can be vulnerable to SIM-swap attacks. Hardware keys are widely agreed to be the most secure form of identity verification.
Any type of two-step login provides significantly more security than leaving your account unprotected! Without two-step login your account is protected only by a single password. Data breaches and password leaks may reveal an accidentally reused password, or a brute force attack could try to guess your password millions of times a minute. Two-step login stops these bad actors in their tracks!
Detailed step-by-step instructions for enabling FIDO2 WebAuthn in Bitwarden can be found on the help page.
From the web vault go to the Settings tab, and then the Two-step login page. From there you can select which form of two-step login to use. Note that the FIDO2 option is available in the Bitwarden Premium plan.
Any FIDO2 security key can be set up for use. Some common brands are YubiKey, SoloKey, and Nitrokey. Note that YubiKey can be supported in two different ways by Bitwarden: OTP (one-time password) and FIDO2. Make sure you make the right selection for your needs.
You can have up to five keys added. It’s a good idea to register more than one so you can keep one on yourself and another one in a safe place. You should also generate a recovery code and also keep it in a safe place in case you lose your hardware keys. Remember that there is a risk of being locked out of your account forever if you lose your keys and recovery code, even if you still have your master password!
There are two important steps that anyone can do today to improve security on the internet. The first is to implement any form of two-step login (2FA, two-factor authentication, multifactor authentication) on every account that offers it. Bitwarden can help with a tool called “Inactive 2FA Report” that will check all logins in the vault against a list of sites that offer TOTP as a two-step login and flag logins that haven’t had it set up.
The second is to practice good password habits: use unique, randomly-generated strong passwords for every account. The built-in password generator in Bitwarden is a useful tool for making this easier, alongside storing those passwords in a secure vault so they don’t need to be remembered.
Additionally, the Bitwarden Authenticator which is available with the Bitwarden Premium plan, can help with TOTP two-step login by generating codes and making it more convenient to verify identities on websites.
Enable two-step login on all your accounts today!
Editor's Note: This article was originally written on September 28th, 2021 and was updated on July 23rd, 2022.
Back to Blog