Two-step Login via Duo


    Two-step Login using Duo is unique among Bitwarden’s available Two-step Login methods in that it can be enabled for a Personal Vault (like the other methods) or enabled for an entire Organization by Teams and Enterprise Organizations.

    Enabling Duo for an Organization will prompt all enrolled members to register a device for Duo Two-step Login on their next login.

    Configuring Duo in the Admin Panel and registering a device will follow the same procedure in either case, but the interstitial setup procedure varies slightly depending on whether you’re setting up Duo for yourself or for an Organization.

    Configure Duo

    You’ll need a Duo account in order to obtain some information required by Bitwarden to complete setup. Sign up for free, or log in to your existing Duo Admin Panel. To configure Duo:

    1. In the left menu, navigate to Applications.
    2. Select the Protect an Application button.
    3. Find or search for Bitwarden in the Applications list, and select the Protect button. You will be redirected to a Bitwarden Application page:

      Bitwarden Application page

    Take note of the Integration Key, Secret Key, and API Hostname. You will need to reference these values when you Setup Duo within Bitwarden.

    Setup Duo

    Setting up Duo in Bitwarden is slightly different depending on whether you’re enabling it for your Personal Vault or Organization. Select one of the following tabs accordingly for instructions:

    Setup for your Personal Vault

    Warning

    Losing access to your Duo-enabled device can permanently lock you out of your Vault, unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.

    Get your Recovery Code from the Two-step Login screen immediately after completing the following steps.

    To enable Two-step Login using Duo for your Personal Vault:

    1. Log in to your Web Vault.
    2. Select Settings from the top navigation bar.

      Select Settings
    3. Select Two-step Login from the left-side Settings menu.
    4. Locate the Duo option and select the Manage button.

      Select the Manage button

      You will be prompted to enter your Master Password to continue.

    5. Enter the Integration Key, Secret Key, and API Hostname retrieved from your Duo Admin Portal.
    6. Select the Enable button.

    A green Enabled message should appear to indicate that Duo has been enabled for your Vault. You can double-check by selecting the Close button and seeing that the Duo option has a green checkmark on it.

    Once enabled, make sure you get your Recovery Code. You should also log out of all Bitwarden client apps (mobile, browser extension, etc.) to immediately trigger the Two-step Login requirement. If you don’t, you will be automatically logged out of these apps eventually.

    Setup for your Organization

    Warning

    Organizations Only: Once you initially Configure and Setup Duo, it is critically important that you disable it for the Organization before making any further application configuration changes from the Duo Admin Panel. To make configuration changes: disable Duo in Bitwarden, make the required changes in the Duo Admin Panel, and re-enable Duo in Bitwarden.

    This is because Duo for Organizations does not currently support Recovery Codes. Instead, you will need to rely on the Duo Admin Panel to bypass Two-step Login for members who lose access to Duo. Altering the application configuration from the Duo Admin Panel while Duo is active risks losing the ability to bypass Two-step Login for you or your Organization’s members.

    You must be an Organization Owner to set up Duo for your Organization. To enable Two-step Login using Duo for your Organization:

    1. Log in to your Web Vault.
    2. Open your Organization and select Settings from the Organization navigation.

      Select Settings
    3. Select Two-step Login from the left-side Settings menu.
    4. Locate the Duo (Organization) option and select the Manage button.

      Select Manage

      You will be prompted to enter your Master Password to continue.

    5. Enter the Integration Key, Secret Key, and API Hostname retrieved from your Duo Admin Portal.
    6. Select the Enable button.

    A green Enabled message should appear to indicate that Duo has been enabled for your Vault. You can double-check by selecting the Close button and seeing that the Duo option has a green checkmark on it.

    Register a Device

    Once Duo is set up, navigate to the Web Vault in a new tab. If Duo is your highest-priority Two-step Login method, you will be prompted by a Duo setup screen.

    Duo Setup Screen

    Follow the on-screen prompts to configure a Secondary Device to use Duo (for example, the type of device to register and whether to send an SMS or a push notification). If you haven’t already downloaded the Duo Mobile App, it’s recommended that you do so.

    Use Duo

    The following assumes that Duo is your highest-priority enabled method. Complete the following steps to access your Vault using Two-step Login:

    1. Log in to your Bitwarden Vault on any app and enter your Email Address and Master Password.

      A Duo screen will appear to begin your Two-step Login verification.

    2. Depending on how you’ve configured Duo, complete the authentication request by:

      • Approving the Duo Push request from your registered device.
      • Finding the 6-digit verification code in your Duo Mobile app or SMS messages and entering it on the Vault login screen.

      Tip

      Check the Remember Me box to remember your device for 30 days. While your device is remembered, you won’t be required to complete your Two-step Login step.

    You will not be required to complete your secondary Two-step Login step to Unlock your Vault once logged in. For help configuring Log Out vs. Lock behavior, see Vault Timeout Options.