
Two-step Login via FIDO2 WebAuthn

Two-step login using FIDO2 WebAuthn authenticators is available for premium users, including members of paid organizations (families, teams, or enterprise).

Any FIDO2 WebAuthn Certified authenticator can be used, including security keys such as YubiKeys, SoloKeys, and Nitrokeys, as well as native biometrics options like Windows Hello and Touch ID.

tip

Existing FIDO U2F security keys will still be usable and will be marked (Migrated from FIDO) on the Two-step Login Manage FIDO2 WebAuthn dialog.

FIDO2 WebAuthn cannot be used on all Bitwarden applications. Enable another two-step login method in order to access your vault on unsupported applications. Supported applications include:

Set up FIDO2 WebAuthn

To enable two-step login using FIDO2 WebAuthn:

warning

Losing access to your two-step login device can permanently lock you out of your vault unless you write down and keep your two-step login recovery code in a safe place or have an alternate two-step login method enabled and available.

Get your recovery code from the Two-step login screen immediately after enabling any method.

  1. Log in to your web vault.

  2. Select the profile icon and choose Account Settings from the dropdown:

    Account Settings

  3. Select the Security page and the Two-step Login tab:

    Two-step Login

  4. Locate the FIDO2 WebAuthn option and select the Manage button.

    Select the Manage button

    You will be prompted to enter your master password to continue.

  5. Give your security key a friendly Name.

  6. Plug the security key into your device's USB port and select Read Key. If your security key has a button, touch it.

    note

    Windows Hello is natively a FIDO2 authenticator. If you are using Windows Hello but want to register a key or other device, you may need to dismiss the native Windows Hello prompt by selecting Cancel.

  7. Select Save. A green Enabled message will indicate that two-step login using FIDO2 WebAuthn has been successfully enabled, and your key will appear with a green checkbox.

  8. Select the Close button and confirm that the FIDO2 WebAuthn option is now enabled, as indicated by a green checkbox.

Repeat this process to add up to 5 FIDO2 WebAuthn security keys to your account.

note

We recommend keeping your active web vault tab open before proceeding to test two-step login in case something was misconfigured. Once you have confirmed it's working, log out of all your Bitwarden apps to require two-step login for each. You will eventually be logged out automatically.

Use FIDO2 WebAuthn

The following assumes that FIDO2 WebAuthn is your highest-priority enabled method. To access your vault using a FIDO2 WebAuthn device:

  1. Log in to your Bitwarden vault and enter your email address and master password.

    You will be prompted to insert your security key into your device's USB port. If it has a button, touch it.

    FIDO2 Prompt

tip

Check the Remember Me box to remember your device for 30 days. Remembering your device will mean you won't be required to complete your two-step login step.

You will not be required to complete your secondary two-step login setup to unlock your vault once logged in. For help configuring log out vs. lock behavior, see vault timeout options.

NFC troubleshooting

If you are using a FIDO2 authenticator with NFC functionality like a YubiKey or other hardware security key, you may need to practice finding the NFC reader in your device as different devices have NFC readers in different physical locations (for example, top of phone vs. bottom of phone, or front vs. back).

tip

Hardware security keys typically have a physical plug, which will work more reliably in cases where NFC is difficult.

Troubleshooting YubiKey NFC

On mobile devices, you may encounter a scenario where your YubiKey is read twice consecutively. You will know this has occurred when your device's browser opens the YubiKey OTP website (https://demo.yubico.com/yk) and your device vibrates multiple times to signal multiple NFC reads.

To solve this, use the YubiKey Manager application to disable the NFCOTP interface for your key:

YubiKey Manager

warning

Disabling NFCOTP will prevent you from being able to use two-step login via YubiKey (OTP) over NFC with this key. In this scenario, OTP via USB will still function as expected.


©2022 Bitwarden, Inc.