Two-step Login via YubiKey
Two-step login using YubiKey is available for premium users, including members of paid organizations (families, teams, or enterprise). Any YubiKey that supports OTP can be used. This includes all YubiKey 4 and 5 series devices, as well as YubiKey NEO and YubiKey NFC. You can add up to five YubiKeys to your account.
tip
Most modern YubiKeys, including 5 series keys, support the FIDO2 WebAuthn protocol. If your key supports it, which you can determine using the YubiKey Manager application, we recommend setting up your key as a FIDO2 WebAuthn device by following these instructions.
To enable two-step login using Yubikey:
warning
Losing access to your two-step login device can permanently lock you out of your vault unless you write down and keep your two-step login recovery code in a safe place or have an alternate two-step login method enabled and available.
Get your recovery code from the Two-step login screen immediately after enabling any method. Additionally, users may create a Bitwarden export to backup vault data.
Log in to the Bitwarden web app.
Select Settings → Security → Two-step login from the navigation:
Locate the YubiKey OTP Security Key option and select the Manage button.
You will be prompted to enter your master password to continue.
Plug the YubiKey into your computer's USB port.
Select the first empty YubiKey input field in the dialog in your web vault.
Touch the Yubikey's button.
If you will be using the YubiKey for a NFC-enabled mobile device, check the One of my keys supports NFC checkbox.
Select Save. A green
Enabled
message will indicate that two-step login using YubiKey has been enabled.Select the Close button and confirm that the YubiKey OTP Security Key option is now enabled, as indicated by a green checkbox (
).
Repeat this process to add up to 5 YubiKeys to your account.
note
We recommend keeping your active web vault tab open before proceeding to test two-step login in case something was misconfigured. Once you have confirmed it's working, logout of all your Bitwarden apps to require two-step login for each. You will eventually be logged out automatically.
If you're an organization administrator, you'll need to configure a pair of environment variables in global.override.env
in order to allow calls to be made to the YubiKey OTP API:
Variable | Description |
---|---|
globalSettings__yubico__clientId | Replace value with ID received from your Yubico Key. Sign up for Yubico Key here. |
globalSettings__yubico__key | Input the key value received from Yubico. |
The following assumes that YubiKey is your highest-priority enabled method. To access your vault using a YubiKey:
Log in to your Bitwarden vault on any app and enter your email address and master password.
You will be prompted to insert your YubiKey into your computer's USB port or hold your YubiKey against the back of your NFC-enabled device:
tip
Check the Remember Me box to remember your device for 30 days. Remembering your device will mean you won't be required to complete your two-step login step.
If you are using a non-NFC YubiKey on a mobile device:
Plug your YubiKey into the device.
Tap Cancel to end the NFC prompt.
Tap the text input field, denoted by a gray underline.
Tap or press your YubiKey button to insert your code.
Select or tap Continue to finish logging in.
You will not be required to complete your secondary two-step login step to unlock your vault once logged in. For help configuring log out vs. lock behavior, see vault timeout options.
If your YubiKey's NFC functionality isn't working properly:
Check that NFC is enabled:
Download YubiKey Manager.
Plug the YubiKey into your device.
Select the Interfaces tab, and check that all boxes in the NFC section are checked.
Check that NFC is configured properly:
Download the YubiKey personalization tool.
Plug the YubiKey into your device.
Select the Tools tab.
Select the NDEF Programming button.
Select the the configuration slot you would like the YubiKey to use over NFC.
Select the Program button.
(Android-only) Check the following:
That you checked the One of my keys supports NFC checkbox during setup.
That your Android device supports NFC and is known to work properly with YubiKey NEO or YubiKey 5 NFC.
That you have NFC enabled on your Android device (Settings → More).
That your keyboard layout/format/mode is set to QWERTY.
Suggest changes to this page
How can we improve this page for you?
For technical, billing, and product questions, please contact support