Two-step Login via YubiKey
Two-step login using YubiKey is available for premium users, including members of paid organizations (families, teams, or enterprise). Any YubiKey that supports OTP can be used. This includes all YubiKey 4 and 5 series devices, as well as YubiKey NEO and YubiKey NFC. You can add up to five YubiKeys to your account.
Most modern YubiKeys, including 5 series keys, support the FIDO2 WebAuthn protocol. If your key supports it, which you can determine using the YubiKey Manager application, we recommend setting up your key as a FIDO2 WebAuthn device by following these instructions.
To enable two-step login using Yubikey:
Losing access to your two-step login device can permanently lock you out of your vault unless you write down and keep your two-step login recovery code in a safe place or have an alternate two-step login method enabled and available.
Get your recovery code from the Two-step login screen immediately after enabling any method.
Log in to your web vault.
Select the profile icon and choose Account Settings from the dropdown:
Select the Security page and the Two-step Login tab:
Locate the YubiKey OTP Security Key option and select the Manage button.
You will be prompted to enter your master password to continue.
Plug the YubiKey into your computer's USB port.
Select the first empty YubiKey input field in the dialog in your web vault.
Touch the Yubikey's button.
If you will be using the YubiKey for a NFC-enabled mobile device, check the One of my keys supports NFC checkbox.
Select Save. A green
Enabledmessage will indicate that two-step login using YubiKey has been enabled.
Select the Close button and confirm that the YubiKey OTP Security Key option is now enabled, as indicated by a green checkbox ( ).
Repeat this process to add up to 5 YubiKeys to your account.
We recommend keeping your active web vault tab open before proceeding to test two-step login in case something was misconfigured. Once you have confirmed it's working, logout of all your Bitwarden apps to require two-step login for each. You will eventually be logged out automatically.
The following assumes that YubiKey is your highest-priority enabled method. To access your vault using a YubiKey:
Log in to your Bitwarden vault on any app and enter your email address and master password.
You will be prompted to insert your YubiKey into your computer's USB port or hold your YubiKey against the back of your NFC-enabled device:
Check the Remember Me box to remember your device for 30 days. Remembering your device will mean you won't be required to complete your two-step login step.
If you are using a non-NFC YubiKey on a mobile device:
Plug your YubiKey into the device.
Tap Cancel to end the NFC prompt.
Tap the text input field, denoted by a gray underline.
Tap or press your YubiKey button to insert your code.
Select or tap Continue to finish logging in.
You will not be required to complete your secondary two-step login step to unlock your vault once logged in. For help configuring log out vs. lock behavior, see vault timeout options.
If your YubiKey's NFC functionality isn't working properly:
Check that NFC is enabled:
Download YubiKey Manager.
Plug the YubiKey into your device.
Select the Interfaces tab, and check that all boxes in the NFC section are checked.
Check that NFC is configured properly:
Download the YubiKey personalization tool.
Plug the YubiKey into your device.
Select the Tools tab.
Select the NDEF Programming button.
Select the the configuration slot you would like the YubiKey to use over NFC.
Select the Program button.
(Android-only) Check the following:
That you checked the One of my keys supports NFC checkbox during setup.
That you have NFC enabled on your Android device (Settings → More).
That your keyboard layout/format/mode is set to QWERTY.