If you still enable email 2FA, then you might as well not have the YubiKey.
Is there a benefit to choosing "FIDO2 WebAuthn" instead of "YubiKey OTP Security Key" as the provider even when you're using a YubiKey?
Yes, WebAuthn will do a far better job of protecting you from phishing than OTP; it's nearly impossible to phish WebAuthn. YubiKey OTP is just like Google Authenticator (TOTP), but instead of the secret key being stored in an app, it's stored on the YubiKey. Some could argue YubiKey OTP is less secure than TOTP because it's not time based, so I would go with the Authenticator App over it.
Not only is the YubiKey OTP less secure, but it requires you to buy the more expensive series 4 and 5 keys to use them. The one downside with using WebAuthn with Bitwarden is that not every platform supports it, so having a backup 2FA option is needed. I use WebAuthn and that is the default one I try to use when possible, but the fallback is the Authenticator App.
@passwordbits Do Android phones support both WebAuthn and OTP?
@radfaraf I'm able to log in using a USB-C YubiKey on an Android phone that has WebAuthn enabled.
Do I need to use 2FA for autofilling passwords everywhere and every time, or is it a one-off per device?
Once you're logged in to Bitwarden, you shouldn't need to use 2FA anymore. You use 2FA to log into that, and all of your stuff is there.
Only to login to new devices