Bitwarden Secured with Yubico Yubikey!

Totally agree. We did a video on all the 2FA methods including FIDO2 WebAuthn ua-cam.com/video/f3pY9LJAHPk/v-deo.html. Thanks for commenting & subscribing!

Thanks for commenting and subscribing. Did you get a chance to check out the other Bitwarden video. Let us know if you have any questions.

Thanks for the feedback!

Thank you too

Happy the video was helpful. We have a lot of content on device & account security. Let us know if you have any particular interest. Thanks for commenting & subscribing.

Thanks for coming

Great!

Awesome thank you! Thanks for the feedback.

Thank you too

So nice of you

Great question. In order to select yubikey you have to have a paid subscription. The process with yubikey is actually simpler, since you just plug in the key and phyically touch the key. It is like the process shown on our other email vídeos for yubikey authentication. Thanks for the feedback.

Keep in mind that of your email is secured with a yubikey having a yubikey on the Bit Warden vault is somewhat redundant. But if you have accounts that don't support yubikey then is wise to secure them in the vault with yubikey.

@@CyberMedics Thanks for your replies. I finally got 3 yubikeys setup with bitwarden, however, I'm only prompted for 2FA when I completely log out of bitwarden. It would be nice to have 2FA every time I log into Bitwarden with either pin or master password. Pin + 2fa would be best, as I don't like typing in master so often in case a key logger is present.
What do you think?

@@gibbons7047 Agree. I've been thinking about doing another video with bitwarden. Is there anything in particular you'd like to see? It's been the most popular video on the channel so far.

@@gibbons7047 I missed part of your question. If you want 2FA every time, Go to "Settings", "Vault Timeout", Select "Browser Restart", Under "Vault Timeout Action" Select "Log Out". This will force 2FA every time. Let me know if it works for you.

Super question. Thank you. You can, but we have not used it yet. If you do let us know your results bitwarden.com/blog/log-into-bitwarden-with-a-passkey/

Thank you too

Thank you! 🤗

Welcome aboard. Are you using windows?

@@CyberMedics yup

@@ikust007 This is an important video you might want to view. ua-cam.com/video/qnqnIuGEnH0/v-deo.html

It is not dumb and the process can be confusing. Short answer is yes. Longer answer; in order to provide help we need more information. One of the main reasons we started the channel to help people secure their online accounts. What specific key are you using? What phone (android/iphone)? What accounts are yo trying to secure on the phone? Do you wan to use the key as a hardware token (U2F/FIDO 2) with physical touch? Do you want to use the key for storing TOTP codes for the authentication app? Don't be overwhelmed. You've made an important decision to protect your online account identity. It would be our pleasure to walk you through the process.

My first response may have been more than you need. If you are just trying to add the key to BitWarden, via the phone then you just need to logon to your account in a browser on the phone. Complete details are included in our How to Secure Bitwarden with 2nd Factor Authentication ua-cam.com/video/f3pY9LJAHPk/v-deo.html.

Glad you enjoyed it.

You are so welcome

Nice feedback really appreciate the comment. Have you considered double blinding the passwords in the vault. That way if someone broke into the Vault they still would not have your account credentials. Especially if you've secured them with a strong second Factor Authentication method. Would appreciate your feedback on what you see as the risk factors with that approach.

Awesome thank you!

You bet

I fundamentally agree with you. If you secure this with an authenticator app or a hardware security key, it would be extremely difficult to break. The pro to the PW manager is you can have strong passwords, but the downside is you become reliant on it. Thanks for the feedback and subscribing!

Thank you Julius!

@Soulja Setting up Bitwarden multiple devices
Thanks for commenting and subscribing. Yes you would have to authenticate to bit Warden on each device, but you only have to set up the accounts one time. My recommendation is to set up all of the accounts on a keyboard computing device for ease of input.

@Soulja Setting up Authenticator multiple devices
Once you set up the authenticator app to work with your yubikey, that account information is stored on the Yubikey. Plugging the key into any device that works with the yubico authenticator app will have all of your accounts. Note that presently Yubico Authenticator does not work on Chromebook operating system, but does work on android phones!

@Soulja Backup Concerns
Yubikey Backup- You can add multiple yubico keys to your bitwarden for back up. Go to bitwarden.com, "Settings", "Two Step Login", then "Manage Providers".
Bitwarden Password backup- Under "Tools", "Export Vault", select format- ".json" or ".csv". .josn is plain text compatible, where .csv is spread sheet compatible. Put the file somewhere secure or encrypt on your device.

@Soulja Complex...screwed, something goes wrong
This was a great comment with multiple parts, so I broke up the responses and titled them so others can benefit from your comment.
Something can always go wrong, so exporting the password valut, adding multiple keys etc. minimizes this from happening. I suggest you setup a test account on both Bitwarden and your email (Tutanota, Gmail & Yahoo all support the hardware yubikey). Use this test account to follow the steps above. Once you are confident, then you can go about adding your real accounts and locking everything down. Thank you again for these questions. Hope it can help others. Please let me know if you need any help.

@@CyberMedics Thanks am doing that to check it all out ,tks

These are great questions! I'll try to break them down. First thanks for commenting & subscribing!

"if I would install bitwarden and secure it with a yubikey as suggested, and I also would use the same yubikey for 2FA on different websides, as also suggested in different videos. First would this be possible, how much space does a yubikey have?"
Our updated BitWarden 2FA video is here: ua-cam.com/video/f3pY9LJAHPk/v-deo.html Yes you can use the Yubikey (U2F/Web Authn) on as many sites as you want. Each private/public key pair is dynamically generated and takes up no memory in the key. If you use the Yubikey to store OTP there is a maximum of 32 accounts.

"Second would it make sense, or would that mean putting all eggs in one basket? "
Are you referring to putting all your PWs in the vault as to "putting all your eggs in one basket"? Yes, putting all your PWs in the vault does centralize them, but they are encrypted with your master password. The stronger your master the password the better. Securing the vault with a hardware key makes the vault practically un-hackable . You could also consider a double blind method for storing your passwords. Please see our video: ua-cam.com/video/pQ7ETiPfmqk/v-deo.html.

"Or if I secure bitwarden with a yubikey, I no longer have to use the options on different websides for 2FA because Bitwarden+Yubikey is already 2FA? Seems I didn’t understand it completely, can anyone help?"
When you secure Bitwarden with Yubikey, you are only protecting your passwords. Think of it as your passwords written in a notebook stored in a physical vault, where you need a key to open it and access the passwords.
Even though Bitwarden will automatically login with your password you will still need to be secured with 2FA...preferably a hardware key. For example: I always login to my vault first with a HW key, then I access my email. Bitwarden logs in my ID & PW....then my email account requests my 2FA method (a HW key). Once I provide the HW key, I'm logged into my email. Your questions are supper! Please let us know if this is clear or if you need any help.

@@CyberMedics First thank you for all your time and effort to answer my Questions! This last Example was exactly what I was thinking about and referring to. If I use a Hardwarekey, to fill in my ID and Passwort at a webside, would it technical be possible to use the same Hardwarekey for 2FA-of that same webside? And if so, would it be wise, from a security point of view, to use the same Hardwarekey? Wouldn’t that mean I put all eggs in one basket, meaning ID+Passwort+2FA all in/on/via the same Hardwarekey, could this be still smart?

It is possible to set it up to require 2fa on the computer. That's the way we have it set up to clear the cookies from the account so that every time you log in it requires you to add your second Factor Authentication. On the phone it always requires you to log in again with either your PIN code or your biometric / face ID. Thanks for commenting and subscribing please let us know if you need any help or have any other questions

That's the way we have it set up on the phone. Still have to attend a cake to the phone but it will autofill once you've attended Catoosa phone for the account

@@CyberMedics thank you very much, I ordered 2 yubikeys and I will See. I am not Sure if it was the right decision because now I read that passkeys (in the Devices) will male the yubikeys mostly obsolet

@mh7711 Passkeys are a device implementation of the functionality of a Hardware security key. The major concerns with passkeys: It is stored on the device. If for some the device fails the passkeys would be lost along with the device. This is also a risk with the hardware keys, but the hardware keys are more reliable than most electronic devices. We believe the passkey has a greater attack surface. Why? If someone gets access to an open device with passkeys there is a high probability that they will also now know all the accounts associated with the passkey, since most of those accounts will be on the device (most likely) the phone. If someone steals a security key all they have is the key, but no direct knowledge of the accounts associated with the security key. Device theft is much more likely than security key theft. Summary: We believe a properly secured/backed up hardware key is more secure than a passkey. You made the right choice. Authentrend's biometric key implementation is probably the most secure key available, since the key requires fingerprint authentication and does not lock up the key after 3 failed attempts.

I guess in that case would be wise to setup a backup yubikey for emergency use

Yes a backup key is recommended. Bitwarden also has a recovery code that you can use to gain account access if your key fails. That was covered in the video, in case you missed it. Thanks for watching and commenting.

Intelligent and well thought out questions! Super enjoy these types of queries.
Correct, you must have a second form of backup if you lose your key. But is does not have to be a less secure method of 2FA. Ideally it is a second key in a secure accessible location. Most accounts, when you secure them with a key give you a backup code for account recovery. No-one can get access to your account with a less secure method of 2FA. In this case, it is just the key & your backup code.
Authenticator apps are a good alternative, but if someone gets access to your device, they could possibly get access to your time based, one time passcodes (TOTP). Also, if you lose the device, you’ve lost access to the authenticator. However, before you scan the QR codes you can manually copy the software security key and back that up. This would allow you to reconstitute the account on a new authenticator device. A second vulnerability of authenticator TOTP is: you can possibly be tricked to inputting your TOTP into a fake site (called man in the middle attack). This vulnerability does not exist with hardware security keys.
But….any form of 2FA is more secure than just a password on the account. Cell phone txt messages are the least secure form of 2FA. These codes are transmitted in the clear based on 1970 technology with no built in security.
Please let us know what specific accounts are you considering for 2FA. We would love to help you out.
Please see our more detailed video on how to secure BitWarden with 2FA: ua-cam.com/video/f3pY9LJAHPk/v-deo.html Also consider hitting the “Like” & “Subscribe” to show support for us helping others with technology. Thank you!

@@CyberMedics Got it, thank you. Honestly as a student I just can't afford them, but I see your point.
I think I'll just wait for a few years hoping that more websites will support these keys

@@francescofra751 Please consider using the authenticator apps since they are free Let us know if you need any help.

@@francescofra751 Please see our video ua-cam.com/video/imgXU5ahTA8/v-deo.html. It covers everything you need for free authentication app protection on your accounts. No keys required.

Thank you Jessie, please let me know if you need help.

Thanks for coming

Good advice. Care to share any specific information on clipboard exploits. Thanks for commenting and subscribing. We appreciate the support

Thanks for the feedback. You’re probably right are you using yubikeys?

@@CyberMedics I am not happy with my current setup but am also underwhelmed by the offerings of current password managers. Ideally, I'd prefer Browser level password manager security (instead of injecting Java Script to pages, which can be overcome) together with a security key backed anthropy not a master password.
There's also a surprising lack of compatibility, e.g. Titan key + Windows Hello don't work. Windows Hello + Android is buggy. Yubikey was not looking to be too standard compliant, and I am guessing they still have their proprietary stuff.
Not sure if it's worth it to switch from my current insufficient setup.

@@DavidDLee good Info. Didn’t realize titan keys were not compatible with windows. Hello. We are using the yubi key with Windows Hello pin and it works.

A lot of moving parts there. So maybe we need to break them down one at time. I will try to focus on Yubico first, then you can follow up with what I missed. First thanks for responding & hope you "Liked" the video.
I believe that putting the codes on Yubico is probably the most secure & also potentially the most risky. If you lose the keys you lose the TOTP codes, unless you've backed up the "security text keys" represented by the scanned QR codes. We have an upcoming video on securing all your TOTP codes: ua-cam.com/video/imgXU5ahTA8/v-deo.html recommend viewing this before you migrate anything. This video will show you how to safely secure all the QR codes, so you could easily migrate everything to multiple Yubikeys or any other authenticator app.
I personally have stayed away from Authy, since they require a cell phone number. There was a recent breach through Twilio tied back to Authy accounts through SMS that stole TOTP codes. Authy says it was just a few accounts. One is too many!!!! Anything that requires a cell phone # is suspectable to being hacked.
Yubico (like Authy) runs on almost any platform (Windows, android, iOS, Linux). You download the app & plug in the key (or connect through NFC...you have your codes. Moving you code from Authy is going to be a manual process requiring you to disable then re-enable TOTP for all accounts. Again before you do this watch our upcoming video ref above.
Let me know what I missed. Really enjoyed your questions.

You may also want to view our other Bitwarden video: ua-cam.com/video/f3pY9LJAHPk/v-deo.html

@@CyberMedics Thank you for the kindness when answering!
So we could say then that the most intelligent in my situation would be to migrate to yubico authenticator app... but, after watching this video and the one being published in 4 days!
Even though it's a lazy work, I think it's worth it! But before doin it with all my accounts, I'm gonna try with one or two of the most used ones so I can feel the flow of the "having to do it" moment!
What I would have to have clear if possible is:
One of my doubts was if I had to do anything rare in order to use both of the yubicos in any device.
I mean, lets suppose I have at hand one and I want to use it by USB on the laptop or with NFC in the mobile phone... and after that I just want to use the other one.
I understood that the totp are safed in the hardware, so here comes my doubt!
Btw, its good to know I can count on you!
So thank you again!

@@ramiroangel8923 Please "Like" our other videos. Ask your friends and family to subscribe to our channel & "Like" our videos. This supports our efforts to help everyone.
The only thing special you have to do for 2 Yubikey access, is scan the QR code for the account you want to add at the same time, so both are generating the same TOTP codes. Once that is completed, no problem using either key on NFC, USB, windows, android, linux....your all set!
I'm really looking forward to your feedback on the upcoming video: ua-cam.com/video/imgXU5ahTA8/v-deo.html. Enjoy the questions and glad you are taking this so seriously.

@@ramiroangel8923 Did you get a chance to view & Like our ua-cam.com/video/imgXU5ahTA8/v-deo.html video. Really covers all the details to protect TOTP codes. Please let us know if you need any support.

Glad it was helpful! Thanks for commenting & Subscribing!

Thank you

So nice of you