The Easiest (and MOST SECURE) Way to Log into Bitwarden
Vložit
- čas přidán 7. 07. 2024
- Bitwarden is winning the security game against other password managers. They recently updated their security settings to allow anyone (paid or free) to implement FIDO2 WebAuthn as 2FA.
This makes it easier to log in AND more secure.
Update your settings today!
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
Links
Bitwarden: bitwarden.com/
Passkeys Overview: • What are Passkeys? | A...
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
❤️ Leave a comment and hit the like button because it helps spread cyber security knowledge to more people.
Table of Contents
00:00 - Intro
00:19 - FIDO2 / WebAuthN
00:40 - Passkey Overview
01:56 - Flexible Security
03:11 - Phishing Resistant
04:12 - Setup Instructions
06:31 - Login Test
07:04 - Best Practices
08:20 - Closing
🔔If you found this helpful, subscribe to the channel!
www.youtube.com/@teachmecyber...
🚀 Connect with me on LinkedIn
/ jrebholz
FREE Bitwarden Security Update | Do This TODAY! | FIDO2 WebAuthN - Věda a technologie
Thanks for sharing!
Thanks for watching!
This is awesome!
Glad you like it!
Thanks, but when I try to set up WebAuthn on my Mac in Safari, and press the Read Key buttom, it gives me a choice of the Safari Passwords page or a Hardware key - no mention of BitWarden Vault. Am I doing something wrong?
Great tutorial, I just subscribed but I am very puzzled by this. It sounds great but when I try to do it on my Win11 PC it seems the Bitwarden setup requires me to use a security key such as Yubikey which I don't have and which doesn't appear to have happened for you.
The GOAT
💪💪💪
Really nice video. I just had a couple of questions. Which authenticator app would you recommend? I am currently using Authy. Secondly, how safe are passkeys? If they are device-bound, wouldn't it be possible for someone to gain access if the device gets compromised?. Also is it safe to use it in iphone ? Again, this might be a really dumb questions, but I just wanted to know.
Excellent, thanks. Is it possible to use a Yubikey on one device (e.g. on my iMac which doesn't have biometrics) and a passkey on another (e.g. on my tablet)?
Yes, you can set up multiple methods! What you outlined will work for you
The passkey in this example is associated with Chrome and no other device, right? Only from that device can I use it until I add another one. So it doesn't support multi device passkey? If I saved that passkey to a password manager like 1password I wouldn't be able to use it from all the devices that have the 1 password vault synced. There is a bit of confusion about these new passkeys and they seem promising but they should become the only way to log in because if they are an alternative the risks are the same. Sorry for the novel 😆
Hello. You could make a short explainer video on how to store passkeys in Bitwarden (if this option is already enabled); something similar to the video from a few days ago where you explained how to do it with 1Password.
Greetings and blessings from Cuba, learning many from your videos 🙏🏼
Hola. Puede hacer un breve video explicativo sobre cómo almacenar claves de acceso en Bitwarden (si esta opción ya está habilitada); algo similar al vídeo de hace unos días donde explicabas cómo hacerlo con 1Password.
Saludos y bendiciones desde Cuba, aprendiendo muchas de sus videos 🙏🏼
Bitwarden hasn't released this functionality yet, but once they do I'll release a video for it! Thanks for following!
If a passkey is linked to a specific domain, won't that cause a lot of hassle in setting up new passkeys whenever a site decides to change their domain? I've had it happen rarely, but every time it happens, it's a pain in the backside.
Also, device-bound passkeys are a pain when you get a new phone and have to set up new keys for all the sites that had a key linked to your old phone...
I would say the domain change is so rare that it's almost not a concern. For device bound Passkeys, it will be a pain when you get a new device. It's the more secure way. There are synced passkeys that can alleviate this but a trade off of security
if you did have 3 mfa pathways setup for backup, then what happens if you do lose your mfa on a lost or stolen phone? wouldn't that defeat your stronger mfa when the hacker now has your phone? Would it be better not to have mfa on your phone now?
If you're putting a password on your phone or using biometrics, that will help in this scenario.
but what if your email was already has malwer and that email has already the bait of phishing and you go get passkeys and the person or owner dosent know anthing that the email has virus,hacker,scammers...got all info that will be game over to the owner of the gadgets? like me i dont know if my email has virus and my facebook got hacked...
The passkey is still tied to the bitwarden and the device you own. Even if an attacker had access to your email, it wouldn't degrade the security of this.
I have several gmail accounts for personnel, business and two organizations. I use MacBook (10 years old, iPad Pro (4 years old) desktop PC (1 year) and android phone (less than 6 months). Do I need separate accounts for each gmail account?
You can use a single Bitwarden account and just create different vaults for each use case (e.g. one for personal, business, and for each of your organizations). It's an easier way to logically separate them out.
No. Just one Bitwarden account.
Jason what is the naming convention of the passkey for the vault? Is it a password or phrase? Enjoy your videos, thanks
Can you expand on what you mean by naming convention? I'm not clear on what you're asking.
Watching your latest video, "Hackers targeting your vault", you created a passkey for your Bitwarden vault, was that a password or phrase or something else that you input as your passkey? I'm new to this, so I don't completely understand some of it.
Ah okay! The passkey is different from a password or passphrase. It's a more secure way to log into applications. It uses cryptography to do this (check out my video on passkeys that goes deeper into what that is).
For Bitwarden, you will first need to create a master password (this will be a password or passphrase, just make sure it's long and complex!). After that, you can create a passkey which you can then use to login.
Already have bitwarden installed and master password created, just trying to understand this additional security. So Is the passkey something I can see and do I need to remember it, or will Bitwarden remember it automatically? thanks for the patience.
You can't see the passkey nor do you need to! It all happens behind the scene. When you go to log into Bitwarden and get prompted for your fingerprint, it unlocks the passkey and does all the work for you. Nothing for your to remember or type it.
That's what makes it so fast!
My desktop has no Bio-metric capabilities. The WebAuthN is asking for a USB to continue. Is a Yubi Key required to setup? I don't see an option to just enter a password to authorize the public key.
You are going to have to have a device that can securely store your passkey. Are you using a Windows system? If it supports Windows Hello, you should be able to use a PIN or even face recognition for it to work.
I'm on Windows 11pro for my desktop. I'll have to do some more research on setting this up. Thanks, @@teachmecyber
bitwaren firefox WebAuthn???
I don't have security usb key, it asks me to enter win pin, it is 4 digits, is it ok to use it?
It's still okay to use with the PIN, though even better if you use something like a finger print or face ID to unlock (depends on what your system supports)
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
Make sure the URL for the website is present in Bitwarden
@@teachmecyber Thanks for the reply. What if it's not a website but an Android app?
Can Bitwarden ask for login/password AND otp app code AND hardware key ?
It will only prompt for just one form of MFA today. Are you looking to secure access to the vault even more?
@@teachmecyber i would love to be able to do what I asked, login/pass + otp + hardware key
Gotcha. I'm not sure of any online apps that supports this today. From a security perspective, the hardware key + creds will be the most secure option
Why did you not show how to set your phone as a second webauth passkey?
Just because of challenges with recording on a mobile device.
Thanks for the great video. I have Bitwarden Premium. I have two YubiKeys. A master key and a backup key. Is the premium version worth it if Fido is also available in the free version?
Currently the hardware keys are still a premium feature. This update is for FIDO2 WebAuthN, which is passkeys.
Given your current configuration, you'll want to keep the paid version.
how not to loose YUBICO physical key..?🤔what if I do?
If l will delete browser. what will happen cuz browser have MFA
The Passkeys are stored on your device, so even if you delete the browser you'll still be able to use the passkeys (assuming your browser supports it).
@@teachmecyber
Thanks sir 🙏
And where is it stored? Or is a hash algorithm that bitwarden does with my computer info?@@teachmecyber
Will only read one key. Still, one beats none.
In other words, they implemented a feature that does NOTHING to improve passwords.
They abandoned their actual functionality in favor of supporting some new type of malware instead.
It's time to abandon Bitwarden and choose a capable password manager instead, although I suspect there are very few of them left.
Unfortunately, they are not the only one to promote nonsensical "passkey technology".
Passkeys are more secure and provide an easier login experience
@@teachmecyber but they're not passwords and thus not relevant to a password manager.
Bitwarden still stores password as before. Passkeys are an added feature if you want to use them. They are a type of public/private keys that have been used for almost 30 years. I've found no information that passkeys are malware, I don't know where you got that from.
What are you on about?
Locking a login to a specific device is horrifying. No thanks.
You can set up multiple devices so you have backups. It's the most secure way to protect your bitwarden vault.
@@teachmecyber... and you should write down your "2FA recovery code", so even losing "the one specific device" wouldn't be a disaster. You still can use the 2FA recovery code to log in - and set up 2FA again / new.