bitwarden/help
1
0
Fork 0
mirror of https://github.com/bitwarden/help synced 2025-12-06 00:03:30 +00:00
Code Issues Releases Wiki Activity

Twostep updates (#304)

Browse Source 
* twostep category

* move twostep articles to separate folder, & initial rewrites

* vault timeout updates

* totp update

* post-bootstrap update - figcaption style fix

* twostep images

* Final(ish) edits.

* TOTP edits

* sso cheatsheets
This commit is contained in:
fred_the_tech_writer
2020-11-20 17:11:29 -05:00
committed by GitHub
parent d433d70908
commit bd520158cd
81 changed files with 909 additions and 548 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
_articles/account/bitwarden-field-guide-two-step-login.md
View File

@@ -1,177 +0,0 @@
---
layout: article
title: Field Guide for Two-Step Login
categories: [account-management]
featured: false
popular: false
hidden: false
tags: [tutorial, two-step login, 2fa, two factor authentication]
---
## Introducing Two-Step Login
Two-step Login, a type of two-factor authentication, is a technique used to increase the security of websites and apps that contain sensitive data. During the login process, when a user accesses an application or website, they are required to enter another credential beyond just a username and password, usually from a different device, to verify their identity.
{% image two-step/field-guide/two-step-login-basic-setup.png %}
A common consumer example is adding a payee to your online bank account. Here the bank will often send you a text message code to ensure it is actually you adding the new payee. Alternatively, sometimes the verification might be to confirm the change via the banks app on your phone.
Another example is signing in to websites where having a 2nd touchpoint can offer an additional layer of security and protect from unwanted attacks. GitHub offers several two-step login mechanisms for their accounts including:
- SMS number - a text message to your mobile phone
- Authenticator app - linking with an app such as Authy or FreeOTP
- Security keys - using a physical security key such as a YubiKey
Every day, these two-step login options become more common across consumer and business websites.
Password managers can help with two-step login, including sharing login credentials that have two-step login enabled.
In this post, well examine how to use Bitwarden with different implementations of two-step login.
Keep in mind that security often involves a tradeoff between protection and convenience. While we will share different approaches, you can always choose only the ones that are appropriate for you.
### Securing Your Password Manager with Two-step Login
Of course, we recommend that you secure your password manager itself with two-step login.
Two-step login (or two-factor authentication, sometimes abbreviated 2FA) greatly increases the security of your account by requiring you to complete a secondary step while logging into Bitwarden (in addition to your master password). Even if someone were to discover your master password, they could not log into your Bitwarden account without access to the secondary step.
We recommend that all users activate and use two-step login with their Bitwarden account.
Bitwarden supports two-step login using the following methods:
Within the Bitwarden free account
- Authenticator app such as Authy or Google Authenticator
- Email
Within the Bitwarden Premium account
- Duo Security with Duo Push, SMS, phone call, and U2F security keys
- YubiKey (any 4/5 series device or YubiKey NEO/NFC)
- FIDO U2F (any FIDO U2F certified key)
Visit [bitwarden.com/help/article/setup-two-step-login]({% link _articles/account/setup-two-step-login.md %}){:target="\_blank"} for direct links to all of the above two-step login setup methods.
You can also enable multiple two-step login methods.
If you have multiple two-step login methods enabled, the order of preference for the default method that is displayed while logging in is as follows:
FIDO U2F > YubiKey > Duo > Authenticator app > Email.
You can manually switch to and use any method during login, however.
## Using your Password Manager with Websites supporting Two-step Login
As you add more and more applications and websites to your password manager, you have a couple of options for how you implement two-step login.
One option is to use SMS or an authenticator app like Authy or Google Authenticator.
Another option is to use the built in authenticator application within Bitwarden.
### Two-step Login with a third party application
Lets use an example with Reddit. Under the profile icon, you can choose
User Settings > Privacy and Security > Advanced Security > Use two-factor authentication
Reddit will prompt you for your password, and then present this dialog
{% image two-step/field-guide/reddit-2fa-setup.png %}
{% callout info %}
**About Authy and Google Authenticator**<br>
Both of these applications serve the authenticator function well. However, ONLY Authy has the ability to backup your two-factor authentication pairings.
This means that if you rely on Google Authenticator and you lose your phone, you may end up locked out of accounts if you do not have recovery codes for each account.
With Authy, as long as you have your Authy password, you can install Authy on a new device and recover all of your two-step login pairings. [Update May 7, 2020. Google introduced portability of Google Authenticator 2-Step Verification codes across Android devices]
{% endcallout %}
In this case, well use the Authy application as the authenticator. We open it, add an account, scan the barcode and then Authy presents a 6 digit token.
{% image two-step/field-guide/reddit-token.png %}
With that token, we can complete the two-factor authentication setup for Reddit!
{% callout warning %}
Reddit will now offer an option next to the two-factor authentication setting to Get your backup codes. This is a critical step. Should you ever lose the ability to complete two-factor authentication with Authy, you can use one of your backup codes to access Reddit.
{% endcallout %}
While two-factor authentication adds an extra layer of protection to our accounts, it also makes it harder to recover should things go awry. Therefore always approach with attention and secure your backup codes in a place you will remember...maybe even in Bitwarden, unless the 2FA is being used to get into Bitwarden itself.
{% image two-step/field-guide/two-step-login-bitwarden-authy-reddit.png %}
{% callout info %}
**How Authenticators Work**<br>
Authy, Google Authenticator, and Bitwarden all operate similarly for authentication using TOTP which stands for Time-based One-Time Password algorithm. At the initiation such as the QR code scan, both the website and the authenticator app share an authentication key. That key is then used to generate time-based tokens which change every several seconds. Without that original authentication key, it is not possible to create the right token at the right time, thereby providing extra protection.
{% endcallout %}
### Two-step Login with the Bitwarden Authenticator Application
Another option to simplify the use of two-factor authentication is to use the built in authenticator application within Bitwarden.
Understandably, some might ask, “why would I use my password manager for both the main login, and the two-step login? Doesnt that defeat the purpose of having a separate device?”
The answer is nuanced but in the end its up to you - you can choose. Heres why some people choose to incorporate this function directly into Bitwarden:
- It provides a convenience of having extra protection at the website account level without a large inconvenience to a user who needs to regularly login
- It allows for sharing an account with two-factor authentication turned on, which would not be possible otherwise
Of course, some people think that the two-step login process should be kept completely separate, and that is always an option.
The process for setting up Reddit to use Bitwarden for two-step login is similar to the earlier steps.
#### Bitwarden mobile app and QR code scan
Using the Bitwarden mobile app, you can scan the same QR code Reddit presented.
Select the login for Reddit in your Bitwarden Vault, then Edit, then use the camera icon next to the item Authenticator Key (TOTP) to scan the Reddit-presented QR code.
Once you save the item, you now have an entry within your Reddit Login in Bitwarden for Verification Code (TOTP). This is the 6 digit number Reddit needs to complete the two-factor authentication setup.
#### Bitwarden browser extension and manual Authentication key
Directly within the browser extension, you can manually add an Authentication Key to enable two-step login.
When Reddit displays the dialogue with the barcode, it offers two options:
> Step 2: Use your authenticator app to scan the barcode below or **get a token to enter manually instead**.
You can click get a token to enter manually instead to copy the long string of numbers and digits.
Within your browser extension, you can view and edit the Reddit Login, and manually enter the Authenticator Key (TOTP).
- Click the checkmark
- Save the item
- Hit the copy icon next to the Verification Code (TOTP)
- Paste that into the Reddit dialogue
{% image two-step/field-guide/two-step-login-bitwarden-authenticator.png %}
### Using Keyboard Shortcuts with Two-step Login
Once you have your Verification Code within your Reddit login, you can use keyboard shortcuts to smooth the login process.
When you approach the Reddit Login dialogue, use Windows:`Ctrl + Shift + L` or macOS: `Cmd + Shift + L` to enter your username and password. Following that, the Verification Code (TOTP) is automatically added to your clipboard. Use Windows: `Ctrl + V` or macOS: `Cmd + V` to paste it in!
While one can debate whether this process has a different security profile compared to sending a code to a separate physical device, it does offer more protection while also being fast and convenient.
### Sharing Credentials with Two-Step Login Enabled
One benefit of coupling two-step login within Bitwarden is the ability to share that credential with other team members while keeping the two-step login intact.
You can imagine a scenario where two-step login was enabled to the primary users mobile phone. Then if a second user wanted to share that credential, it would require coordinating with the first user via a phone call or text message to share the Verification Code on each login, and doing so within a few seconds.
Through the Bitwarden sharing capabilities, two users can be part of the same organization, and within a collection they can share any number of logins, including those that have two-step login enabled.
As an example, this capability can be extremely useful in cases where two-step login provides extra protection, such as the primary login for a social media site, and you still want to be able to share that login across multiple social media managers.
## Stay safe with Two-step Login
Whichever path you choose, remember the basics
- Use two-step login for your password manager
- Use two-step login for your critical website logins - With a 3rd party app like Authy or FreeOTP; or - Within your password manager such as Bitwarden
Heres to happy logins!
To get your own personal Bitwarden Vault visit [bitwarden.com](https://bitwarden.com). Add Premium Features for full access to the Authenticator built into Bitwarden.

41
_articles/account/lost-two-step-device.md
View File

@@ -1,41 +0,0 @@
---
layout: article
title: I lost my two-step login (2FA) device
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account]
---
If you have lost access to the device or method that you use for two-step login (2FA) you can recover your account using your two-step login **recovery code**.
The recovery code is a 32 character alpha-numeric code. You can get your two-step login recovery code in the [web vault](https://vault.bitwarden.com) under **Settings** &rarr; **Two-step Login**, then click the **View Recovery Code** button. We recommend that you print your recovery code and keep it in a safe place.
{% callout warning %}
Without your recovery code, two-step login can permanently lock you out of your Bitwarden account. It is very important to have your recovery code if you plan to use two-step login. Bitwarden support will not be able to assist you if you lose access to your account.
{% endcallout %}
{% callout success %}
If you still have an active login session open in the browser extension or a mobile application you can export your data from **Tools** &rarr; **Export Vault** so that you can import it back in after the account has been deleted and you have registered again.
{% endcallout %}
## Recovering Your Account
Please use this link to enter your 2FA recovery code: <https://vault.bitwarden.com/#/recover-2fa>
The recovery process will deactivate two-step login on the account so that you can log in without requiring the normal two-step login verification code. You will need to re-enable two-step login in the web vault if you wish to continue using it after recovering the account.
{% callout warning %}
The recovery process also resets your account's recovery code. Make sure that you take note of your new recovery code when re-enabling two-step login.
{% endcallout %}
If you do not have your recovery code, unfortunately there is no way to fully recover the account. The only option to gain access to the account again is to delete the account so that you can register again and start over. Note that deleting the account will also delete all of your stored login data associated with the account.
## Deleting the account
1. Navigate to <https://vault.bitwarden.com/#/recover-delete>
2. Enter your account's email address
3. Go to your email inbox and click the verification link that was sent to you
4. Confirm the delete
You can now register a new account using the same email address. If you have an active subscription use our [contact page](https://bitwarden.com/contact/) to let us know, and we will re-instate it to your newly created account.

33
_articles/account/setup-two-step-login-authenticator.md
View File

@@ -1,33 +0,0 @@
---
layout: article
title: Set up two-step login with an authenticator app
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, google authenticator, authy, totp]
---
Bitwarden supports two-step login by using a third-party authenticator app such as [Authy](https://authy.com/){:target="_blank"}, [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"}, or [FreeOTP](https://freeotp.github.io/){:target="_blank"}.
## Enable Two-step Login with Authenticator App
{% callout warning %}
Two-step login can permanently lock you out of your account. It is very important that you write down and keep your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in a safe place in the event that you lose access to your authenticator app.
{% endcallout %}
1. Log in to the web vault at <https://vault.bitwarden.com>
2. Click **Settings** in the top navigation bar, then click **Two-step Login** from the side menu.
3. Select the **Manage** button for the **Authenticator** option and then type in your master password to continue.
4. Follow the steps that appear
- Download an authenticator app (usually on your mobile device). We recommend [Authy](https://authy.com/){:target="_blank"}.
- Scan the QR code with the app.
- Enter the verification code from the app.
5. Click the **Enable** button. A green alert will appear at the top stating that two-step login has been enabled.
6. Click the **Close** button and confirm that the **Authenticator** option now shows as **Enabled**.
## Test
1. **IMPORTANT:** Ensure that you have copied down your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in case something goes wrong.
2. Log out of the Bitwarden web vault.
3. Log back into the Bitwarden web vault. You should now be prompted with an authenticator two-step login option.
4. Authenticator protection works with all Bitwarden applications (web, mobile, desktop, browser). Log out of and back in to any other Bitwarden applications that you are using to confirm that two-step login via authenticator app is properly working. You will eventually be logged out automatically.

76
_articles/account/setup-two-step-login-duo.md
View File

@@ -1,76 +0,0 @@
---
layout: article
title: Set up two-step login with Duo Security
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, duo, sms]
---
Bitwarden has partnered with Duo Security to bring two-factor authentication to Bitwarden logins, complete with [inline self-service enrollment](https://guide.duo.com/enrollment){:target="_blank"} and [authentication prompt](https://guide.duo.com/prompt){:target="_blank"} (offering SMS, phone call, U2F security keys, and push notifications with the Duo Mobile app).
## Overview
This article takes you through configuring your Bitwarden Premium or Enterprise Organzation account to use Duo two-factor authentication services. You'll sign up for a Duo account, configure Bitwarden to use your new Duo account, and enroll your Bitwarden account and your device for use with Duo's service.
Once you complete this process, Duo Security's two-factor authentication platform protects access to your Bitwarden data by requiring two-step approval when logging in to your Bitwarden vault. If you are using this Duo integration with your Bitwarden enterprise organization, all users in your organization will be required to complete two-factor authentication with Duo when logging into their Bitwarden vault.
## Create a Duo Security Account
A Duo account is required to use this feature. A Duo account [for up to 10 users](https://duo.com/pricing){:target="_blank"} can be created for free.
1. If you do not already have one, sign up for a new Duo account at [https://signup.duo.com/](https://signup.duo.com/){:target="_blank"}
2. Log in to the Duo Admin panel with your Duo account at [https://admin.duosecurity.com/login](https://admin.duosecurity.com/login){:target="_blank"}
3. In the left menu, navigate to **Applications**, then click the **Protect an Application** button.
4. Find/search for the **Bitwarden** application and click the **Protect this Application** button.
5. Note the **Integration Key**, **Secret Key**, and **API Hostname** details. We will need to reference these later when configuring Bitwarden.
{% image two-step/duo/application-details.png %}
## Get the Duo Mobile App
It is recommended to install the free [Duo Mobile](https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile){:target="_blank"} app if you want to take advantage of quickly logging in with push notifications. This is optional since Duo also supports SMS, phone calls, and U2F security keys.
- iOS: [Download on the App Store](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8){:target="_blank"}
- Android: [Download on Google Play](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile){:target="_blank"}
## Enable Two-step Login with Duo
{% callout warning %}
Two-step login can permanently lock you out of your account. It is very important that you write down and keep your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in a safe place in the event that you lose access to your normal two-step login methods.
{% endcallout %}
1. Log in to the web vault at <https://vault.bitwarden.com>.
2. Depending on your account type:
- Premium Users: Click **Settings** in the top navigation bar, then click **Two-step Login** from the side menu.
- Enterprise Organizations: Visit the admin area for your organization. Select **Settings** in the sub-menu and then click **Two-step Login** from the side menu.
3. Select the **Manage** button for the **Duo** option and then type in your master password to continue.
{% image two-step/duo/select.png %}
4. Enter the configuration information provided from the Duo Admin **Bitwarden** application that was set up earlier: **Integration Key**, **Secret Key**, and **API Hostname**.
{% image two-step/duo/config.png %}
5. Click the **Enable** button. A green alert will appear at the top stating that two-step login has been enabled.
6. Click the **Close** button and confirm that the **Duo** option now shows as **Enabled**.
{% image two-step/duo/enabled.png %}
## Enroll and Test
1. **IMPORTANT:** Ensure that you have copied down your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in case something goes wrong.
2. Log out of the Bitwarden web vault (or to be safe in case something is misconfigured, just use a new browser tab so that you can keep your currently logged in browser tab session active).
3. Log back into the Bitwarden web vault. You should now be prompted with a Duo two-step login option.
4. Upon your first login using Duo you may be prompted to enroll your Bitwarden account and device(s) with Duo. Complete the Duo enrollment process following the on-screen instructions.
{% image two-step/duo/enroll1.png %}
{% image two-step/duo/enroll2.png %}
5. After enrolling you can log in with Duo.
{% image two-step/duo/login.png %}
6. Duo security protection works with all Bitwarden applications (web, mobile, desktop, browser). Log out of and back in to any other Bitwarden applications that you are using to confirm that two-step login via Duo is properly working. You will eventually be logged out automatically.
Desktop
{% image two-step/duo/desktop.png %}
Browser extension
{% image two-step/duo/browser.png %}
Mobile
{% image two-step/duo/android.png %}
Congratulations! Your Bitwarden account is now protected by two-step login with Duo Security.

31
_articles/account/setup-two-step-login-email.md
View File

@@ -1,31 +0,0 @@
---
layout: article
title: Set up two-step login with email
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, email, totp]
---
Bitwarden supports two-step login via email. A verification code will be emailed to you during login.
## Enable Two-step Login with Email
{% callout warning %}
Two-step login can permanently lock you out of your account. It is very important that you write down and keep your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in a safe place in the event that you lose access to your email.
{% endcallout %}
1. Log in to the web vault at <https://vault.bitwarden.com>
2. Click **Settings** in the top navigation bar, then click **Two-step Login** from the side menu.
3. Select the **Manage** button for the **Email** option and then type in your master password to continue.
4. Enter an email address that you would like to use that will receive verification codes during login. You can use the same email address that you use for your Bitwarden account or any other email address. Click the **Send Email** button to send a test verification code to that email address.
5. Check your email inbox for the verification code and then enter it into Bitwarden for confirmation.
6. Click the **Enable** button. A green alert will appear at the top stating that two-step login has been enabled.
7. Click the **Close** button and confirm that the **Email** option now shows as **Enabled**.
## Test
1. **IMPORTANT:** Ensure that you have copied down your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in case something goes wrong.
2. Log out of the Bitwarden web vault.
3. Log back into the Bitwarden web vault. You should now be prompted with an email two-step login option.
4. Email protection works with all Bitwarden applications (web, mobile, desktop, browser). Log out of and back in to any other Bitwarden applications that you are using to confirm that two-step login via email is properly working. You will eventually be logged out automatically.

51
_articles/account/setup-two-step-login-u2f.md
View File

@@ -1,51 +0,0 @@
---
layout: article
title: Set up two-step login with FIDO U2F
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, u2f, fido]
---
Bitwarden supports two-step login via [FIDO U2F](https://www.yubico.com/solutions/fido-u2f/){:target="_blank"}. Any FIDO U2F certified device will work. We recommend a [YubiKey](https://www.yubico.com/products/yubikey-hardware/){:target="_blank"}.
{% callout info %}
Due to platform limitations, FIDO U2F cannot be used on all Bitwarden applications. You should enable another two-step login provider so that you can access your account when FIDO U2F cannot be used.
Supported platforms:
- Web vault on a desktop/laptop with a U2F enabled browser (Chrome, Opera, Vivaldi, or [Firefox with FIDO U2F enabled](https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/){:target="_blank"}).
- Browser extensions on Chrome, Opera, Vivaldi, or [Firefox with FIDO U2F enabled](https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/){:target="_blank"}.
{% endcallout %}
## Enable Two-step Login with FIDO U2F
{% callout warning %}
Two-step login can permanently lock you out of your account. It is very important that you write down and keep your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in a safe place in the event that you lose access to your FIDO U2F security key.
{% endcallout %}
1. Log in to the web vault at <https://vault.bitwarden.com>
2. Click **Settings** in the top navigation bar, then click **Two-step Login** from the side menu.
3. Select the **Manage** button for the **FIDO U2F Security Key** option and then type in your master password to continue.
{% image two-step/u2f/select.png %}
4. Follow the instructions shown:
- Give the security key a friendly name to identify it.
- Plug the security key into your computer's USB port and click the **Read Key** button.
- If the security key has a button, touch it. You will receive a success message when your key has been properly read. Click the **Read Key** button to try again if it fails.
{% image two-step/u2f/config.png %}
5. Click the **Save** button. A green alert will appear at the top stating that two-step login has been enabled. You can add up to five security keys to your account.
6. Click the **Close** button and confirm that the **FIDO U2F Security Key** option now shows as **Enabled**.
{% image two-step/u2f/enabled.png %}
## Test
1. **IMPORTANT:** Ensure that you have copied down your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in case something goes wrong.
2. Log out of the Bitwarden web vault.
3. Log back into the Bitwarden web vault. You should now be prompted with a FIDO U2F two-step login option. Insert your FIDO U2F security key (if it has a button, touch it) to complete logging in.
4. Log out of and back in to any other Bitwarden applications that you are using to confirm that two-step login via FIDO U2F is properly working. You will eventually be logged out automatically. If the application (or device) your are using does not support FIDO U2F you will be presented with other two-step login options that you have configured (if any).
Web
{% image two-step/u2f/web.png %}
Browser extension
{% image two-step/u2f/browser.png %}

78
_articles/account/setup-two-step-login-yubikey.md
View File

@@ -1,78 +0,0 @@
---
layout: article
title: Set up two-step login with YubiKey
categories: [account-management]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, yubikey, yubi, yubico]
---
Bitwarden supports two-step login via [YubiKey](https://www.yubico.com){:target="_blank"}. Any YubiKey that supports [OTP capabilities](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/){:target="_blank"} can be used. This includes all YubiKey 4 and 5 series devices as well as YubiKey NEO and YubiKey NFC.
{% callout info %}
Due to platform limitations, YubiKeys cannot be used on all Bitwarden applications. You should enable another two-step login provider so that you can access your account when YubiKeys cannot be used.
Supported platforms:
- Web vault on a device with a USB port that can accept your YubiKey.
- Browser extensions on a device with a USB port that can accept your YubiKey.
- Desktop app on a device with a USB port that can accept your YubiKey.
- CLI on a device with a USB port that can accept your YubiKey.
- Android on a device with [NFC capabilities](https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices){:target="_blank"} or a USB port that can accept your YubiKey. Read more [here](https://forum.yubico.com/viewtopic1c5f.html?f=26&t=1302){:target="_blank"}.
- iOS on a device with [NFC capabilities](https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices){:target="_blank"} or via lightning port with YubiKey 5Ci.
{% endcallout %}
## Enable Two-step Login with YubiKey
{% callout warning %}
Two-step login can permanently lock you out of your account. It is very important that you write down and keep your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in a safe place in the event that you lose access to your YubiKey.
{% endcallout %}
1. Log in to the web vault at <https://vault.bitwarden.com>
2. Click **Settings** in the top navigation bar, then click **Two-step Login** from the side menu.
3. Select the **Manage** button for the **YubiKey OTP Security Key** option and then type in your master password to continue.
{% image two-step/yubikey/select.png %}
4. Follow the instructions shown:
- Plug the YubiKey (NEO, 4, or 5 series) into your computer's USB port.
- Select in the first empty Key input field.
- Touch the YubiKey's button.
Repeat this process for each YubiKey you wish to add to your account. You can add up to five YubiKeys to your account.
{% image two-step/yubikey/config.png %}
5. If you are using a YubiKey that has NFC capabilities (YubiKey NEO or YubiKey 5 NFC), check the **One of my keys supports NFC** checkbox. This option enables the use of your YubiKey on Android and iOS devices that support NFC.
6. Click the **Enable** button. A green alert will appear at the top stating that two-step login has been enabled.
7. Click the **Close** button and confirm that the **YubiKey OTP Security Key** option now shows as **Enabled**.
{% image two-step/yubikey/enabled.png %}
## Test
1. **IMPORTANT:** Ensure that you have copied down your [two-step login recovery code]({% link _articles/account/lost-two-step-device.md %}) in case something goes wrong.
2. Log out of the Bitwarden web vault.
3. Log back into the Bitwarden web vault. You should now be prompted with a YubiKey two-step login option. Insert your YubiKey and touch its button to complete logging in.
4. Log out of and back in to any other Bitwarden applications that you are using to confirm that two-step login via YubiKey is properly working. You will eventually be logged out automatically. If the application (or device) your are using does not support YubiKey you will be presented with other two-step login options that you have configured (if any).
Web
{% image two-step/yubikey/web.png %}
Desktop
{% image two-step/yubikey/desktop.png %}
Browser extension
{% image two-step/yubikey/browser.png %}
Android
{% image two-step/yubikey/android.png %}
iOS
{% image two-step/yubikey/ios.png %}
## Android
If you are having trouble getting the YubiKey NEO or YubiKey 5 NFC to work on your Android device, confirm the following:
1. You have checked the **One of my keys supports NFC** checkbox from step 5 above.
2. Your Android device [supports NFC](https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices){:target="_blank"} and is [known to work properly](https://forum.yubico.com/viewtopic1c5f.html?f=26&t=1302){:target="_blank"} with YubiKey NEO or YubiKey 5 NFC.
3. You have NFC enabled on your Android device. Enable NFC by going to Android **Settings** &rarr; **More** and enable the **NFC** option.
4. Your keyboard layout/format/mode is set to QWERTY.
If the YubiKey NEO or YubiKey 5 NFC can be used on your Android device you will be prompted with a YubiKey option while logging in to Bitwarden. Simply place the YubiKey on the back of your Android device near the NFC receiver. If you do not know where your NFC receiver is located, you may need to move it around some, trying different areas. Once Bitwarden detects the YubiKey it will automatically validate and log you in.

25
_articles/account/setup-two-step-login.md
View File

@@ -1,25 +0,0 @@
---
layout: article
title: Set up two-step login (2FA)
categories: [getting-started, account-management]
featured: false
popular: true
tags: [two-step login, 2fa, two factor authentication, account]
---
Two-step login (or two-factor authentication) greatly increases the security of your account by requiring you to complete a secondary step while logging into Bitwarden (in addition to your master password). Even if someone were to discover your master password, they could not log into your Bitwarden account without access to the secondary step. You can read more about [two-step login here](https://en.wikipedia.org/wiki/Multi-factor_authentication){:target="_blank"}. We recommend that all users activate and use two-step login with their Bitwarden account.
Bitwarden supports two-step login using the following methods:
**Free**
- Authenticator app such as [Authy](https://authy.com/){:target="_blank"} or [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"}, [&rarr; setup]({% link _articles/account/setup-two-step-login-authenticator.md %})
- Email, [&rarr; setup]({% link _articles/account/setup-two-step-login-email.md %})
**Premium**
- Duo Security with Duo Push, SMS, phone call, and U2F security keys, [&rarr; setup]({% link _articles/account/setup-two-step-login-duo.md %})
- YubiKey (any 4/5 series device or YubiKey NEO/NFC), [&rarr; setup]({% link _articles/account/setup-two-step-login-yubikey.md %})
- FIDO U2F (any FIDO U2F certified key), [&rarr; setup]({% link _articles/account/setup-two-step-login-u2f.md %})
You can enable multiple two-step login methods. If you have multiple two-step login methods enabled, the order of preference for the default method that is displayed while logging in is as follows: FIDO U2F &rarr; YubiKey &rarr; Duo &rarr; Authenticator app &rarr; Email. You can manually switch to and use any method during login, however.

35
_articles/account/vault-timeout.md
View File

@@ -1,38 +1,35 @@
---
layout: article
title: Vault timeout options
title: Vault Timeout Options
categories: [account-management]
featured: false
popular: false
tags: [account, vault, timeout, 2FA, two-step]
---
## Vault timeout
Vault Timeout behavior will determine how your Vault will behave after a customizable period of inactivity. Timeout is configured individually from and for each Bitwarden client application that you use (Mobile, Web, Desktop, Browser Extension, etc.).
Vault timeout is an option within your Bitwarden client (mobile, web, desktop, browser, etc) that allows you to stop your vault from being accessed on that client after a configured event or time.
## Options
All clients will support basic time-bound options such as:
- Immediately
- 15 minutes
- 30 minutes
- 1 hour, etc.
You can configure the following options from the **Settings** menu of any Bitwarden client application:
Some clients may support specific functions, such as:
- On system idle
- On browser refresh, etc.
### Vault Timeout (time-constraint)
There are **two options** available to configure what occurs when those time limits or events occur.
Configuring this option will dictate how long Bitwarden will be inactive before timing-out.
{% image /vault-timeout/timeout-options.png %}
Each client application will have unique options (e.g. On System Idle, or On App Restart), however all applications include standard time-based options (e.g. 1 minute, 15 minutes, 1 hour).
## Lock
### Vault Timeout Action
Locking your vault is the default behavior. This will maintain vault data on the device and will only prompt for your master password to decrypt and re-allow access to your vault. Two-factor authentication (2FA) is **not** required when unlocking.
Configuring this option will dictate what Bitwarden will do once the Vault Timeout time-constraint has lapsed. Bitwarden can either:
This is the option most users prefer, as it is usually the fastest and does **not** require the Bitwarden client to be online or able to connect to a Bitwarden server.
- **Lock** (*default*).
## Log Out
Locking your Vault will maintain Vault data on the device. You will only be prompted to enter your Master Password to decrypt your Vault, however no [Two-step Login]({% link _articles/two-step-login/setup-two-step-login.md %}) method will be required to unlock your Vault.
Logging out is the most secure option. This completely removes the Bitwarden data from the device and requires reauthentication to access your vault.
Bitwarden client applications don't need to be online to unlock.
- **Log Out**.
This option will prompt a user for their email and master password, as well as any two-step authentication tokens that may be configured. The Bitwarden client **must** be online to accommodate access to your vault when this option is selected.
Logging Out of your Vault completely removes all Vault data from your device, and will therefore require you to re-authenticate to access your Vault. You will be required to enter your Email Address, Master Password, and any enabled [Two-step Login]({% link _articles/two-step-login/setup-two-step-login.md %}) method in order to access your Vault.
Bitwarden client applications must be online to log in.

55
_articles/features/authenticator-keys.md
View File

@@ -1,40 +1,65 @@
---
layout: article
title: Authenticator key (TOTP) storage and use
title: Bitwarden Authenticator (TOTP)
categories: [features]
featured: true
popular: false
tags: [autofill, auto-fill, totp, 2fa, two-step login, two factor authentication, authenticator]
---
{% callout info %}Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires a premium membership or paid organization account.{% endcallout %}
The Bitwarden Authenticator is an alternative solution to dedicated authentication apps like Authy, which you can use to verify your identity for websites and apps that use Two-step Login. The Bitwarden Authenticator generates 6-digit [Time-based One-time Passwords](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) (TOTPs) using SHA-1 and rotates them every 30 seconds.
Each website that supports [Time-based One-time Password](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) (TOTP) or [Two-factor Authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) (2FA) with an "Authenticator" handles configuration slightly differently. You will need to start the setup from each individual website or service that you are accessing (e.g. google.com, github.com). The option to configure this will commonly be found under the "Security" options of your account.
{% callout info %}Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires Premium or membership to a Paid Organization (Families, Teams, or Enterprise).{% endcallout %}
The Bitwarden [Android](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) and [iOS](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) applications can make adding your TOTP key's easy by scanning a [QR code](https://en.wikipedia.org/wiki/QR_code) to populate the field automatically.
If you're new to using TOTPs for Two-step Login, refer to the [Field Guide to Two-step Login](https://bitwarden.com/help/article/bitwarden-field-guide-two-step-login/#securing-important-websites) for more information.
## Web Vault & Other Applications
## Generate TOTP Codes
Create or edit a login item you wish to store your TOTP key with. In the field labeled "**Authenticator Key (TOTP)**", input the secret key that you are provided with and select save.
Each website that supports TOTPs or [Two-factor Authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) (2FA) with an authenticator handles configuration differently. Start the setup from each individual website or service that you are accessing (e.g. google.com, github.com).
## Mobile Applications
In Bitwarden, you can generate TOTPs using two methods:
Create or edit a login item you wish to store your TOTP key with. In the field labeled "**Authenticator Key (TOTP)**", select the "camera" icon. Scan the QR code you have been presented with and the field will be automatically populated. You can then save the changes.
- From a Bitwarden mobile app by [**Scanning a QR Code**](#scan-a-qr-code)
- From any Bitwarden app by [**Manually Entering a Secret**](#manually-enter-a-secret)
## Using Generated Codes
### Scan a QR Code
The Bitwarden mobile applications and browser extension have the ability to automatically copy a TOTP code to your device clipboard after auto-fill. Auto-fill any item that has a TOTP key stored and submit the information. The service you are logging into will ask for a verification code. Use the paste function of your device to input the code and submit it.
Complete the following steps to setup the Bitwarden Authenticator from the iOS or Android app:
{% callout success %}This feature can be toggled off under Settings &rarr; Options &rarr; Disable Automatic TOTP Copy.{% endcallout %}
1. **Edit** the Vault item for which you want to generate TOTPs.
2. Tap the {% icon fa-camera %} camera icon in the **Authenticator Key (TOTP)** field.
3. Scan the QR code and tap **Save** to begin generating TOTPs.
{% callout warning %} TOTP codes will not automatically copy to the system clipboard when "Enable Auto-fill On Page Load" is enabled in the browser extension.{% endcallout %}
Once setup, Bitwarden Authenticator will continuously generate 6-digit TOTPs rotated every 30 seconds, which you can use as a secondary step for Two-step Login to connected websites or apps.
### Manually Enter a Secret
Setup the Bitwarden Authenticator from any Bitwarden app by copying the secret key (*typically available as an alternative to a QR Code*) from the website or app and pasting it into the **Authenticator Key (TOTP)** field for the corresponding Vault item.
Once setup, Bitwarden Authenticator will continuously generate 6-digit TOTPs rotated every 30 seconds, which you can use as a secondary step for Two-step Login to connected websites or apps.
## Use Generated Codes
Bitwarden Mobile applications and Browser Extensions will automatically copy the TOTP code to your device's clipboard after Auto-fill, unless the **Enable Auto-fill on Page Load** option is active. Paste from your clipboard immediately after successful Auto-fill to use your TOTP.
{% callout success %}This feature can be toggled off under **Settings** &rarr; **Options** &rarr; **Disable Automatic TOTP Copy**.{% endcallout %}
All Bitwarden applications display your rotating TOTP code inside the Vault item, which can be copied and pasted just like a Username or Password.
{% image two-step/totpcode.png Copy a TOTP code %}
## Support for More Parameters
Some services will use different parameters for their TOTP codes. Bitwarden will generate 6-digit codes using SHA-1 and rotate them every 30 seconds by default. Bitwarden can suport parameters digits (1-10), algorithm (SHA-1, SHA-256, and SHA-512), period (> 0) and secret (base32 key).
By default, Bitwarden will generate 6-digit TOTPs using SHA-1 and rotate them every 30 seconds, however some websites or services will expect different parameters. Parameters can be customized in Bitwarden by manually editing the `otpauth://totp/` URI for your Vault item.
Example:
|Parameter|Description|Values|Sample Query|
|---------|-----------|------|------------|
|Algorithm|Cryptographic algorithm used to generate TOTPs.|-sha1<br>-sha256<br>-sha512|`algorithm=sha256`|
|Digits|Number of digits in the generated TOTP.|1-10|`digits=8`|
|Period|Number of seconds with which to rotate the TOTP.|Must be > 0|`period=60`|
For example:
`otpauth://totp/Test:me?secret=JBSWY3DPEHPK3PXP&algorithm=sha256&digits=8&period=60`
Learn more about using otpauth:// uri's here: <https://github.com/google/google-authenticator/wiki/Key-Uri-Format>
Learn more about using `otpauth://` URIs [here](https://github.com/google/google-authenticator/wiki/Key-Uri-Format).

7
_articles/login-with-sso/configure-sso-oidc.md
View File

@@ -10,6 +10,13 @@ order: 04
This article will guide you through the steps required to configure Login with SSO for OpenID Connect (OIDC) authentication.
{% callout info %}
**Configuration will vary provider-to-provider.** Refer to the following Provider Samples as you configure Login with SSO:
- [Okta Sample]({% link _articles/login-with-sso/oidc-okta.md %})
{% endcallout %}
## Step 1: Enabling Login with SSO
Complete the following steps to enable Login with SSO for OIDC authentication:

18
_articles/login-with-sso/configure-sso-saml.md
View File

@@ -9,6 +9,22 @@ order: 03
---
This article will guide you through the steps required to configure Login with SSO for SAML 2.0 authentication.
{% callout info %}
**Configuration will vary provider-to-provider.** Refer to the following Provider Samples as you configure Login with SSO:
- [ADFS Sample]({% link _articles/login-with-sso/saml-adfs.md%})
- [Azure Sample]({% link _articles/login-with-sso/saml-azure.md %})
- [Duo Sample]({% link _articles/login-with-sso/saml-duo.md %})
- [Google Sample]({% link _articles/login-with-sso/saml-google.md %})
- [JumpCloud Sample]({% link _articles/login-with-sso/saml-jumpcloud.md %})
- [Keycloak Sample]({% link _articles/login-with-sso/saml-keycloak.md %})
- [Okta Sample]({% link _articles/login-with-sso/saml-okta.md %})
- [OneLogin Sample]({% link _articles/login-with-sso/saml-onelogin.md %})
Or, refer to the [Field Mappings Reference](#field-mappings-reference) on this page.
{% endcallout %}
## Step 1: Enabling Login with SSO
Complete the following steps to enable Login with SSO for SAML 2.0 authentication:
@@ -85,8 +101,6 @@ Check this checkbox when using trusted and valid certificates from your IdP thro
Before you can continue, you must configure your IdP to receive requests from and send responses to Bitwarden using values from [Step 2: Service Provider Configuration](#step-2-service-provider-configuration).
Configuration can vary provider-to-provider. Refer to the [Field Mappings Reference](#field-mappings-reference) on this page to see how Bitwarden fields correspond to fields in your IdP's GUI.
Depending on your IdP, you may need to create an additional API key or Application ID. We recommend maintaining a distinct Application ID or Reference for Bitwarden.
{% comment %}

29
_articles/login-with-sso/oidc-okta.md Normal file
View File

@@ -0,0 +1,29 @@
---
layout: article
title: Okta OIDC Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, oidc, okta]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (OIDC) implementations with Okta.
Use this as reference material for the [Configure Login with SSO (OIDC)]({% link _articles/login-with-sso/configure-sso-oidc.md%}) article.
## Okta Portal
The following is a sample OIDC implementation with Bitwarden in the Okta Portal:
{% image sso/cheatsheets/oidc-okta/oidc-okta1.png %}
{% image sso/cheatsheets/oidc-okta/oidc-okta2.png %}
## Bitwarden Business Portal
The following is a sample OIDC implementation with Okta in the Bitwarden Business Portal:
{% image sso/cheatsheets/oidc-okta/oidc-okta4.png %}
{% image sso/cheatsheets/oidc-okta/oidc-okta3.png %}

42
_articles/login-with-sso/saml-adfs.md Normal file
View File

@@ -0,0 +1,42 @@
---
layout: article
title: ADFS SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, adfs]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with ADFS.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## ADFS Client Application
The following is a sample SAML 2.0 implementation with Bitwarden in the ADFS client application:
{% image sso/cheatsheets/saml-adfs/saml-adfs2.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs3.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs3.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs4.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs5.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs6.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs7.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs8.png %}
{% image sso/cheatsheets/saml-adfs/saml-adfs9.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with ADFS in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-adfs/saml-adfs1.png %}

25
_articles/login-with-sso/saml-azure.md Normal file
View File

@@ -0,0 +1,25 @@
---
layout: article
title: Azure SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, azure]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with Microsoft Azure.
Use this as reference material for the [Configure Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## Azure Single Sign-on Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the Microsoft Azure Portal:
{% image sso/cheatsheets/saml-azure/saml-azure.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with Microsoft Azure in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-azure/saml-azure-bitwarden.png %}

28
_articles/login-with-sso/saml-duo.md Normal file
View File

@@ -0,0 +1,28 @@
---
layout: article
title: Duo SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, duo]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with Duo.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## Duo Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the Duo Portal:
{% image sso/cheatsheets/saml-duo/saml-duo1.png %}
{% image sso/cheatsheets/saml-duo/saml-duo2.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with Duo in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-duo/saml-duo-bitwarden.png %}

27
_articles/login-with-sso/saml-google.md Normal file
View File

@@ -0,0 +1,27 @@
---
layout: article
title: Google SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, google]
order:
---
This articles contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with Google.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md %}) article.
## Google Admin Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the Google Admin Portal:
{% image sso/cheatsheets/saml-google/saml-google1.png %}
{% image sso/cheatsheets/saml-google/saml-google2.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with Google in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-google/saml-google-bitwarden.png %}

26
_articles/login-with-sso/saml-jumpcloud.md Normal file
View File

@@ -0,0 +1,26 @@
---
layout: article
title: JumpCloud SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, jumpcloud]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with JumpCloud.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## JumpCloud Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the JumpCloud Portal:
{% image sso/cheatsheets/saml-jumpcloud/saml-jumpcloud.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with JumpCloud in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-jumpcloud/saml-jumpcloud-bitwarden.png %}

28
_articles/login-with-sso/saml-keycloak.md Normal file
View File

@@ -0,0 +1,28 @@
---
layout: article
title: Keycloak SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, keyclock]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with Keyclock.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## Keycloak Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the Keycloak Portal:
{% image sso/cheatsheets/saml-keycloak/saml-keycloak2.jpg %}
{% image sso/cheatsheets/saml-keycloak/saml-keycloak1.jpg %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with Keyclock in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-keycloak/saml-keycloak-bitwarden.jpg %}

26
_articles/login-with-sso/saml-okta.md Normal file
View File

@@ -0,0 +1,26 @@
---
layout: article
title: Okta SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, okta]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with Okta.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## Okta Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the Okta Portal:
{% image sso/cheatsheets/saml-okta/saml-okta.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with Okta in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-okta/saml-okta-bitwarden.png %}

32
_articles/login-with-sso/saml-onelogin.md Normal file
View File

@@ -0,0 +1,32 @@
---
layout: article
title: OneLogin SAML Implementation
categories: []
featured: false
popular: false
hidden: true
tags: [sso, saml, onelogin]
order:
---
This article contains sample configurations for Bitwarden **Login with SSO** (SAML 2.0) implementations with OneLogin.
Use this as reference material for the [Configuring Login with SSO (SAML 2.0)]({% link _articles/login-with-sso/configure-sso-saml.md%}) article.
## OneLogin Portal
The following is a sample SAML 2.0 implementation with Bitwarden in the OneLogin Portal:
{% image sso/cheatsheets/saml-onelogin/saml-onelogin1.png %}
{% image sso/cheatsheets/saml-onelogin/saml-onelogin2.png %}
{% image sso/cheatsheets/saml-onelogin/saml-onelogin3.png %}
{% image sso/cheatsheets/saml-onelogin/saml-onelogin4.png %}
## Bitwarden Business Portal
The following is a sample SAML 2.0 implementation with OneLogin in the Bitwarden Business Portal:
{% image sso/cheatsheets/saml-onelogin/saml-onelogin5.png %}

127
_articles/two-step-login/bitwarden-field-guide-two-step-login.md Normal file
View File

@@ -0,0 +1,127 @@
---
layout: article
title: Field Guide to Two-Step Login
categories: [two-step-login]
featured: false
popular: false
hidden: false
tags: [two-step login, 2fa, two factor authentication]
order: 01
---
## What is Two-Step Login?
Two-step Login (also called *Two-factor Authentication* or *2FA*) is an increasingly common security technique used by websites and apps to protect your sensitive data. Websites that use Two-Step Login will require you to verify your identity by entering an additional "token" (also called *Verification Code* or *One-time Password (OTP*)) besides Username and Password, typically retrieved from a different device.
Without physical access to the token from your **Secondary Device**, a malicious actor would be unable to access the Website, even if they discover your Username and Password:
{% image two-step/field-guide/two-step-login-basic-setup.png Basic Two-step Login flow %}
Commonly, websites or apps with sensitive data (for example, your online bank account) will attempt verify your identity outside of the login screen by:
- Sending a token in an SMS / Text message to the mobile device on-file.
- Asking for a token generated by an Authenticator app (for example, Authy) on your mobile device.
- Looking for a token from a physical security key (for example, Yubikey).
### How should I use Two-step Login?
Security often involves a tradeoff between protection and convenience, so ultimately it's up to you! Generally, the two most critical ways to use Two-step Login are:
1. [**To Secure Bitwarden**](#securing-bitwarden)
Bitwarden supports a variety of Two-step Login methods that you can use to secure Vault data. Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password.
2. [**To Secure Important Websites**](#securing-important-websites)
There are a variety of Two-step Login solutions you can use to verify your identity after logging in to a website with a Bitwarden Vault item. In this article we'll discuss using both Authy and **Bitwarden's Built-in Authenticator** for Two-step Login.
## Securing Bitwarden
Since your Password Manager stores all your logins, we highly recommend that you secure it with Two-step Login. Doing so protects *all* your logins by preventing a malicious actor from accessing your Vault, even if they discover your Master Password.
Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password.
{% image two-step/field-guide/two-step-login-bitwarden.png Two-step Login to access Bitwarden %}
**Bitwarden offers several Two-step Login methods for free,** including:
- via an Authenticator app (for example, Authy or Google Authenticator)
- via Email
**For Premium users**, Bitwarden offers several advanced Two-step Login methods:
- Duo Security with Duo Push, SMS, phone call, and U2F security keys
- YubiKey (any 4/5 series device or YubiKey NEO/NFC)
- FIDO U2F (any FIDO U2F certified key)
To learn more about your options, and for help setting up any method, see [Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}).
You can enable any number of methods you'd like, for more information see [Using Multiple Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}).
## Securing Important Websites
Bitwarden probably isn't the only website or app you use that has Two-step Login options, which is especially useful for websites that store sensitive information (for example, Credit Card or Bank Account numbers). Most websites with a Two-step Login option will locate it in the **Settings**, **Security**, or **Privacy** menus.
Activating Two-step Login will typically open a QR code, like this one from Reddit:
{% image two-step/field-guide/reddit-2fa-setup.png %}
Scanning this code with an authenticator app will enable the app to generate rotating 6-digit tokens you can use to verify your identity, like this one generated by Authy:
{% image two-step/field-guide/reddit-token.png %}
### Use Authy
To setup Two-step Login for Reddit using Authy, tap the **Add Account** button and scan the QR code presented by your website or app. Scanning the QR code will generate your 6-digit token. Enter this code in the Verification Code input box to finish setting up Two-step Login with Authy.
{% image two-step/field-guide/two-step-login-bitwarden-authy-reddit.png Two-step Login using Authy %}
Typically, you will be given the option to download **Recovery Codes**. Downloading Recovery Codes is critical to prevent you from losing access to your Two-step Login tokens, even if you lose the device Authy is installed on.
Next time you login to Reddit, you'll be required to verify your identity by entering a Verification Code from Authy. Verification Codes rotate every 30 seconds, so it will be impossible for a malicious actor to discover your code without physical access to your device.
{% callout info %}
Authy is Bitwarden's recommended authenticator app because it includes Authenticator Backups for any device. Backups prevent you from losing access to your Two-step Login tokens, even if you lose the device Authy is installed on. Flip the **Authenticator Backups** toggle on the **Accounts** screen of the Authy app to use this feature.
Other authenticator apps include [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"} and [FreeOTP](https://freeotp.github.io/){:target="_blank"}, and *as of May 7, 2020 Google Authenticator includes Verification Code portability across Android devices.*
{% endcallout %}
### Use Bitwarden Authenticator
**As an alternative to Authy,** Bitwarden offers a built-in authenticator for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).
Bitwarden for iOS and Android can scan QR codes and generate 6-digit tokens just like other authenticator apps. Using Bitwarden Authenticator to secure a website will save a rotating 6-digit token with that login Vault item. You can also manually save your verification code secret to a Vault item from any Bitwarden app.
{% image two-step/field-guide/two-step-login-bitwarden-authenticator.png Two-step Login using Bitwarden %}
For more help setting up and using the Bitwarden Authenticator, see [Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %}).
#### Why Use Bitwarden Authenticator?
Understandably, some users are skeptical about using Bitwarden for token authentication. Remember, security often involves a tradeoff between protection and convenience, so the best solution is up to you. Generally, folks that use Bitwarden Authenticator do so for two reasons:
1. **Convenience**
Bitwarden Mobile apps and Browser Extensions provide Auto-fill capabilities for verification codes. When you use Bitwarden to Auto-fill a Username and Password, it will automatically copy the verification code to your clipboard for easy pasting.
If you're using a Browser Extension, you can chain together the [Login Keyboard Shortcut](https://bitwarden.com/help/article/auto-fill-browser/#keyboard-shortcuts-hot-keys) (Windows: `Ctrl + Shift + L` / macOS: `Cmd + Shift + L` ), following by the Paste shortcut (Windows: `Ctrl + V` / macOS: `Cmd + V`) for lightning-fast logins.
2. **Sharing**
For Organizations, a large benefit of using Bitwarden Authenticator for token verification is the ability to share the token generation among team members. This allows Organizations to protect their accounts with Two-step Login without sacrificing the ability for multiple users to access that account or requiring coordination between two employees to share tokens in an unsafe way.
## Stay Safe with Two-step Login
Whichever path you choose, remember the basics:
- [Secure Bitwarden with Two-step Login](#securing-bitwarden)
- [Secure Important Websites with Two-step Login](#securing-important-websites)
And now that you're a Two-step Login Expert, we recommend that you:
- [Signup for a Bitwarden Account](https://vault.bitwarden.com/#/register)
- [Setup Two-step Login]({% link _articles/two-step-login/setup-two-step-login.md %})
- [Get Premium for access to advanced Two-step Login methods](https://vault.bitwarden.com/#/?premium=purchase)
- [Setup the Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %})
- [Customize your Vault Timeout behavior]({% link _articles/account/vault-timeout.md %})
Heres to many happy logins!

60
_articles/two-step-login/lost-two-step-device.md Normal file
View File

@@ -0,0 +1,60 @@
---
layout: article
title: Lost Two-step Login Device
categories: [two-step-login]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account]
order: 08
---
If you lose access to the device or method that you use for Two-step Login, you can recover your account using a Two-step Login **Recovery Code**.
{% callout warning %}
**Without your Recovery Code, losing access to your device or method will permanently lock you out of your Vault.**
Get your Recovery Code from the Two-step Login screen before enabling any method.
{% endcallout %}
## Get Your Recovery Code
The Recovery Code is a 32 character alpha-numeric code. To retrieve your Recovery Code:
1. Log in to your [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}.
2. Select **Settings** from the top navigation bar.
3. Select **Two-step Login** from the left-side menu.
4. Select the **View Recovery Code** button at the top of the screen.
You will be prompted to enter your Master Password in order to retrieve your Recovery Code.
5. Print your Recovery Code and put it somewhere safe.
## Use your Recovery Code
Using your Recovery will deactivate all Two-step Login methods from your account. You will be required to enter all of the following to use your Recovery Code:
- Email Address
- Master Password
- Recovery Code
Once you use your Recovery Code, you will be required to manually re-activate any Two-step Login methods. Using your Recovery code will also **reset your Recovery Code**. We recommend re-printing your code and to replace the previous one before re-activating any Two-step Login methods.
Follow this link to use your Recovery Code: [https://vault.bitwarden.com/#/recover-2fa](https://vault.bitwarden.com/#/recover-2fa){:target="\_blank"}.
### If you don't have your Recovery Code
If you don't have your Recovery Code, there is no way to fully recover the account. To access Bitwarden with that email address, you will need to delete the account and re-register.
Before deleting your account, check to see whether you have an active **Locked** session (for example, in a Browser Extension or Mobile app). Sessions that are Locked will not require your Two-step Login method. If you do have an active session, export your vault data before deleting the account.
{% callout warning %}
Deleting your account will delete all stored Logins, Identities, Cards, and Secure Notes.
{% endcallout %}
Complete the following steps to delete your account:
1. Navigate to [https://vault.bitwarden.com/#/recover-delete](https://vault.bitwarden.com/#/recover-delete){:target="\_blank"}.
2. Enter your account's Email Address.
3. Open your inbox and click the verification link that was sent to you.
4. Confirm the deletion of your account.
You can now register a new account using the same email address. If you had an active subscription at the time of deletion, [Contact Us](https://bitwarden.com/contact/) and we will re-instate it to your newly created account.

54
_articles/two-step-login/setup-two-step-login-authenticator.md Normal file
View File

@@ -0,0 +1,54 @@
---
layout: article
title: Two-step Login via Authenticator
categories: [two-step-login]
featured: false
popular: false
order: 03
tags: [two-step login, 2fa, two factor authentication, account, google authenticator, authy]
---
Two-step Login using a third-party authenticator app (for example, [Authy](https://authy.com/){:target="_blank"}, [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"}, or [FreeOTP](https://freeotp.github.io/){:target="_blank"}) is available for free to all Bitwarden users.
## Setup an Authenticator
Complete the following steps to enable Two-step Login using an authenticator app:
{% callout warning %}
**Losing access to your authenticator app can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
[Get your Recovery Code]({% link _articles/two-step-login/lost-two-step-device.md %}) from the **Two-step Login** screen before enabling any method.
{% endcallout %}
1. Log in to your [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}.
2. Select **Settings** from the top navigation bar.
3. Select **Two-step Login** from the left-side menu.
4. Locate the **Authenticator App** option and select the **Manage** button:
{% image /two-step/twostep-options-authoverlay.png Select the Manage button %}
You will be prompted to enter your Master Password to continue.
5. Scan the QR code with your authenticator app of choice.
If you don't have an authenticator app on your mobile device yet, download one and scan the QR code. We recommend [Authy](https://authy.com/){:target="_blank"}.
6. Once scanned, your authenticator app will return a 6-digit verification code. Enter the code in the dialog box in your Web Vault and select the **Enable** button.
A green `Enabled` message will indicate that Two-step Login via Authenticator App has been enabled.
6. Select the **Close** button and confirm that the **Authenticator App** option now is enabled, as indicated by a green checkbox ( {% icon fa-check %} ).
{% callout info %}
When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
{% endcallout %}
## Use an Authenticator
The following assumes that **Authenticator** is your [highest-priority enabled method](https://bitwarden.com/help/article/setup-two-step-login/#using-multiple-methods). Complete the following steps to access your Vault using Two-step Login:
1. Log in to your Bitwarden Vault on any app and enter your Email Address and Master Password.
You will be prompted to **Enter the 6 digit verification code from your authenticator app**.
2. Open your authenticator app and find the 6 digit verification code for your Bitwarden Vault. Enter this code on the Vault login screen.
Typically, verification codes will change every 30 seconds.
3. Select **Continue** to finish logging in.
You will not be required to complete your secondary Two-step Login step to **Unlock** your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).

82
_articles/two-step-login/setup-two-step-login-duo.md Normal file
View File

@@ -0,0 +1,82 @@
---
layout: article
title: Two-step Login via Duo
categories: [two-step-login]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, duo, sms]
order: 05
---
Two-step Login using Duo is available for Premium users, including members of a Paid Organization (Families, Teams, or Enterprise).
Enabling Duo for your Organization will prompt all enrolled members to register a device for Duo Two-step Login on their next login. Users with user type **Owner** can enable Two-step Login via Duo for the Organization. For more information, see [User Types and Access Control]({% link _articles/organizations/user-types-access-control.md%}).
## Activate Bitwarden in Duo
In order to use Two-step Login to access Bitwarden using Duo, you'll need a Duo account. [Sign up for free](https://signup.duo.com/){:target="_blank"}, or log in to your existing [Duo Admin Panel](https://admin.duosecurity.com/login){:target="_blank"}, and complete the following steps:
1. In the left menu, navigate to **Applications**.
2. Select the **Protect an Application** button.
3. Find or search for **Bitwarden** in the Applications list, and select the **Protect** button. You will be redirected to a Bitwarden Application page:
{% image two-step/duo/duoportal.png Bitwarden Application page %}
Take note of the **Integration Key**, **Secret Key**, and **API Hostname**. You will need to reference these values when you [Setup Duo](#setup-two-step-login) within Bitwarden.
## Setup Duo
Complete the following steps to enable Two-step Login using Duo:
{% callout warning %}
**Losing access to your Duo-enabled device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
[Get your Recovery Code]({% link _articles/two-step-login/lost-two-step-device.md %}) from the **Two-step Login** screen before enabling any method.
{% endcallout %}
1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
2. If you're an Individual User, select **Settings** from the top navigation bar.
If you're an Organization Owner, open your Organization and select the **Settings** tab.
3. Select **Two-step Login** from the left-side menu.
4. Locate the **Duo** or **Duo (Organization)** option and select the **Manage** option.
{% image two-step/twostep-options-duooverlay.png Select the Manage button %}
You will be prompted to enter your Master Password to continue.
5. Enter the **Integration Key**, **Secret Key**, and **API Hostname** provided in your Duo Admin portal (see [Activate Bitwarden in Duo](#activate-bitwarden-in-duo)).
6. Select the **Enable** button. A green `Enabled` message will indicate that Two-step Login using Duo has been enabled.
7. Select the **Close** button and confirm that the **Duo** option is now enabled, as indicated by a green checkmark ( {% icon fa-check %} ).
{% callout info %}
When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
{% endcallout %}
### Register a Device
In a new tab, navigate to the [Web Vault](https://vault.bitwarden.com){:target="\_blank"}. If Duo is your highest-priority Two-step Login method, you will be prompted by a Duo setup screen. Organization members will be prompted by this screen on their next login.
{% image two-step/duo/enroll1.png Duo Setup Screen %}
Follow the on-screen prompts to finish configuring Two-step Login using Duo (for example, *type of device to register* and *send SMS or send push notification*). If you haven't already downloaded the [Duo Mobile App](#get-the-duo-mobile-app), you will be prompted to do so.
### Get the Duo Mobile App
To take advantage of quick Two-step Login with Duo Push, download the Duo Mobile app for free. You can alternatively use Duo for SMS, phone call, or U2F security key verification.
- [Download for iOS](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8){:target="_blank"}
- [Download for Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile){:target="_blank"}
## Use Duo
The following assumes that **Duo** is your [highest-priority enabled method](https://bitwarden.com/help/article/setup-two-step-login/#using-multiple-methods). Complete the following steps to access your Vault using Two-step Login:
1. Login to your Bitwarden Vault on any app and enter your Email Address and Master Password.
A Duo screen will appear to begin your Two-step Login verification.
3. Depending on how you've configured Duo, complete the authentication request by:
- Approving the **Duo Push** request from your registered device.
- Finding the 6 digit verification code in your **Duo Mobile** app or **SMS** messages, and enter the code on the Vault login screen.
You will not be required to complete your secondary Two-step Login step to **Unlock** your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).

50
_articles/two-step-login/setup-two-step-login-email.md Normal file
View File

@@ -0,0 +1,50 @@
---
layout: article
title: Two-step Login via Email
categories: [two-step-login]
featured: false
popular: false
order: 04
tags: [two-step login, 2fa, two factor authentication, account, email]
---
Two-step Login using email is available for free to all Bitwarden users.
## Setup Email Verification
Complete the following steps to enable Two-step Login using email:
{% callout warning %}
**Losing access to your Two-step Login linked email can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
[Get your Recovery Code]({% link _articles/two-step-login/lost-two-step-device.md %}) from the **Two-step Login** screen before enabling any method.
{% endcallout %}
1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
2. Select **Settings** from the top navigation bar.
3. Select **Two-step Login** from the left-side menu.
4. Locate the **Email** option and select the **Manage** button:
{% image /two-step/twostep-options-emailoverlay.png Select the Manage button %}
You will be prompted to enter your Master Password to continue.
5. Enter the email that you wish you receive verification codes and click the **Send Email** button.
6. Check your inbox for the 6 digit verification code. Enter the code in the dialog box in your Web Vault and select the **Enable** button.
A green `Enabled` message will indicate that Two-step Login via Email has been enabled.
7. Select the **Close** button and confirm that the **Email** option is enabled, as indicated by a green checkbox ( {% icon fa-check %} ).
{% callout info %}
When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
{% endcallout %}
## Use Email Verification
The following assumes that **Email** is your [highest-priority enabled method](https://bitwarden.com/help/article/setup-two-step-login/#using-multiple-methods). Complete the following steps to access your Vault using Two-step Login:
1. Log in to your Bitwarden Vault on any any app and enter your Email Address and Master Password.
You will be prompted to **Enter the 6 digit verification code that was emailed to your configured email**.
2. Check your inbox for the 6 digit verification code. Enter this code on the Vault login screen.
3. Select **Continue** to finish logging in.
You will not be required to complete your secondary Two-step Login step to **Unlock** your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).

67
_articles/two-step-login/setup-two-step-login-u2f.md Normal file
View File

@@ -0,0 +1,67 @@
---
layout: article
title: Two-step Login via FIDO U2F
categories: [two-step-login]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, u2f, fido]
order: 07
---
Two-step Login using [FIDO U2F](https://www.yubico.com/solutions/fido-u2f/){:target="_blank"} is available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).
Any FIDO U2F certified device can be used, however we recommend a [YubiKey](https://www.yubico.com/products/yubikey-hardware/){:target="_blank"}.
{% callout info %}
**FIDO U2F cannot be used on all Bitwarden applications.** Enable another Two-step Login method in order to access your vault on unsupport applications.
Supported applications:
- Web Vault on a computer with a U2F-enabled Browser (Chrome, Opera, Vivaldi, or [Firefox with FIDO U2F enabled](https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/){:target="_blank"}).
- Browser Extensions for a U2F-enabled Browser (Chrome, Opera, Vivaldi, or [Firefox with FIDO U2F enabled](https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/){:target="_blank"}).
{% endcallout %}
## Setup FIDO U2F
Complete the following steps to enable Two-step Login using FIDO U2F:
{% callout warning %}
**Losing access to your FIDO U2F device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
[Get Your Recovery Code]({% link _articles/two-step-login/lost-two-step-device.md %}) from the **Two-step Login** screen before enabling any method.
{% endcallout %}
1. Log in to the [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
2. Select **Settings** from the top navigation bar.
3. Select **Two-step Login** from the left-side menu.
4. Locate the **FIDO U2F Security Key** option and select the **Manage** button.
{% image two-step/twostep-options-u2foverlay.png Select the Manage button %}
You will be prompted to enter your Master Password to continue.
5. Give your security key a friendly **Name**.
6. Plug the security key into your computer's USB port and select **Read Key**.
If your security key has a button, touch it.
7. Select **Save**. A green `Enabled` message will indicate that Two-step Login using FIDO U2F has been successfully enabled and your key will appear with a green checkbox ( {% icon fa-check %} ).
8. Select the **Close** button and confirm that the **FIDO U2F Security Key** option is not enabled, as indicated by a green checkbox ( {% icon fa-check %} ).
Repeat this process to add up to 5 FIDO U2F security keys to your account.
{% callout info %}
When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
{% endcallout %}
## Use FIDO U2F
The following assumes that **FIDO U2F** is your [highest-priority enabled method](https://bitwarden.com/help/article/setup-two-step-login/#using-multiple-methods). Complete the following steps to access your Vault using Two-step Login:
1. Log in to your Bitwarden Vault (*Web Vault* or *Browser Extension*) and enter your Email Address and Master Password.
You will be prompted to insert your security key into your computer's USB port. If it has a button, touch it.
{% image two-step/u2f/web.png %}
You will not be required to complete your secondary Two-step Login setup to **Unlock** your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).

68
_articles/two-step-login/setup-two-step-login-yubikey.md Normal file
View File

@@ -0,0 +1,68 @@
---
layout: article
title: Two-step Login via YubiKey
categories: [two-step-login]
featured: false
popular: false
tags: [two-step login, 2fa, two factor authentication, account, yubikey, yubi, yubico]
order: 06
---
Two-step Login using [YubiKey](https://www.yubico.com){:target="\_blank"} is available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).
Any [YubiKey that supports OTP](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/){:target="_blank"} can be used. This includes all YubiKey 4 and 5 series devices, as well as YubiKey NEO and YubiKey NFC. You can add up to 5 YubiKeys to your account.
## Setup YubiKey
Complete the following steps to enable Two-step Login using Yubikey:
{% callout warning %}
**Losing access to your Yubikey can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
[Get your Recovery Code]({% link _articles/two-step-login/lost-two-step-device.md %}) from the **Two-step Login** screen before enabling any method.
{% endcallout %}
1. Log in to the [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
2. Select **Settings** from the top navigation bar.
3. Select **Two-step Login** from the left-side menu.
4. Locate the **YubiKey OTP Security Key** option and select the **Manage** button.
{% image two-step/twostep-options-yubioverlay.png Select the Manage button %}
You will be prompted to enter your Master Password to continue.
5. Plug the YubiKey into your computer's USB port.
6. Select the first empty YubiKey input field in the dialog in your Web Vault.
7. Touch the Yubikey's button.
If you will be using the YubiKey for a NFC-enabled mobile device, check the **One of my keys supports NFC** checkbox.
8. Select **Save**. A green `Enabled` message will indicate that Two-step Login using YubiKey has been enabled.
9. Select the **Close** button and confirm that the **YubiKey OTP Security Key** option is now enabled, as indicated by a green checkbox ( {% icon fa-check %} ).
Repeat this process to add up to 5 YubiKeys to your account.
{% callout info %}
When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
{% endcallout %}
## Use YubiKey
The following assumes that **YubiKey** is your [highest-priority enabled method](https://bitwarden.com/help/article/setup-two-step-login/#using-multiple-methods). Complete the following steps to access your Vault using Two-step Login:
1. Log in to your Bitwarden Vault on any app and enter your Email Address and Master Password.
You will be prompted to insert your YubiKey into your computer's USB port or hold your YubiKey against the back of your NFC-enabled device:
{% image two-step/yubikey/using-yubi.png %}
2. Select or tap **Continue** to finish logging in.
You will not be required to complete your secondary Two-step Login step to **Unlock** your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).
### Troubleshooting Android
If you do not know where your NFC receiver is located, you may need to move it around some, trying different areas. Once Bitwarden detects the YubiKey it will automatically validate and log you in. If a YubiKey NEO or YubiKey 5 NFC continues to not work on your Android device, check the following:
- That you checked the **One of my keys supports NFC** checkbox during setup.
- That your Android device supports [NFC](https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices){:target="_blank"} and is [known to work properly](https://forum.yubico.com/viewtopic1c5f.html?f=26&t=1302){:target="_blank"} with YubiKey NEO or YubiKey 5 NFC.
- That you have NFC enabled on your Android device (**Settings** &rarr; **More**).
- That your keyboard layout/format/mode is set to QWERTY.

49
_articles/two-step-login/setup-two-step-login.md Normal file
View File

@@ -0,0 +1,49 @@
---
layout: article
title: Two-step Login Methods
categories: [two-step-login]
featured: false
popular: true
order: 02
tags: [two-step login, 2fa, two factor authentication, account]
---
Using Two-step Login (also called *Two-factor Authentication*, or *2FA*) to access your Bitwarden Vault protects *all* your logins by preventing a malicious actor from accessing Vault items, even if they discover your Master Password. Since your Password Manager stores all your logins, we highly recommend that you secure it with Two-step Login.
Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password. You will not be required to complete the secondary step to **Unlock** your Vault. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).
## Available Methods
In the [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}, enable Two-step Login methods from the **Settings** menu.
### Free Methods
Bitwarden offers several Two-step Login methods for free, including:
|Method|Setup Instructions|
|------|------------------|
|via an Authenticator app (for example, [Authy](https://authy.com/){:target="_blank"} or [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"})|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-authenticator.md %}).|
|via Email|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-email.md %}).|
### Premium Methods
For Premium users (including members of Paid Organizations), Bitwarden offers several advanced Two-step Login methods:
|Method|Setup Instructions|
|------|------------------|
|via Duo Security with Duo Push, SMS, phone call, and U2F security keys|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-duo.md %}).|
|via YubiKey (any 4/5 series device or YubiKey NEO/NFC)|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-yubikey.md %}).|
|via FIDO U2F (any FIDO U2F certified key)|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-u2f.md %}).|
## Using Multiple Methods
You can choose to enable multiple Two-step Login methods. Logging in to Bitwarden will prompt for your highest-priority enabled Two-step Login method, according to the following order of preference:
1. FIDO U2F
2. YubiKey
3. Duo
4. Authenticator App
5. Email
You can swap to a lower-preference method by selecting the **Use another two-step login method** button:
{% image two-step/twostep-diffmethod.png Use another two-step login method %}