mirror of https://github.com/bitwarden/help synced 2025-12-06 00:03:30 +00:00
help/_articles/two-step-login/bitwarden-field-guide-two-step-login.md
fred_the_tech_writer 0407739fec Release (#585)
* Promote to Staging (#567)

* mobile launch in GS Guide

* recovery code note -> when does it change

* EA + forgot MP

* Send in Feature tables

* BE Badge Counter

* Send hidden email option

* weak passwords sort

* safari biometrics

* custom fields - keys

* FIDO Updates

* release notes

* updates to user types article (not rel-related)

* Folders Correction (interplay w/ shared items) (non rel-related)

* Send Options Policy

* Hide Custom Fields Update

* rn updates

* final release edits

* safari-biometrics-updates

* biometrics safari fix

* fido list update

* rn date

* link fix

* Update attachments.md

* Update cli.md

* Update 2020-plan-updates.md

* Update about-bitwarden-plans.md

* Update premium-renewal.md

* Update what-plan-is-right-for-me.md

* Update why-choose-bitwarden-for-your-team.md

* Update about-send.md

* Update create-send.md

* Attachments note
2021-05-11 15:43:50 -04:00


---
layout: article
title: Field Guide to Two-Step Login
categories: [two-step-login]
featured: false
popular: false
hidden: false
tags: [two-step login, 2fa, two factor authentication]
order: 01
---

## What is Two-Step Login?

Two-step Login (also called Two-factor Authentication or 2FA) is an increasingly common security technique used by websites and apps to protect your sensitive data. Websites that use Two-step Login require you to verify your identity by entering an additional "token" (also called a Verification Code or One-time Password (OTP)) in addition to your Username and Password. The token is typically retrieved from a different device than the one you are logging in from.

Without physical access to the token from your Secondary Device, a malicious actor would be unable to access the Website, even if they discover your Username and Password:

{% image two-step/field-guide/two-step-login-basic-setup.png Basic Two-step Login flow %}

Commonly, websites or apps with sensitive data (for example, your online bank account) will attempt to verify your identity outside of the login screen by:

  • Sending a token in an SMS / Text message to the mobile device on-file.
  • Asking for a token generated by an Authenticator app (for example, Authy) on your mobile device.
  • Looking for a response from a physical security key (for example, YubiKey).

Of these, SMS is the weakest option, since a code sent to a phone number is only as safe as the number itself; prefer an Authenticator app or a security key when the website offers one.

## How should I use Two-step Login?

Security often involves a tradeoff between protection and convenience, so ultimately it's up to you! Generally, the two most critical ways to use Two-step Login are:

  1. To Secure Bitwarden

    Bitwarden supports a variety of Two-step Login methods that you can use to secure Vault data. Enabling Two-step Login will require you to complete a secondary step each time you Log In, in addition to entering your Master Password.

  2. To Secure Important Websites

    There are a variety of Two-step Login solutions you can use to verify your identity after logging in to a website with a Bitwarden Vault item. In this article we'll discuss using both Authy and Bitwarden's Built-in Authenticator for Two-step Login.

## Securing Bitwarden

Since your Password Manager stores all your logins, we highly recommend that you secure it with Two-step Login. Doing so protects all your logins by preventing a malicious actor from accessing your Vault, even if they discover your Master Password.

Enabling Two-step Login will require you to complete a secondary step each time you Log In, in addition to entering your Master Password. You won't need to complete your secondary step to Unlock your Vault.

{% image two-step/field-guide/two-step-login-bitwarden.png Two-step Login to access Bitwarden %}

Bitwarden offers several Two-step Login methods for free, including:

  • via an Authenticator app (for example, Authy or Google Authenticator)
  • via Email

For Premium users, Bitwarden offers several advanced Two-step Login methods:

  • Duo Security with Duo Push, SMS, phone call, and security keys
  • YubiKey (any 4/5 series device or YubiKey NEO/NFC)
  • FIDO (any FIDO2 WebAuthn certified key)

To learn more about your options, and for help setting up any method, see [Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}).

You can enable any number of methods you'd like, for more information see [Using Multiple Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}).

## Securing Important Websites

Bitwarden probably isn't the only website or app you use that has Two-step Login options, which is especially useful for websites that store sensitive information (for example, Credit Card or Bank Account numbers). Most websites with a Two-step Login option will locate it in the Settings, Security, or Privacy menus.

Activating Two-step Login will typically open a QR code, like this one from Reddit:

{% image two-step/field-guide/reddit-2fa-setup.png %}

The QR code encodes a shared secret. Scanning it with an authenticator app stores that secret in the app, which then uses it to generate rotating 6-digit tokens you can use to verify your identity, like this one generated by Authy:

{% image two-step/field-guide/reddit-token.png %}

### Use Authy

To set up Two-step Login for Reddit using Authy, tap the Add Account button and scan the QR code presented by your website or app. Once the secret is imported, Authy starts generating your 6-digit token. Enter the current token in the Verification Code input box to prove the import worked and finish setting up Two-step Login with Authy.

{% image two-step/field-guide/two-step-login-bitwarden-authy-reddit.png Two-step Login using Authy %}

Typically, you will be given the option to download Recovery Codes. Saving your Recovery Codes is critical to prevent you from losing access to the account, even if you lose the device Authy is installed on. Store them somewhere other than that device.

Next time you log in to Reddit, you'll be required to verify your identity by entering a Verification Code from Authy. Verification Codes rotate every 30 seconds, so a captured code is only useful for a short window, and a malicious actor cannot generate valid codes without the secret stored on your device. A code can still be captured by a fake login page and used within that window, so check the site's address before entering one.

{% callout info %} Authy is Bitwarden's recommended authenticator app because it includes Authenticator Backups for any device. Backups prevent you from losing access to your Two-step Login tokens, even if you lose the device Authy is installed on. Flip the Authenticator Backups toggle on the Accounts screen of the Authy app to use this feature.

Other authenticator apps include Google Authenticator and FreeOTP, and as of May 7, 2020 Google Authenticator includes Verification Code portability across Android devices. {% endcallout %}

### Use Bitwarden Authenticator

As an alternative to Authy, Bitwarden offers a built-in authenticator for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).

Bitwarden for iOS and Android can scan QR codes and generate 6-digit tokens just like other authenticator apps. Using Bitwarden Authenticator to secure a website saves the shared secret (the Authenticator Key) with that login Vault item, and every Bitwarden app then generates the rotating 6-digit token from it. You can also manually enter the verification code secret into a Vault item from any Bitwarden app.

{% image two-step/field-guide/two-step-login-bitwarden-authenticator.png Two-step Login using Bitwarden %}

For more help setting up and using the Bitwarden Authenticator, see [Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %}).
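To make concrete what the QR code carries and how the 6-digit token described above is derived from it, here is a small TOTP (RFC 6238) generator and verifier. This is an added example, not Bitwarden's or Authy's code. The `otpauth://` URI is constructed for illustration (the label and issuer are made up); its secret is the RFC 6238 Appendix B test key, so the generated codes can be checked against the RFC. The verifier side accepts one time step of clock skew in each direction, which is what most websites do.

```python
"""Generate and verify TOTP codes (RFC 6238) from an otpauth:// URI.

Added example, not Bitwarden's code. The URI below is constructed; its
secret is the RFC 6238 Appendix B test key ("12345678901234567890").
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth URI of the kind a site's setup QR code encodes.
EXAMPLE_URI = (
    "otpauth://totp/Reddit:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Reddit&algorithm=SHA1&digits=6&period=30"
)

def parse_otpauth(uri):
    """Extract label, raw secret bytes and parameters from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].strip().replace(" ", "").upper()
    # Sites often show the Base32 secret without '=' padding; restore it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                 "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(params, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    counter = int(at) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])

def verify_totp(params, code, at=None, window=1):
    """Website-side check: accept the current step and `window` neighbouring
    steps to tolerate clock skew; compare in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // params["period"]
    for step in range(counter - window, counter + window + 1):
        expected = hotp(params["secret"], step, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False

def seconds_remaining(params, at=None):
    """Seconds until the current token rotates."""
    if at is None:
        at = time.time()
    return params["period"] - int(at) % params["period"]

if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(f"{p['label']}: {totp(p)} (valid for {seconds_remaining(p)}s)")
```

Two things worth noticing: the token is a pure function of the secret and the current time, which is why copying the secret to a second device (an Authy backup, or a Bitwarden Vault item) yields identical codes there, and why anyone who obtains the secret can generate them too. And because a website accepts a small window of steps, a code is not "dead" the instant the 30-second countdown ends; treat it as usable for about a minute.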

### Why Use Bitwarden Authenticator?

Understandably, some users are skeptical about keeping their tokens in the same place as the passwords those tokens protect. Remember, security often involves a tradeoff between protection and convenience, so the best solution is up to you. Generally, folks that use Bitwarden Authenticator do so for two reasons:

  1. Convenience

    Bitwarden Mobile apps and Browser Extensions provide Auto-fill capabilities for verification codes. When you use Bitwarden to Auto-fill a Username and Password, it will automatically copy the verification code to your clipboard for easy pasting.

    If you're using a Browser Extension, you can chain together the Login Keyboard Shortcut (Windows: Ctrl + Shift + L / macOS: Cmd + Shift + L), followed by the Paste shortcut (Windows: Ctrl + V / macOS: Cmd + V) for lightning-fast logins.

  2. Sharing

    For Organizations, a large benefit of using Bitwarden Authenticator for token verification is the ability to share the token generation among team members. This allows Organizations to protect their accounts with Two-step Login without sacrificing the ability for multiple users to access that account or requiring coordination between two employees to share tokens in an unsafe way.

## Stay Safe with Two-step Login

Whichever path you choose, remember the basics:

And now that you're a Two-step Login Expert, we recommend that you:

Here's to many happy logins!