bitwarden/help
1
0
Fork 0
mirror of https://github.com/bitwarden/help synced 2025-12-15 15:53:53 +00:00
Code Issues Releases Wiki Activity
Files
92097f1c77c9249c66e27d19e98c58fa375e5bb7
help/_articles/two-step-login/setup-two-step-login-fido.md
fred_the_tech_writer 92097f1c77 Potpourri (#714) 
* enterprise policy typo

* more generic language in fido doc

* missing paren

* replace apr image with gif, profit

* fix language that ain't friendly to non-native english speakers (TY @Greenderella)

* faq item for mp hint

* windows firewall exclusion tip

* update cert article w/ powershell instructions for new letsencrypt cert

* improve collection header

* note on self-host server release lag

* duo bypass code tip

* revert
2021-08-19 13:56:49 -04:00

4.0 KiB
Raw Blame History

layout, title, categories, featured, popular, tags, order, redirect_from
layout title categories featured popular tags order redirect_from
article Two-step Login via FIDO2 WebAuthn
two-step-login
false false
two-step login
2fa
two factor authentication
account
u2f
fido
07
/article/setup-two-step-login-u2f/

Two-step Login using FIDO2 WebAuthn authenticators is available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).

Any FIDO2 WebAuthn Certified authenticator can be used, including Security Keys like YubiKeys, SoloKeys, and Nitrokeys, as well as native biometrics options like Windows Hello and Touch ID.

{% callout success %} Existing FIDO U2F security keys will still be usable and will be marked (Migrated from FIDO) on the Two-step Login → Manage FIDO2 WebAuthn dialog. {% endcallout %}

FIDO2 WebAuthn cannot be used on all Bitwarden applications. Enable another Two-step Login method in order to access your vault on unsupported applications. Supported applications include:

Setup FIDO2 WebAuthn

Complete the following steps to enable Two-step Login using FIDO2 WebAuthn:

{% callout warning %} Losing access to your authenticator can permanently lock you out of your Vault, unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.

[Get Your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the Two-step Login screen immediately after enabling any method. {% endcallout %}

  1. Log in to the Web Vault{:target="_blank"}.

  2. Select Settings from the top navigation bar.

  3. Select Two-step Login from the left-side menu.

  4. Locate the FIDO2 WebAuthn option and select the Manage button.

    {% image two-step/twostep-options-fido2.png Select the Manage button %}

    You will be prompted to enter your Master Password to continue.

  5. Give your security key a friendly Name.

  6. Plug the security key into your device's USB port and select Read Key.

    If your security key has a button, touch it.

  7. Select Save. A green Enabled message will indicate that Two-step Login using FIDO2 WebAuthn has been successfully enabled and your key will appear with a green checkbox ( {% icon fa-check %} ).

  8. Select the Close button and confirm that the FIDO2 WebAuthn option is now enabled, as indicated by a green checkbox ( {% icon fa-check %} ).

Repeat this process to add up to 5 FIDO2 WebAuthn security keys to your account.

{% callout info %} When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically. {% endcallout %}

Use FIDO2 WebAuthn

The following assumes that FIDO2 WebAuthn is your highest-priority enabled method. Complete the following steps to access your Vault using Two-step Login:

  1. Log in to your Bitwarden Vault (Web Vault or Browser Extension) and enter your Email Address and Master Password.

    You will be prompted to insert your security key into your device's USB port. If it has a button, touch it.

    {% image two-step/u2f/fido2.png %}

{% callout success %} Check the Remember Me box to remember your device for 30 days. Remembering your device will mean you won't be required to complete your Two-step Login step. {% endcallout %}

You will not be required to complete your secondary Two-step Login setup to Unlock your Vault once logged in. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).