Bitwarden Fido2

  • A little part of me dies every time I log in with Yubikey OTP. FIDO2/Webauthn is supported by pretty much every major platform at this point. I would have expected Bitwarden to jump on this given how security-focused the team seems to be.

FIDO2 and U2F Security Keys. FIDO2 security keys are an unphishable, standards-based passwordless authentication method that can come in any form factor. Token2 FIDO2 security keys let organizations and users sign in with a USB key without entering a password (for example with Azure Passwordless), or can be used as a second factor (i.e.

Losing access to your YubiKey can permanently lock you out of your Vault, unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.

Managing and using passwords can be cumbersome, less secure, and more time-consuming.

Computer passwords date all the way back to the 1960s, with the invention being credited to computer scientist Fernando Corbato. Flash forward 60 years and the computer password is more common than the constant dread of our inevitable demise (although the latter may have something to do with sitting at home 24/7).

A quick check of my password vault shows that I have 193 sets of credentials for different websites, apps, and services. Even though many people now use password managers with password generators and automated checks for breached credentials, staying on top of everything is going to be difficult either way.

As far as I know, I’m fortunate enough to have never had my credentials compromised – at the very least ones that I care about. However, if the floods of data breaches from major companies have taught us anything it’s that no matter how good your security practices are, you still have to trust the service you give your information to.

Enter passwordless authentication. In 2004, Bill Gates proclaimed that passwords are going to die off.

“Another major issue for identity systems… the weakness is the password,” Gates said. “We aren’t going to be able to rely on passwords… We’re moving towards biometrics and smart cards.”

It may have taken longer than expected, but he was right – the move to passwordless authentication is gathering speed. It will be a process that may take a decade or even two but it’s a process that is necessary in a world more interconnected than ever.

The problem with passwords has always been the human element – there’s a reason phishing scams are so prevalent. Socially engineering information from people is much easier than hacking an international conglomerate.

The latest guidance from the National Cyber Security Centre states that where possible, you should “reduce reliance on passwords and implement passwordless authentication, such as Windows Hello.”

Not only does going passwordless make life much easier for both users and system administrators, it also eradicates one of the weakest authentication factors: something you know. You can then use other factors to authenticate, such as biometrics (something you are) or hardware tokens (something you have), both of which would be much more difficult (if not impossible) to obtain with a basic phishing attack.

Of course, these methods aren’t without their flaws, but it’s undeniable that they are much harder to steal by the very kind Mr Michael Smith from Microsoft Technical Support calling you about the virus he spotted on your PC.

In the case of hardware tokens, imagine a USB FIDO2 key. When the key is set up, a key pair is generated: the private key is stored on the device and never leaves it, while the public key is registered with the service for authentication. Obtaining that registered public key therefore gives an attacker nothing, because it cannot be used to authenticate without the private key held securely on your token. Pair a FIDO2 token with your fingerprint and you have more security than a password could ever realistically provide.

Not many services support passwordless authentication yet. In fact, not all services even support multi-factor authentication (dammit, some sites don’t even allow passwords with more than 12 characters).

However, a big service that does allow you to lose your password is Windows 10. Since Windows 10 version 2004 (released May 2020), you can now use passwordless sign-in with Windows Hello as long as you are using a Microsoft account to log into your PC. To enable passwordless authentication go to Settings > Accounts > Sign-in options and select On under Make your device passwordless.

What’s more, Windows Hello is now also supported as a FIDO2 authenticator across major browsers including Chrome and Firefox.

For business users within the Microsoft ecosystem, the company announced earlier this month that passwordless sign-in is now available in public preview in Azure AD.

Latest Posts

Some time ago, I replaced LastPass with the Bitwarden password manager for personal use. I wanted something that had the features of LastPass, but could be self hosted. Bitwarden checks all of those boxes with a really slick set of clients, a Docker based server package and a super responsive developer.

The Docker container comes with a really easy to use script to launch it, configure it…and update it. I have a scheduled job that runs every night to update the Docker containers. Unfortunately, I woke up this morning to an inaccessible Bitwarden web vault. This one took a while to figure out.

Starting with a little background about my setup. I have Bitwarden (and many other services) running behind a NetScaler Content Switch running on a NetScaler VPX appliance. The main reason is to allow multiple services to share port 443 on my single public IP. Although, it does also let me use all kinds of fun NetScaler security features on my public facing services.

PRTG monitoring showed that the Bitwarden web vault went down at the same time that the update script installed the recent 1.23.0 update. Trying to access the site through a browser just timed out with no response. The site was available by hitting the backend web server directly.

Digging through the update notes, I found this commit. Ok, that’s a pretty secure cipher suite. The DEFAULT_BACKEND cipher suite that the NetScaler assigns to all services by default doesn’t include any of those ciphers.

Ok, easy enough to fix… I create a new cipher group that includes all of the fancy new ciphers that Bitwarden wants to use, assign the new group to my load balancer service and… nothing.

After a lot of digging around in logs and traces, I think to take a look at the NetScaler supported ciphers list. Read close, and you’ll find these notes:

  1. The following curves are supported for ECDHE key exchange algorithms:
    • ECDHE 521 curve
    • ECDHE 384 curve
    • ECDHE 256 curve
    • ECDHE 224 curve
    For more information about the ECDHE ciphers supported on a NetScaler appliance, see Configuring ECDHE Ciphers.
  2. AES-GCM/SHA2 ciphers are supported on both the front end and back end SSL entities on an MPX appliance. On an SDX appliance, an SSL chip must be assigned to the VPX instance for this support. AES-GCM/SHA2 ciphers are supported only on the front end SSL entities on a VPX appliance.
  3. All ChaCha20-Poly1305 ciphers use a TLS pseudo random function (PRF) with the SHA-256 hash function.

If you combine notes 2 and 3, every cipher in Bitwarden’s new Nginx configuration (AES-GCM, SHA2-MAC and ChaCha20-Poly1305 suites) is unsupported for backend services on a NetScaler VPX.

To fix, you need to edit the default.conf file in the Bitwarden Docker persistent location (/opt/bitwarden/bwdata/nginx/default.conf). After backing up the file, look for the following line:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Replace that line with the original cipher set:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH';

Then restart the bitwarden-nginx docker container. Everything should be back up and running.

Since Bitwarden is only accessible through the NetScaler, having a weaker cipher set on the backend server should not weaken the overall security: the weaker suites only ever apply to the NetScaler-to-backend hop on your internal network, and you should have a solid SSL configuration on your front end already.

EDIT

Bitwarden’s developer, Kyle, was kind enough to point out that the ciphers in the default.conf file will be reset each time the docker update script is run. To deal with this, I have added a line to my cron script that runs the updates. Below is the entire script I use with cron to update Bitwarden and reset the ciphers for NetScaler compatibility.

#!/bin/sh

# Update the Bitwarden Docker containers (updateself refreshes bitwarden.sh itself first)
cd /opt/bitwarden || exit 1
./bitwarden.sh updateself > /root/updateself.log
./bitwarden.sh update > /root/update.log

# Replace the new Nginx ciphers with the old ones to maintain NetScaler compatibility.
# The sed expression is double-quoted so that the single quotes around the cipher list
# survive into default.conf; 'c' replaces the whole line that matches /ssl_ciphers/.
sed -i "/ssl_ciphers/c ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH';" /opt/bitwarden/bwdata/nginx/default.conf

# Restart so nginx picks up the restored cipher list
./bitwarden.sh restart

exit 0
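A pre-flight check for the cipher problem described above, written here as an added example rather than the post author's own script: it reads the ssl_ciphers directive from an nginx default.conf, reports what a NetScaler VPX could still negotiate on a backend service (applying the vendor's notes 2 and 3, so SHA2-MAC suites count as unsupported alongside AES-GCM and ChaCha20-Poly1305), and swaps in a replacement list only when nothing usable remains. The sample default.conf is constructed, `restore_vpx_ciphers` is a hypothetical helper, and GNU sed is assumed for `-i`.

```shell
#!/bin/sh
# Added example, not the post author's script: check whether the ssl_ciphers line
# of an nginx default.conf leaves a NetScaler VPX anything it can negotiate on a
# BACKEND service. Per the vendor notes quoted above, AES-GCM, SHA2-MAC and
# ChaCha20-Poly1305 suites are front-end only on a VPX, so a list made solely of
# those leaves the backend unreachable through the content switch.

VPX_BACKEND_UNSUPPORTED='GCM|CHACHA20|SHA256|SHA384'

# Constructed sample with the shape of Bitwarden's post-update default.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 8443 ssl http2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256';
}
EOF

# Print the colon-separated list from the first ssl_ciphers directive in $1.
extract_ciphers() {
    sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*['\"]\{0,1\}\([^'\";]*\)['\"]\{0,1\};.*/\1/p" "$1" | head -n 1
}

# Print the entries a VPX backend can still use (empty output means none).
vpx_backend_usable() {
    extract_ciphers "$1" | tr ':' '\n' | grep -Ev "$VPX_BACKEND_UNSUPPORTED" | tr '\n' ':' | sed 's/:$//'
}

# Count the entries a VPX backend would reject.
vpx_backend_rejected_count() {
    extract_ciphers "$1" | tr ':' '\n' | grep -Ec "$VPX_BACKEND_UNSUPPORTED"
}

# Hypothetical helper: swap in cipher list $2 only when $1 has nothing a VPX backend
# can use. Keeps a timestamped backup, so running it after every update is safe and
# reversible. Assumes GNU sed for -i; $2 must not contain '|' or '&'.
restore_vpx_ciphers() {
    conf=$1; ciphers=$2
    [ -z "$(vpx_backend_usable "$conf")" ] || return 0
    cp "$conf" "$conf.$(date +%s).bak"
    sed -i "s|^\([[:space:]]*\)ssl_ciphers .*;|\1ssl_ciphers '$ciphers';|" "$conf"
}

# Verdict for the sample: nothing usable, three entries rejected.
if [ -z "$(vpx_backend_usable "$SAMPLE_CONF")" ]; then
    echo "VPX backend cannot use any suite; $(vpx_backend_rejected_count "$SAMPLE_CONF") rejected"
fi
```

Pointing `vpx_backend_usable` at /opt/bitwarden/bwdata/nginx/default.conf right after the update script tells you whether the cipher swap is needed before you restart the container.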