Home

Bitwarden/Yubikey peculiar behavior - security risk?

%3CLINGO-SUB%20id%3D%22lingo-sub-916932%22%20slang%3D%22en-US%22%3EBitwarden%2FYubikey%20peculiar%20behavior%20-%20security%20risk%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916932%22%20slang%3D%22en-US%22%3E%3CP%3EI%20use%20Bitwarden%20as%20a%20password%20manager%2C%20and%20have%20configured%20Yubikey%20as%20a%20two-factor%20authentication%20method%20with%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20some%20reason%2C%20when%20I%20log%20in%20to%20the%20web%20vault%2C%20or%20the%20extension%2C%20in%20Chromium%20Edge%20(currently%26nbsp%3B%3CSPAN%3E79.0.301.2)%20launched%20normally%2C%20after%20entering%20the%20master%20password%20it%20doesn't%20prompt%20for%20confirmation%20from%20the%20Yubikey%2C%26nbsp%3B%3CEM%3Ebut%20the%20login%20succeeds%20anyway%3C%2FEM%3E.%20(This%20is%20not%20the%20case%20if%20I%20open%20an%20InPrivate%20or%20Application%20Guard%20window%2C%20in%20which%20case%20the%202FA%20prompt%20appears%20and%20the%20login%20procedure%20goes%20as%20expected.)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAnyone%20else%20seeing%20this%20one%3F%20And%20is%20the%20security%20bug%20it%20rather%20appears%20to%20be%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Cerebrate
Frequent Visitor

I use Bitwarden as a password manager, and have configured Yubikey as a two-factor authentication method with it.

 

For some reason, when I log in to the web vault, or the extension, in Chromium Edge (currently 79.0.301.2) launched normally, after entering the master password it doesn't prompt for confirmation from the Yubikey, but the login succeeds anyway. (This is not the case if I open an InPrivate or Application Guard window, in which case the 2FA prompt appears and the login procedure goes as expected.)

 

Anyone else seeing this one? And is the security bug it rather appears to be?

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Dev channel update to 80.0.355.1 is live
josh_bodner in Discussions on
67 Replies