
Bitwarden/Yubikey peculiar behavior - security risk?


I use Bitwarden as a password manager, and have configured Yubikey as a two-factor authentication method with it.

 

For some reason, when I log in to the web vault, or the extension, in Chromium Edge (currently 79.0.301.2) launched normally, after entering the master password it doesn't prompt for confirmation from the Yubikey, but the login succeeds anyway. (This is not the case if I open an InPrivate or Application Guard window, in which case the 2FA prompt appears and the login procedure goes as expected.)

 

Anyone else seeing this one? And is it the security bug it rather appears to be?

 
