Bitwarden Duo



Overview

If you stick to the Free plan, you can use Bitwarden’s Authenticator app for your 2FA. If you upgrade to Premium, you have more options: Duo, YubiKey, and FIDO U2F. For biometric login, I like that both Touch ID and Face ID are available for this password manager; they save you time compared with typing your credentials. For Bitwarden, short of using a hardware key, Duo is probably the easiest option, since it supports push notifications: all you have to do is tap Accept when you log in from a new device.

Two-Step Login (Duo) provides an additional layer of security when you log in at IU. Also known as two-factor authentication, this helps protect sensitive data and guard against increasingly sophisticated email and online scams (for example, phishing attacks) that can leave you vulnerable to identity theft. IU has partnered with Duo to provide this service.

Logins for all IU students, faculty, staff, retirees, affiliates, and those with Academic (ACNP) status require Two-Step Login (Duo), including group or departmental accounts (but not IU Guest accounts).

Two-Step Login does not protect your passphrase from being hacked, phished, or otherwise compromised. Think of it as a safety net that protects your accounts on IU services if your passphrase is compromised.

Even though Two-Step Login can help protect your account, you should still choose a strong passphrase and take steps to protect it. If there is reason to believe your passphrase has been compromised, UITS will scramble it as a precaution.

Use Two-Step Login (Duo)

Like similar services offered by Google and Facebook, with Two-Step Login, you log in by:

  1. Entering your username and passphrase.
  2. Confirming your login with an enrolled device.

To see how this works, view a video about Two-Step Login in action.

UITS recommends using the Duo Mobile app on your smartphone or tablet, but if you don't have such a device, regular cell phones, landlines, Google Voice phone numbers, MacBooks with Touch ID, and USB security keys are also supported. Single-button hardware tokens are also available.

For step-by-step instructions for all options, see Get started with Two-Step Login (Duo) at IU.

Enroll multiple devices and telephone numbers to ensure alternative methods of two-step login, in case you are separated from your main device. For more, see If your Two-Step Login (Duo) device is not with you, or is lost or stolen.

To reduce how often you need to complete a login with Duo, select Remember me for 7 days when completing a login; for seven days you will then not be asked for Two-Step Login in the browser from which you initiated that login.

If you have autopush enabled, you must first click Cancel to cancel the autopush before you can select Remember me for 7 days.

After canceling the autopush and selecting Remember me for 7 days, resend the push to complete your login.

Bitwarden is an open-source password manager. With Bitwarden_rs you can run a self-hosted server that needs few resources while still offering all of Bitwarden's features.

Bitwarden_rs Duo

Bitwarden makes it possible to share and sync usernames and passwords across all your devices and web browsers.

In this example I’ll be using two PCs: one for compiling and one for hosting, because the VPS I run this on isn’t powerful enough to compile the binaries.

On compile machine

Install dependencies

Compile bitwarden_rs

Compile vault

Clone and checkout repository

Patch web vault to work with Bitwarden RS

Download the most recent Bitwarden_RS patch for the Bitwarden web vault. This can be done using one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

  • Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
  • Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
  • Click on “raw” to get a direct link to the patch file.
  • Download with wget and use git apply.

For example:

Build the web vault

NB: Do not run the following commands as root. Building the web vault will fail.

Copy

On remote host

Use this file as a template. Alter all uncommented variables to match your environment.

Add nginx vault.conf. The following config assumes that you have already installed and configured certbot / letsencrypt and retrieved a certificate.

Set up Fail2ban

If you are using Fail2Ban, you can add this configuration to keep out unwanted guests:
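As an added example (it is not the page's own fail2ban configuration, which is not reproduced here), the script below runs a bitwarden-admin style failregex over a few constructed log lines, the way fail2ban-regex does for a real log, so you can confirm the filter still matches after the log-format change recorded in the update notes. The log-line layout, the regex with its optional "Unauthorized Error: " prefix, the function names and the 203.0.113.x addresses are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the page's own fail2ban filter. It checks a bitwarden-admin style
# failregex against constructed log lines, which is what fail2ban-regex does for real logs.
# Assumption (not from the page): log lines look like
#   [date time][module][LEVEL] Invalid admin token. IP: <address>.
# and the filter treats the old "Unauthorized Error: " prefix as optional, so one filter
# works both before and after the change mentioned in the 2021-04 update note.

# The regex as it would appear under failregex = in filter.d/bitwarden-admin.conf.
# <ADDR> is fail2ban's address placeholder; grep does not know it, so it is expanded below.
FAILREGEX='^.*(Unauthorized Error: )?Invalid admin token\. IP: <ADDR>.*$'
ADDR_PATTERN='[0-9]{1,3}(\.[0-9]{1,3}){3}'   # IPv4 only, enough for this check

# Constructed sample log: old format, new format, and an unrelated INFO line.
SAMPLE_LOG='[2021-04-01 10:00:00][bitwarden_rs::api::admin][ERROR] Unauthorized Error: Invalid admin token. IP: 203.0.113.5.
[2021-04-01 10:00:05][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.6.
[2021-04-01 10:00:09][bitwarden_rs::api::admin][INFO] Admin token accepted. IP: 203.0.113.7.'

# Replace <ADDR> with the IPv4 pattern using parameter expansion (no sed escaping issues).
grep_regex() {
    printf '%s%s%s\n' "${FAILREGEX%%<ADDR>*}" "$ADDR_PATTERN" "${FAILREGEX#*<ADDR>}"
}

# Number of lines the filter would count as failures towards the jail's maxretry.
count_failures() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec "$(grep_regex)"
}

# The addresses fail2ban would extract from <ADDR> and, after maxretry, ban.
failing_addrs() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$(grep_regex)" \
        | sed -E "s/.*IP: ($ADDR_PATTERN).*/\1/"
}

# Stand-alone run: show the effective regex and what it catches.
echo "regex: $(grep_regex)"
echo "failures: $(count_failures)"
failing_addrs
```

Against the real log, use fail2ban's own tester, fail2ban-regex <logfile> /etc/fail2ban/filter.d/bitwarden-admin.conf, which reports how many lines matched; a filter that silently stops matching after an upgrade is the failure mode the 2021-04 update note describes, and this kind of check is how you notice it.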

Set up logrotation

Over time, the Bitwarden_RS log file can grow to a significant size. Using logrotate, we can periodically rotate logs.

NB: To view a compressed log file without manually decompressing:


Backup

If you’d like to back up the Bitwarden server, use the following steps.

Bitwarden

Export the sqlite database:

If you have already set up backups for other services, add these paths to your list of backup targets:
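As an added example (not the page's own backup commands), the script below snapshots a Bitwarden_RS data directory and verifies the copied database. Since the page does not say, it assumes that the data directory contains db.sqlite3, attachments/, the rsa_key* files and config.json, that the sqlite3 command-line tool is installed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the page's own backup commands. Snapshots a Bitwarden_RS data
# directory and verifies the copied database.
# Assumptions (not stated on the page): the data directory holds db.sqlite3, attachments/,
# rsa_key* (the key pair used to sign login tokens) and config.json, and sqlite3 is installed.
# A plain cp of a database that is in use can capture a half-written page, so the copy goes
# through SQLite's online backup API (the .backup command); cp is only a fallback for a
# stopped service.

backup_bitwarden() {
    src="$1"    # data directory, e.g. the data folder configured in your .env
    dest="$2"   # destination directory, created if missing
    if [ ! -f "$src/db.sqlite3" ]; then
        echo "no db.sqlite3 in $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$src/db.sqlite3" ".backup '$dest/db.sqlite3'"
    else
        echo "sqlite3 not found; copying the file directly (stop the service first)" >&2
        cp "$src/db.sqlite3" "$dest/db.sqlite3"
    fi
    # Everything else is ordinary files and can be copied as-is.
    if [ -d "$src/attachments" ]; then cp -R "$src/attachments" "$dest/"; fi
    if [ -f "$src/config.json" ]; then cp "$src/config.json" "$dest/"; fi
    for key in "$src"/rsa_key*; do
        if [ -f "$key" ]; then cp "$key" "$dest/"; fi
    done
}

# Check that the backed-up database exists and is a consistent SQLite file.
# Without sqlite3 there is nothing to check beyond the file being present.
verify_backup() {
    db="$1/db.sqlite3"
    [ -f "$db" ] || return 1
    if command -v sqlite3 >/dev/null 2>&1; then
        [ "$(sqlite3 "$db" 'PRAGMA integrity_check;')" = "ok" ]
    fi
}

# Usage:
#   backup_bitwarden /path/to/data /path/to/backups/$(date +%F) && verify_backup /path/to/backups/$(date +%F)
```

If you use the MySQL or PostgreSQL backend mentioned in the update notes, replace the sqlite3 step with that database's own dump tool (mysqldump or pg_dump); the attachments, key files and config.json are copied the same way.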

Upgrade Bitwarden RS and web vault

On build machine

Update system packages

Remove old build and sources

Upgrade Rust

Build Bitwarden RS


Build Bitwarden web vault

Clone Bitwarden web vault repository

Download the most recent Bitwarden_RS patch for the Bitwarden web vault

This can be done using one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

  • Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
  • Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
  • Click on “raw” to get a direct link to the patch file.
  • Download with wget and use git apply.

For example:
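For both patch steps, the first-time build above and this upgrade step, here is an added shell example; it is not the page's own command sequence. The bw_web_builds URL layout (patches/<tag>.patch under raw.githubusercontent.com), the function names and the list of available patch names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the page's own commands. Selects the bw_web_builds patch for the
# web-vault tag you checked out: option A is the patch named exactly after the tag, option B
# (the 404 case) is the newest patch that is not newer than the tag.
# Assumptions not stated on the page: patches are served as
#   https://raw.githubusercontent.com/dani-garcia/bw_web_builds/master/patches/<tag>.patch
# and the list of available patch names is what you would read off the patches page.
PATCH_BASE='https://raw.githubusercontent.com/dani-garcia/bw_web_builds/master/patches'

# Constructed list of patch file names for this example; real names come from the
# patches directory linked above.
AVAILABLE_PATCHES='v2.14.0.patch v2.15.1.patch v2.16.1.patch v2.16.2.patch'

# Option A: the patch URL for an exact tag.
patch_url() {
    printf '%s/%s.patch\n' "$PATCH_BASE" "$1"
}

# True when version $1 <= version $2. sort -V orders v2.9.0 before v2.10.0, which a plain
# string comparison would get wrong.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Option B: tag of the newest available patch whose version does not exceed the
# checked-out tag. $1 = tag, $2 = whitespace-separated patch file names.
# Fails when no patch qualifies.
closest_patch_tag() {
    tag="$1"
    best=''
    for p in $2; do
        v="${p%.patch}"
        if version_le "$v" "$tag"; then
            if [ -z "$best" ] || version_le "$best" "$v"; then
                best="$v"
            fi
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Download and apply a patch, refusing to modify the tree unless it applies cleanly.
# Run inside the cloned web-vault checkout; wget reports a 404 as a non-zero exit status.
apply_vault_patch() {
    url="$1"
    wget -q -O bw_web_builds.patch "$url" || { echo "download failed: $url" >&2; return 1; }
    git apply --check bw_web_builds.patch || { echo "patch does not apply cleanly" >&2; return 1; }
    git apply bw_web_builds.patch
}

# Usage, from inside the web-vault checkout (nothing is downloaded just by sourcing this file):
#   TAG=$(git tag --sort=v:refname | tail -n1)
#   apply_vault_patch "$(patch_url "$TAG")" \
#     || apply_vault_patch "$(patch_url "$(closest_patch_tag "$TAG" "$AVAILABLE_PATCHES")")"
```

The git apply --check step is the part worth keeping even if you pick the patch by hand: a patch for a neighbouring version may apply only partially, and checking first means a mismatch leaves the checkout untouched instead of half-patched.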

Compile web vault

Copy upgraded binary and vault

On remote / public machine

Update notes

  • 2020-07: Improved web-vault instructions, added upgrade steps.
  • 2020-08: Noticed missing nginx config example. Added this.
  • 2020-09: Added some cleanup steps.
  • 2020-10: Updated to latest versions. Added new configuration options. Include MySQL and PostgreSQL backends next to the existing SQLite backend in compile steps.
  • 2020-12: Update to latest versions. Added logrotate config.
  • 2021-04: A reader notified me that the Bitwarden admin Fail2ban regex in /etc/fail2ban/filter.d/bitwarden-admin.conf should be updated. Bitwarden no longer prepends the log entry with “Unauthorized Error: “. This has been corrected.
