2FA Disable Button in the Admin Interface

[MagnavoxTG]

Hi everyone,

I am currently migrating from KeepassXC to Vaultwarden because of the synchronization and other qol improvements.

I noticed that there is the option to remove the 2fa of any vault/account in the admin interface. Is there a way to make 2fa non removable because that creates a security risk.
Even if you disable the admin interface if somebody where to get access to your server or to your vault data they could just remove the 2fa from the vault which would make it easier to brute force. I would really like to use my yubikeys as 2fa like I do with keepass and have my vault permanently encrypted with the yubikeys.
Is there a way I can do that with vaultwarden or is that just not an option?

[kpfleming]

if somebody where to get access to your server or to your vault data

In that situation you have much more serious concerns than the attacker disabling 2FA for login :-)

Also the 2FA mechanism is not involved in the encryption of your data; it's a second factor used to authenticate logins, but the vault data is encrypted using only the master password/passphrase.

[MagnavoxTG]

Thanks! That means there is no way to actually use 2FA in the vault encryption got it.
And yes ofc you got other problems when somebody got access to your server/vault data but even in these situations you want it to be as secure as possible so if there was a way to encrypt it with a hardware key why not do it :)

Edit: Actually I would argue that especially in a situation where an attacker gets access to your vault data though server access or a leak of the cloud host provider if you were to use one you would want that extra bit of encryption. That would take a vault with a strong master password from very unlikely to be decrypted to nobody on earth is gonna decrypt that (provided the encryption mechanism used does not have vulnerabilities/backdoors)

[kpfleming]

If it was encrypted with a hardware key then you'd lose the ability to decrypt it if that key was lost or damaged beyond usability. Providing redundancy would then complicate the encryption/decryption mechanism substantially.

It may be worth your time to read the Bitwarden whitepaper about how encryption is implemented in Bitwarden clients; it's quite secure as it is. The mechanism is already close to 'nobody will ever decrypt it' if a suitably strong master password is used.

[MagnavoxTG]

I will take a look at that whitepaper!
For the multiple keys thing - keepass uses a HMAC-SHA1 challenge response and that can be synced between multiple physical keys. This has its own security implications since its not unique to each physical key but still an improvement over just having a password.
And just to clarify I very much think that in most real world application nobody is ever gonna crack that vault unless they get the password somehow (which is where 2fa would help protect against) but its still interesting to discuss edge-cases and when security can be improved why not do so :)