Admin ConsoleSingle Sign-On

Trusted Device Decryption

SSO with trusted devices allows users to authenticate using SSO and decrypt their vault using a device-stored encryption key, eliminating the need to enter a master password. Trusted devices must either be registered in advance of the login attempt, or approved through a few different methods.

SSO with trusted devices gives business end users a passwordless experience that is also zero-knowledge and end-to-end encrypted. This prevents users from getting locked out due to forgotten master passwords and allows them to enjoy a streamlined login experience.

Start using trusted devices

To get started using SSO with trusted devices:

  1. Setup SSO with trusted devices for your organization.

  2. Provide administrators with information on how to approve device requests.

  3. Provide end-users with information on how to add trusted devices.

How it works

The following tabs describe encryption processes and key exchanges that occur during different trusted devices procedures:

When a new user joins an organization, an Account Recovery Key (learn more) is created by encrypting their account encryption key with the Organization Public Key. Account recovery is required to enable SSO with trusted devices.

The user is then asked if they want to remember, or trust, the device. When they opt to do so:

Create a trusted device
Create a trusted device
  1. A new Device Key is generated by the client. This key never leaves the client.

  2. A new RSA key pair, called the Device Private Key and Device Public Key, is generated by the client.

  3. The user's account encryption key is encrypted with the unencrypted Device Public Key and the resultant value is sent to the server as the Public Key-Encrypted User Key.

  4. The Device Public Key is encrypted with the user's account encryption key and the resultant value is sent to the server as the User Key-Encrypted Public Key.

  5. The Device Private Key is encrypted with the first Device Key and the resultant value is sent to the server as the Device Key-Encrypted Private Key.

The Public Key-Encrypted User Key and Device Key-Encrypted Private Key will, crucially, be sent from server to client when a login is initiated.

The User Key-Encrypted Public Key will be used should the user need to rotate their account encryption key.

Keys used for trusted devices

This table provides more information about each key used in the procedures described above:

Impact on master passwords

While SSO with trusted devices eliminates the need for a master password, it doesn't in all cases eliminate the master password itself:

  • If a user is onboarded before SSO with trusted devices is activated, their account will retain its master password.

  • If a user is onboarded after SSO with trusted devices is activated and they select Log in Enterprise SSO from the organization invite for JIT provisioning, their account will not have a master password. Should you change to the master password member decryption option, these users will be prompted to create a master password when they log in as long as they are still a member of the organization (learn more).

    warning

    For member accounts that do not have master passwords as a result of SSO with trusted devices:

    • Removing them from your organization eliminates all access to their Bitwarden account unless they were previously assigned a master password using account recovery and they log in with that master password at least once before being removed.

      These users will not be able to re-join your organization unless the above steps are taken before they are removed from the organization. If they aren't, each removed user will be required to delete their account and be issued a new invitation to create an account and join your organization.

    • Revoking access to the organization, but not removing them from the organization, will still allow them to log in to Bitwarden and access only their individual vault.

  • If a user account is recovered using account recovery, their account will necessarily be assigned a master password. A master password cannot currently be removed from an account once it has one, so to avoid this outcome we recommend that you (i) instruct the user to export their data to a backup, (ii) completely delete the lost account, (iii) ask the user to re-onboard to your organization using trusted devices and (iv) once they've done so instruct them to import their backup.

Impact on other features

Depending on whether a master password hash is available in memory for your client, which is dictated by how your client application is initially accessed, it may exhibit the following behavior changes: