Password and Secrets Management: Why Bitwarden Is All Into Passwordless!
If you’re in the market for a password manager or are interested in secrets management, Bitwarden has a powerful suite of products for you. These products deliver a thoughtful and intuitive UI, which Bitwarden Password Manager users will recognize. Bitwarden ranks at the top of the Leader Quadrant in SoftwareReviews under the Password Management category, and the company believes its optimized, wide-ranging passwordless solution set will address most organizations’ needs.
I recently met with Bitwarden and spent an hour talking about their leadership team, Passwordless.dev effort, and Secrets Manager platform. During our conversation, it was clear that Bitwarden has been deliberate about its products and has developed a customer-centric, risk-based approach to solving customers’ top passwordless needs. Bitwarden ranks as a Champion in our Emotional Footprint Quadrant. The company was founded in 2016 with the intent of putting security into the hands of everyone, and it has since moved the needle significantly, raising $100 million in 2022 to accelerate product and company growth. Bitwarden plans to use that growth to focus on optimizing user and customer support. Founder and CTO Kyle Spearrin built the first open-source password management solution to offer unlimited passwords across platforms, and he is complemented by a seasoned C-level staff:
- Michael Crandell, CEO
- Kyle Spearrin, Founder and CTO
- Stephen Morrison, CFO
- Gary Orenstein, CCO
Bitwarden asserts its Secrets Manager platform is more lightweight than HashiCorp’s offering, as well as cost-effective and secure, with true end-to-end encryption. During our conversation on Secrets Manager, the Bitwarden team explained that service accounts represent non-human machine users, such as applications or deployment pipelines, that require programmatic access to a discrete set of secrets. They went on to describe service accounts as being used to:
- Appropriately scope the selection of secrets a machine user has access to.
- Issue access tokens to facilitate programmatic access to and the ability to decrypt secrets.
Access tokens are issued to a particular service account and give any machine they are applied to the ability to access only the secrets associated with that service account. Secrets can be imported via JSON files, and import of .env files will be supported in future releases. Password Manager and Secrets Manager are administered from the same admin console with multifactor authentication (MFA) capabilities, and both support automatic provisioning via directory sync and SCIM. Single sign-on is also supported with SAML 2.0 or OIDC.
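To make the service-account model described above concrete, here is an added illustration in Python. It is not Bitwarden’s code and does not use its API; the `SecretsStore` class, the `issue_token`/`read_secret` names and the sample secret identifiers are all assumptions made for the example. It models the three properties the passage describes: a service account scopes the set of secrets a machine user may read, an access token is bound to exactly one service account, and every read is checked against that scope. It also shows two practices a defender expects around such tokens: only a hash of each token is stored server-side, and a revoked token stops working immediately.

```python
"""Scoped machine access to secrets via service accounts and access tokens.

Illustrative model only (assumption: not Bitwarden's implementation or API).
"""
import hashlib
import hmac
import secrets as rnd
from dataclasses import dataclass, field


@dataclass
class ServiceAccount:
    name: str
    # Scope: the discrete set of secret ids this machine user may read.
    secret_ids: set[str] = field(default_factory=set)


class SecretsStore:
    def __init__(self) -> None:
        self._secrets: dict[str, str] = {}          # secret_id -> value
        self._accounts: dict[str, ServiceAccount] = {}
        # token_hash -> service account name. Only a hash of each token is
        # kept, so a dump of this table does not yield usable tokens.
        self._tokens: dict[str, str] = {}

    def add_secret(self, secret_id: str, value: str) -> None:
        self._secrets[secret_id] = value

    def create_service_account(self, name: str, secret_ids: set[str]) -> None:
        unknown = set(secret_ids) - set(self._secrets)
        if unknown:
            raise KeyError(f"unknown secrets in scope: {sorted(unknown)}")
        self._accounts[name] = ServiceAccount(name, set(secret_ids))

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, account_name: str) -> str:
        """Mint a token bound to one service account; the caller sees it once."""
        if account_name not in self._accounts:
            raise KeyError(account_name)
        token = f"{account_name}.{rnd.token_urlsafe(32)}"
        self._tokens[self._hash(token)] = account_name
        return token

    def revoke_token(self, token: str) -> None:
        self._tokens.pop(self._hash(token), None)

    def _account_for(self, token: str) -> ServiceAccount:
        digest = self._hash(token)
        # Constant-time comparison against each stored hash (small table assumed).
        for stored, name in self._tokens.items():
            if hmac.compare_digest(stored, digest):
                return self._accounts[name]
        raise PermissionError("unknown or revoked token")

    def read_secret(self, token: str, secret_id: str) -> str:
        account = self._account_for(token)
        if secret_id not in account.secret_ids:
            # The secret exists, but it is outside this service account's scope.
            raise PermissionError(f"{account.name} is not scoped to {secret_id}")
        return self._secrets[secret_id]

    def secret_ids_visible_to(self, token: str) -> set[str]:
        return set(self._account_for(token).secret_ids)


def demo() -> dict:
    """Constructed scenario: a web app and a CI pipeline with disjoint scopes."""
    store = SecretsStore()
    store.add_secret("prod/db-password", "constructed-db-pw")
    store.add_secret("prod/api-key", "constructed-api-key")
    store.add_secret("ci/signing-key", "constructed-signing-key")
    store.create_service_account("web-app", {"prod/db-password", "prod/api-key"})
    store.create_service_account("ci-pipeline", {"ci/signing-key"})

    web_token = store.issue_token("web-app")
    ci_token = store.issue_token("ci-pipeline")

    results = {
        "web_reads_db": store.read_secret(web_token, "prod/db-password"),
        "ci_sees": store.secret_ids_visible_to(ci_token),
    }
    try:  # the CI token must not reach a production secret
        store.read_secret(ci_token, "prod/db-password")
        results["ci_cross_scope"] = "allowed"
    except PermissionError:
        results["ci_cross_scope"] = "denied"
    store.revoke_token(web_token)
    try:  # a revoked token must fail even for secrets that were in scope
        store.read_secret(web_token, "prod/api-key")
        results["after_revoke"] = "allowed"
    except PermissionError:
        results["after_revoke"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the scope lives on the service account, not on the token: rotating or revoking a token changes nothing about which secrets the machine user is entitled to, and an operator auditing access reads one list per machine user rather than one per token.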
When asked about separating personal and enterprise use, a feature LastPass users are accustomed to, the Bitwarden team said all accounts have an individual vault by default, regardless of whether the email used for account creation is a work or personal email. When users join an organization, they gain access to the organization vault. When saving a login, they can choose to save to the organization vault or to their individual vault. By implementing an enterprise policy, you can remove individual members from an organization’s vault. A user can have both a personal and a work account and can switch between them in the mobile and desktop apps, with a browser version coming soon.
When it comes to data security, Bitwarden says all vault data is encrypted, not just specific fields. This safeguards users’ personal information such as email, address, phone number, and metadata. Bitwarden’s Azure databases are encrypted with transparent data encryption (TDE), and column-level encryption keys are secured by key management services (KMS). Lastly, Bitwarden enforces tight governance practices, with its privacy policy ensuring users’ administrative data is secured.
Bitwarden didn’t stop with password and secrets management; the team is optimistic about delivering a passwordless trifecta with their Passwordless.dev product. Bitwarden Passwordless.dev is now generally available and provides an extensive, easy-to-deploy API for integrating FIDO2 WebAuthn-based passkeys into websites and applications. With the growing interest in phishing-resistant MFA and passkeys, this solution should reduce the engineering resources needed and the complexity of deploying Face ID, fingerprint biometrics, and Windows Hello.
Our Take
Bitwarden is a Leader in our Password Management Data Quadrant and a Champion in our Emotional Footprint Quadrant. Bitwarden was ranked the best password manager by CNET in 2023 and took top billing as the safest password manager by MakeUseOf (MUO). Bitwarden has extended the scope of its product suite based on customer needs and plans to build on its Password Manager success with Secrets Manager and Passwordless.dev. I’m confident Bitwarden knows how to deliver a secure and effective solution for abstracting and managing passwords and secrets, and it also provides a turnkey developer solution for passkeys with little complexity.
Want to Know More?
- Identity & Access Management | Security Technology & Operations | Info-Tech Research Group
- Password Management | SoftwareReviews
- Q&A with Bitwarden Founder and CTO | Bitwarden
- Bitwarden Security Whitepaper | Bitwarden
- The Bitwarden Secrets Manager | Bitwarden
- Administrative Data | Bitwarden Help Center
- Bitwarden Review | PCMag
- What Is the Safest Password Manager to Use? | MSN
Source: Interview with Kasey Babcock, Vivian Shic, and Ryan Luibrand from Bitwarden