TL;DR: Physical security keys strengthen login assurance by binding two-step authentication to WebAuthn hardware rather than SMS or app-only prompts, according to Bitwarden. The governance question is not whether 2FA exists, but whether recovery, fallback, and device handling preserve the trust boundary when access to credentials is consolidated.
NHIMG editorial — based on content published by Bitwarden: using physical security keys with Bitwarden
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should teams govern physical security keys for password manager access?
A: Treat physical keys as high-assurance authenticators that still need lifecycle governance.
Q: When does a backup authenticator method reduce security instead of helping recovery?
A: A backup authenticator weakens security when it is easier to phish, export, or socially engineer than the primary factor it is meant to supplement.
Q: What do security teams get wrong about password manager two-factor authentication?
A: They often focus on whether 2FA exists and ignore how it behaves across enrollment, replacement, and recovery.
Practitioner guidance
- Treat hardware-key enrolment as a governed event Require explicit approval or step-up verification before adding a new physical key to a high-value password manager account, and log who enrolled the key, when, and from which device.
- Review all fallback authentication paths Assess whether the authenticator app, email verification, or recovery key creates a weaker route than the physical key, and align the fallback with the account’s actual risk profile.
- Inventory registered authenticators and remove stale ones Track every enrolled key, replace lost devices immediately, and revoke old keys during device refresh or account offboarding so unused authenticators do not remain valid.
What's in the full article
Bitwarden's full article covers the step-by-step setup detail this post intentionally leaves for the source:
- Exact WebAuthn registration workflow in the Bitwarden web interface, including the menus and prompts users see.
- Device-specific guidance for USB-C and NFC key use on mobile devices, which matters when you are standardising support.
- Practical notes on managing multiple registered keys across free and paid accounts, including the stated enrollment limits.
- The secondary authenticator app setup flow, including QR-code enrollment and the login experience when the primary key is unavailable.
👉 Read Bitwarden's guide to using physical security keys with Bitwarden →
Security keys for password managers: are your controls keeping up?
Explore further
Physical keys solve password reuse, not identity governance. This article is really about assurance at the point where human identity meets concentrated credential storage. The physical key raises the bar for interactive login, but the programme risk remains in recovery design, enrollment control, and the lifecycle of trusted authenticators. Identity teams should read this as an authentication hardening pattern, not as a complete access governance model.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own recovery-key and authenticator lifecycle controls?
A: Ownership should sit with the identity or security function, not left entirely to end users. Recovery keys and registered authenticators are access artifacts, so they need inventory, revocation, and auditability just like other privileged credentials. That is especially true for accounts that protect many downstream secrets.
👉 Read our full editorial: Physical security keys improve password manager login assurance