Auth/PM-8113 - 2FA Components Consolidation and UI Refresh

[JaredSnider-Bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-8113
Associated Server PR: bitwarden/server#5120

📔 Objective

To consolidate all the cross client 2FA components into single implementation components delegating all client specific logic into services while updating the UIs to match the new design.

This PR is unfortunately quite large, but a ton of the file changes are renames or moves.

📸 Screenshots

To avoid slowing down the PR loading massively, each of the below videos are linked using a thumbnail which downloads the videos instead of directly rendering them inline.

Web

Web - Standard MP Login Scenarios

Email	Authenticator	Duo	WebAuthn	Yubikey	Select Other Method + Recovery Code Demo

Web - SSO Scenarios

Note: remember me does not currently work with SSO, but that is being addressed separately.

SSO + MP Decryption + Standard 2FA Flow works	SSO + MP Decryption + Require 2FA Policy - JIT works	SSO + TDE + Require 2FA Policy - JIT works	SSO + TDE + Standard 2FA Flow works

Desktop

Desktop - Standard MP Login Scenarios

Email	Authenticator	Duo	WebAuthn	Yubikey	Select Other Method + Recovery Code Demo

Extension

Extension - Chrome - Standard MP Login Scenarios

Note: WebAuthn is now done inline in Chrome instead of in a new tab like we have to do for other Browsers until we rebuild the WebAuthn flows with better support.

Email	Authenticator	Duo	WebAuthn	Yubikey	Select Other Method + Recovery Code Demo

Extension - Firefox - Standard MP Login Scenarios

Email	Authenticator	Duo	WebAuthn	Yubikey	Select Other Method + Recovery Code Demo

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 46.30996% with 291 lines in your changes missing coverage. Please review.

Project coverage is 35.47%. Comparing base (f827b97) to head (84323f3).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...gular/two-factor-auth/two-factor-auth.component.ts	39.15%	98 Missing and 31 partials ⚠️
...uth-webauthn/two-factor-auth-webauthn.component.ts	6.89%	26 Missing and 1 partial ⚠️
apps/web/src/connectors/webauthn.ts	0.00%	26 Missing ⚠️
...ctor-auth-email/two-factor-auth-email.component.ts	12.00%	22 Missing ⚠️
...o-factor-auth-duo/two-factor-auth-duo.component.ts	22.22%	13 Missing and 1 partial ⚠️
apps/web/src/connectors/webauthn-fallback.ts	0.00%	12 Missing ⚠️
apps/browser/src/popup/services/services.module.ts	0.00%	5 Missing ⚠️
...-auth/default-two-factor-auth-component.service.ts	0.00%	5 Missing ⚠️
libs/auth/src/angular/two-factor-auth/index.ts	0.00%	5 Missing ⚠️
...ar/two-factor-auth/two-factor-options.component.ts	28.57%	5 Missing ⚠️
... and 26 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12087      +/-   ##
==========================================
+ Coverage   35.31%   35.47%   +0.16%     
==========================================
  Files        3128     3148      +20     
  Lines       92601    92591      -10     
  Branches    16826    16814      -12     
==========================================
+ Hits        32702    32850     +148     
+ Misses      57439    57267     -172     
- Partials     2460     2474      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – 4e4d9c88-bff9-4de2-b064-9eee59aaf643

New Issues (4)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-0995	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0996	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0997	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0998	Npm-electron-34.0.0	Vulnerable Package

[JaredSnider-Bitwarden]

@rr-bw , I've added TDE offboarding support to the flows.

Here's my tests:
Web:

Extension:

Desktop:

[coroiu]

No platform changes, approving

[sonarqubecloud]

Quality Gate passed

Issues
13 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.9% Duplication on New Code

See analysis details on SonarQube Cloud

[rr-bw]

Suggested change

	<div class="tw-flex tw-flex-col tw-space-y-3 tw-mb-3">
	<div class="tw-flex tw-flex-col tw-space-y-3">

AnonLayout already has padding built-in.

[rr-bw]

Is inSsoFlow used anywhere? It's assigned in ngOnInit() but I don't think it's ever used.

[rr-bw]

.linux-webauthn is an SCSS class. Do we want this in a Tailwind file?

[rr-bw]

I don't think the onProviderSelected and onRecoverSelected outputs are actually being used in the new flow. Also, I'd think you can remove the concept of "recover" entirely from this component (and the TwoFactorOptionsDialogResult enum) since the recovery code button is now being shown as an option directly on the 2FA screen. If I'm correct, address also the reference to TwoFactorOptionsDialogResult in selectOtherTwoFactorMethod() on TwoFactorAuthComponent.

[rr-bw]

Is there a reason for the 4 uses of any in this file?

[rr-bw]

Suggested change

	async selectOtherTwofactorMethod() {
	async selectOtherTwoFactorMethod() {

[rr-bw]

Suggested change

	(click)="selectOtherTwofactorMethod()"
	(click)="selectOtherTwoFactorMethod()"