Recently upgraded to Enterprise. Also recently had a high level exec ask me to reset their Bitwarden 2FA. They’ve been using the Extension on the same desktop for months - and only now have realized they have no idea where their 2F is going. Unfortunately the user’s Takeover relationship was with 2 former employees, so no luck there. For handling FUTURE situations, I’ve made everyone set up a recovery relationship, enabled the recovery policy, and had everyone join it. But from testing, it doesn’t seem that the Account Recovery function resets the 2F, and account takeover is a pretty intense step.
Hey there, just to confirm, you’re referring to using Bitwarden 2FA rather than 2FA as part of SSO for example?
IMO there should be an enterprise policy preventing users from setting up 2SV in Bitwarden.
If we enforce it at the IdP there is no point in setting it up in Bitwarden.
And in a case like this one, needing to recover an account, it makes it impossible.
I guess that enabling such a policy would also have to disable the “new device login protection”… (?)
Yes, Bitwarden logins are not part of our IdP SSO. We log in to Bitwarden separately. Most of us use Microsoft Authenticator for the 2FA.
But I actually just had a 2nd user come to me and say their 2F wasn’t working. Similar to the 1st - they’ve got an entry in MS Authenticator, but codes don’t work. And this guy is a dev, so I can’t even point at him as the problem.
@ben.jenkins I’m not sure what your exact request is… Is it to be able to reset 2FA more easily? Then there might already be a similar feature request:
So, please clarify.
No, if enabling that enterprise policy was dependent on having SSO login enabled (which would be the logical thing, IMO) it wouldn’t be necessary at all.
New Device Login Protection does not apply to enterprise SSO login.