I have 2FA enabled at vault.bitwarden.com. My provider is an authenticator app, and clicking on the Manage button confirms that the provider is active on my account.
When I go to vault.bitwarden.com, it asks for my email and then asks me to enter my master password. There is an option to login with device, which operates as I expect with the authenticator. But if I choose login with master password and enter the master password, I am not asked to provide a 2FA TOTP. Why not? Can anyone enter my Bitwarden vault just by providing my email and master password?
Also, if I log out and then use the desktop app there is no option to 2FA login, just master password. Can anyone with the Bitwarden desktop app log into my account by providing the master pasword?
Finally, I have Window Hello enabled in the desktop app. But if I provide my master password, I get logged in without asking to scan my fingerprint.
Clearly there is something in the process here I am not understanding. Thank you for any explanations.