2FA not requested

I have 2FA enabled at vault.bitwarden.com. My provider is an authenticator app, and clicking on the Manage button confirms that the provider is active on my account.

When I go to vault.bitwarden.com, it asks for my email and then asks me to enter my master password. There is an option to log in with device, which operates as I expect with the authenticator. But if I choose log in with master password and enter the master password, I am not asked to provide a 2FA TOTP. Why not? Can anyone enter my Bitwarden vault just by providing my email and master password?

Also, if I log out and then use the desktop app, there is no option to 2FA login, just master password. Can anyone with the Bitwarden desktop app log into my account by providing the master password?

Finally, I have Windows Hello enabled in the desktop app. But if I provide my master password, I get logged in without being asked to scan my fingerprint.

Clearly there is something in the process here I am not understanding. Thank you for any explanations.

See if this FAQ answers your question (click the link below to go directly to the relevant section, titled Why is Bitwarden not asking for my enabled two-step login method?):

Yes, that FAQ was very helpful. Thank you for sending it. I deauthorized sessions, and now both the website and the desktop app are asking for 2FA logins as I would expect.

Also, Windows Hello is working to unlock my desktop app account, but not to log in. Is that the intended behavior?

What’s not clear to me now is what “Remember Me” actually does. Is “Remember Me” active only on a per-device basis? Does it mean that the need for 2FA is removed ONLY on the device on which I select “Remember Me”, so that anyone attempting to get into my account from a foreign device will be required to use 2FA?

Hey @hspindel, this is per device 👍

Yes. Therefore, you should use the “remember me” option only for trusted devices that have strong physical security (e.g., a desktop computer in a locked personal office in a locked building).