Ability to Disable User-Added 2FA When SSO Is Enforced

I’d like to request a feature enhancement to better support organizations using SSO as their identity and access management solution.

Request:
Please consider introducing an administrative control or policy that allows organizations to disable the ability for users to configure additional two-step login (2FA) methods when SSO is enabled and used as the sole authentication method.

Business Justification:

We recently experienced a case where a user added a TOTP-based 2FA method to their SSO-enabled, company-provided and company-owned Bitwarden account. The user then lost access to their TOTP device and had not retained the recovery code. Despite using SSO for login, Bitwarden enforced the additional 2FA, effectively locking the user out of their vault. Due to Bitwarden’s zero-knowledge architecture and the inability for admins to override or remove 2FA, this situation rendered the vault inaccessible and required account deletion, causing significant delays in service delivery to our clients.

This outcome is problematic in enterprise SSO environments where the SSO/IdP already handles all multi-factor authentication.

In these scenarios, additional user-configured 2FA creates an unnecessary risk of user lockout with no administrative recourse. While we understand and value Bitwarden’s zero-knowledge model, the lack of a control to prevent or disable user-configured 2FA in SSO environments is a significant gap.

Thank you for considering this feature request.


100% agreed. This is a severe issue that also occurred with one of our users.

This is why we should be evangelizing emergency sheets to our users. Data loss happens.

Although your focus is recovering the employee’s enterprise account, there is more to it. Enterprise accounts come with free family plans. Users need training in disaster preparedness because there is no ability for the enterprise to recover a spouse’s account despite the fact that the enterprise was complicit in providing the license.


I would also like to note that after provisioning a new Bitwarden account for the user, an administrator had to reassign hundreds of collections to the user manually.