I’d like to request a feature enhancement to better support organizations using SSO as their identity and access management solution.
Request:
Please consider introducing an administrative control or policy that allows organizations to disable users' ability to configure additional two-step login (2FA) methods when SSO is enabled and used as the sole authentication method.
Business Justification:
We recently experienced a case where a user added a TOTP-based 2FA method to their SSO-enabled, company-provided and company-owned Bitwarden account. The user then lost access to their TOTP device and had not retained the recovery code. Even though the user logged in via SSO, Bitwarden enforced the additional 2FA, effectively locking the user out of their vault. Due to Bitwarden's zero-knowledge architecture and the inability of admins to override or remove 2FA, this situation rendered the vault inaccessible and required account deletion, causing significant delays in service delivery to our clients.
This outcome is problematic in enterprise SSO environments where the SSO/IdP already handles all multi-factor authentication.
In these scenarios, additional user-configured 2FA creates an unnecessary risk of user lockout with no administrative recourse. While we understand and value Bitwarden’s zero-knowledge model, the lack of a control to prevent or disable user-configured 2FA in SSO environments is a significant gap.
Thank you for considering this feature request.