Account access history

I am also eagerly waiting for this feature to come to Premium users!

I think this is a very basic security feature that should have already been implemented.

2 Likes

Can anyone point me to the Milestone or feature branch in Github for this functionality?

I also agree, that account access history is something that, at a minimum, the Web UI should be able to display at the footer of every page. Or optionally, a “recent logins” type page. That lists all logins for X amount of time.

Thanks!

3 Likes

For privacy reasons, it would be good to be able to turn IP logging on and off.

Otherwise, great feature request IMO.

3 Likes

This is definitely a feature I feel is sorely lacking!

I got an email about an unauthorized login on one of my accounts, and started tightening security on that account. After a second unauthorized login attempt on the same account within a short timeframe I started wondering if anything else is compromised as well, like for instance my Bitwarden Vault.

I find that unlikely, but even so it seems like I can’t actually find out if anyone has logged in to my Vault since there’s no login history. I would definitely feel an extra sense of security by being able to see a log of my various logins to the Vault.

You know whats funny about this feature request? They have this feature for the Bit Warden Forums. But not BitWarden itself.

Isnt this the same request as Session management

4 Likes

What about this request and this one?

Both are quite basic and useful.

Bitwarden Community Forums is actually made by Discourse https://www.discourse.org/, a complete open source forum platform. So Bitwarden only like host this platform, the rest are pretty much done by the community.

Bitwarden does send emails to you when a new device logs in. The Ip address and some other info are also provided.

1 Like

This is still pending, yet a very useful feature for all users, and knowing that enterprise clients get it but we premium users do not, it feels off. Almost all other cloud services for password managers have this feature, wich is pretty critical for a user to be able to asses a security breach.

Is this gonna be addressed at any point?

We don’t have it on a development timeline at this point, but one option for the time being would be to use our Teams Organization. We recently added full event logging and API access to it, as well as including Premium access for users.

This feature request seems pretty similar to:

Hope this important security feature will be implemented soon!

1 Like

Is there a way to implement an account history option which could show the logins and events that occurred?

The account history feature would allow users to view all logins and events for your account, and the IP addresses associated with them. History is particularly useful if you’re concerned about unauthorized access to your account.

Logins – This login history could display the following for logins:
Date: The date login was used.
Name: Name of the domain accessed and/or failed login attempts.
Group: Name of Folder (if any).
IP address: From which the login was used.
DNS: From which the login was used.
Method: Method by which it was used (e.g., web browser name, device type, etc.).

Events – This events history could display the following for events:
Date: The date the event occurred.
Name: The name of the domain accessed.
Group: Name of folder (if any).
IP address: From which the event took place.
Action: Action taken within the account (e.g., change of Master Password, failed login attempts, enable/disable of multifactor authentication, etc.).

2 Likes

Yes i agree, display stuff like that if there ever were to be a feature like that added to bitwarden. But just to be clear If you want to display information like that, it should be accurate all of the time, if possible of corse (for example. an ip address should be displayed above everything at the top and it should be displayed using ipv4 address’s and NOT ipv6 address’s. (unless, of course you are un-able to do so witch in that case sure but it’s not recommended.) ) and it also should be easy to use and understand for the non technical people out there.

With Kind Regards,
Ebay,
A Bitwarden Customer,

Full access history logging/alerts/etc. may be overkill but being able to observe and selectively deauthorize current sessions seems like a pretty elementary feature. I am a bit annoyed with myself for jumping into a premium subscription before realizing it isn’t available. The deauthorize all sessions shotgun isn’t adequate in my opinion.

1 Like

Well it depends on what most people want doesn’t it? @davistom

Of course!

I did not opine on “nice to have”. I just noted what I think is pretty elementary but doesn’t seem to attract much (any?) interest given the multi year trail of user requests.

Yeah your right. But there are always so many thing people want added to bitwarden that it’s hard to get a topic up there. you see. @davistom

This is really important to have. Today I received a two-factor code text to my cell phone from my bank (they don’t support other two-factor methods). This could have either been the bank system sending the code in error, someone (or thing) trying to log into my account, or something else I am unaware of.

Well I logged into my bank account and checked my logon history (same as account access history) and was able to view a set of IP Addresses. One IP address was associated with the time that I received the two-factor text. So I was able to see that the code was tied to the event of an actual login attempt.

I called the bank and asked a series of questions. There wasn’t a history of any failed login attempts with an incorrect password. So whatever method my bank account was being signed into with had the correct username and password.

My password was randomly generated in Bitwarden. This means either someone somehow got access to my Bitwarden account or one of my devices was compromised and in away allowing my Bitwarden data to get compromised or something else.

I would love to check my Bitwarden login history but can’t.

@DATA You could “Deauthorize all vaults” in the web vault and change the master password, if you believe that your Bitwarden account Has been compromised.

You can also check the email address that you used with Bitwarden. The email address should include all the new login together with the IP address and the time of the login. But as a precaution, do NOT store the complete password of that email address in the Vault, or else the hacker could easily erase the login record from your email.

I’m really surprised access auditing isn’t already implemented. In my opinion, the feature is essential to any security-critical system. I really want to know ASAP if my master PW is ever used by anyone to get through to the 2FA challenge, but I don’t want to have to use email 2FA to enable that.

2 Likes