Account Security: 3FA (TOTP + choice of email token, passphrase or security question)

Feature name

Three Factor Authentication for all new devices

Feature function

The difference would be that if you logged into your Bitwarden account with a new device, it would ask for TOTP from your Authenticator, as well as either email token, a passphrase or a security question.

As this is a password manager with a TOTP generator built in, it is pretty important to keep the account as secure as possible. Just like many cryptocurrency sites do, I would like Bitwarden to ask for these when logging into my account from a new device:

  1. Master Password
  2. 2FA TOTP (Google Authenticator, etc.)
  3. token sent to my email address, OR a passphrase, OR a security question

It would greatly enhance the security and lower the chance of someone getting into your customer’s account. To be quite honest, this is what is keeping me from upgrading to Premium for sure.

I hope more people find this useful, thanks

I like that idea. While not everybody uses 2FA, sending an email token(I guess to the e-mail used for your BW registration) when logging from a new device sounds really good. Adds an extra layer of protection. At the moment, I can’t think of a way someone might be able to bypass this, unlike other proposed security features.

Even better, make it so you could turn this feature on/off. But how doable is all this? No clue.

Edit: However, I think that the only option should be an email token

  • What exactly do you mean by passphrase. Like a second password or something?
  • Security question is the worst thing people have ever come up with regarding authentication. If you answer honestly to the “what’s your favourite animal”, the answer is most likely very bad in terms of security. If you lie, it becomes like a 2nd password which you have to remember. (majority of people can’t even remember their main password, therefor choosing weak ones)
2 Likes

Absolutely, agreed! An option to turn this on/off in settings is an absolute must, in case bitwarden does end up implementing this.

By passphrase, I meant either:

  • A randomly generated sequence of words in format: “this-is-a-randomly-generated-string-of-words-to-access-your-account” (similar to what cryptowallets use for recovery when you loose access)
  • Or, a completely random set of characters, just like 1Password uses, in format: “AA-A1B2C3 A1B2C3 A1B2C A1B2C A1B2C A1B2C”

I agree that a ‘security question’ is not actually a very good idea just like you suggested so that suggestion should not be implemented.

1 Like

I don’t think I am familiar with this kind of authentication. Can you explain it?

Let’s say I want to login to my 1Password vault from a new device. How, where and when do I get this “passphrase”? How do I use it to authenticate myself?

No worries, of course I can explain.
The first time you create your account on 1Pass, it requires you to download an ‘emergency toolkit’ which contains your email and the passphrase. It is nothing but a simple PDF file containing your ‘secret key’ (aka passphrase), as well as your email address. It looks like this:


This pretty much acts as your second password, but you only need to enter it for the first time on a new device.

Now, let’s say that you are logging in from a new device; the picture below shows the sign-in information that you need to fill out.

If you set up 2FA (Email, Google Authenticator, Authy, etc.) as well, you will be prompted to enter it right after this step.

Once you have been logged into the device and your credentials are stored from last login, only your master password will be needed just like shown below.

I hope this made my feature request much clearer :blush:

2 Likes

That’s actually very well thought! After a very quick google search, I learned that if you lose the “secret key” for whatever reason, you can simply generate a new one. If someone steals it (unlikely), they can’t do anything with it (at least not without your e-mail and password). I can definitely see myself using this feature or a similar one.

3 Likes

Indeed, I would love to have this in Bitwarden. Let’s hope it ends up on the roadmap :wink::pray:

2 Likes

The Secret Key feature was already requested in Add (optional) Secret Key functionality (Like 1Password) or keyfile (Like Keepass), but the idea of a 3FA is definitely new!

1 Like

This is a good idea especially if it’s optional.

I’m not against the security question idea because if you allow us to pick our own security question and enter whatever you want you could enter a random password if you wanted to. It would be similar to a secret key but doesn’t encrypt.

I know a security question is not ideal, but it’s better than nothing or even a geo-block if you ask me.
The number of possibilities to make your own questions and your own answer is vastly more.

Plus, it’s something some people might understand easier compared to TOTP or an Email 2FA. I’m not a fan of email 2FA because most users put their email password in the password manager and if you’re locked out of your password manager you’re also locked out of your email. But a security question is not tied to something else. It’s basically another password that can have its benefits especially if Bitwarden changes the email alert to when a correct master password is entered and not a successful login.

Then the ability to have a master password, TOTP 2FA, and a security question sound good to me for new device logins. Even master password plus security questions alone could be beneficial to some users who are afraid to use certain 2FA.

1 Like

That is precisely the weak point of “security questions”. How often do you have to sign in to your vault from a new device? For majority of people it might be months/years. If you didn’t write the answer to that “security question” somewhere, you are screwed because a normal human can’t remember a password after many months/years without using it. However, the part of being able to ask your own questions and answer them - gives a tiny bit of hope, but not much.

Haven’t heard anybody say that, anywhere. I really hope it isn’t true.

Most people put their email password in their password manager, is this not common? That is what a password manager is for. When I set new people up I always have them write down their master password and email password just for this reason.

1 Like

Maybe use barcode/qrcode scan from mobile bitwarden app…

Could you elaborate on that? Not sure what you mean.