The difference would be that if you logged into your Bitwarden account with a new device, it would ask for a TOTP from your authenticator, as well as either an email token, a passphrase, or a security question.
As this is a password manager with a TOTP generator built in, it is pretty important to keep the account as secure as possible. Just like many cryptocurrency sites do, I would like Bitwarden to ask for these when logging into my account from a new device:
Master Password
2FA TOTP (Google Authenticator, etc.)
token sent to my email address, OR a passphrase, OR a security question
It would greatly enhance security and lower the chance of someone getting into your customer's account. To be quite honest, this is what is keeping me from upgrading to Premium for sure.
I like that idea. While not everybody uses 2FA, sending an email token (I guess to the email used for your BW registration) when logging in from a new device sounds really good. It adds an extra layer of protection. At the moment, I can't think of a way someone might be able to bypass this, unlike other proposed security features.
Even better, make it so you could turn this feature on/off. But how doable is all this? No clue.
Edit: However, I think that the only option should be an email token
What exactly do you mean by passphrase. Like a second password or something?
Security questions are the worst thing people have ever come up with regarding authentication. If you answer honestly to "what's your favourite animal", the answer is most likely very bad in terms of security. If you lie, it becomes like a second password which you have to remember. (The majority of people can't even remember their main password, therefore choosing weak ones.)
Absolutely, agreed! An option to turn this on/off in settings is an absolute must, in case Bitwarden does end up implementing this.
By passphrase, I meant either:
A randomly generated sequence of words in the format "this-is-a-randomly-generated-string-of-words-to-access-your-account" (similar to what crypto wallets use for recovery when you lose access)
Or, a completely random set of characters, just like 1Password uses, in the format "AA-A1B2C3 A1B2C3 A1B2C A1B2C A1B2C A1B2C"
I agree that a "security question" is not actually a very good idea, just like you suggested, so that suggestion should not be implemented.
I don't think I am familiar with this kind of authentication. Can you explain it?
Let's say I want to log in to my 1Password vault from a new device. How, where and when do I get this "passphrase"? How do I use it to authenticate myself?
No worries, of course I can explain.
The first time you create your account on 1Pass, it requires you to download an "emergency toolkit" which contains your email and the passphrase. It is nothing but a simple PDF file containing your "secret key" (aka passphrase), as well as your email address. It looks like this:
Once you have been logged into the device and your credentials are stored from last login, only your master password will be needed just like shown below.
That's actually very well thought out! After a very quick Google search, I learned that if you lose the "secret key" for whatever reason, you can simply generate a new one. If someone steals it (unlikely), they can't do anything with it (at least not without your email and password). I can definitely see myself using this feature or a similar one.
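To make the "secret key" idea concrete, here is an added illustration (not 1Password's actual algorithm, and not code from this thread or from Bitwarden) of a two-secret scheme: a high-entropy key in the "AA-XXXXXX XXXXXX XXXXX XXXXX XXXXX XXXXX" format is generated at enrollment and stored only in the user's kit, and the vault key is derived from the master password *and* that key. The alphabet, group lengths, iteration count and the PBKDF2/HMAC/XOR combination are all assumptions chosen for illustration; the point it demonstrates is the one made above: a stolen secret key without the password, or a guessed password without the secret key, gets an attacker nothing.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: uppercase letters and digits without look-alikes (no 0/O, 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Assumed group layout after the 2-character version prefix: 6-6-5-5-5-5 (32 chars, 160 bits).
GROUPS = (6, 6, 5, 5, 5, 5)
PBKDF2_ITERATIONS = 100_000  # assumption: chosen for a quick demo, not a production tuning


def generate_secret_key(version: str = "A3") -> str:
    """Create a printable secret key for the emergency kit (illustrative format)."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(n)) for n in GROUPS]
    return version + "-" + " ".join(groups)


def normalize_secret_key(secret_key: str) -> str:
    """Strip separators and case so a key typed by hand still matches the kit."""
    return "".join(ch for ch in secret_key.upper() if ch.isalnum())


def derive_vault_key(master_password: str, secret_key: str, email: str, salt: bytes) -> bytes:
    """Combine both secrets into the key that protects the vault.

    The password goes through a slow hash (PBKDF2) so online guessing is expensive;
    the secret key is random, so XORing it in adds ~160 bits an attacker cannot guess
    from a stolen server-side verifier alone.
    """
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + email.lower().encode(), PBKDF2_ITERATIONS, 32
    )
    sk_key = hmac.new(email.lower().encode(), normalize_secret_key(secret_key).encode(), "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(vault_key: bytes) -> bytes:
    """What the server stores: a one-way value, never the vault key itself."""
    return hashlib.sha256(b"vault-verifier|" + vault_key).digest()


def login_from_new_device(stored_verifier: bytes, master_password: str, secret_key: str,
                          email: str, salt: bytes) -> bool:
    """A new device must present both secrets; either one alone fails."""
    candidate = make_verifier(derive_vault_key(master_password, secret_key, email, salt))
    return hmac.compare_digest(candidate, stored_verifier)


def demo() -> dict:
    """Enroll a constructed user, then try the three access combinations."""
    email = "user@example.com"          # constructed sample account
    password = "correct horse battery"  # constructed sample master password
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, would be random per user
    kit_key = generate_secret_key()     # goes into the emergency kit PDF only

    verifier = make_verifier(derive_vault_key(password, kit_key, email, salt))

    return {
        "both_secrets": login_from_new_device(verifier, password, kit_key, email, salt),
        "key_only_wrong_password": login_from_new_device(verifier, "guess123", kit_key, email, salt),
        "password_only_wrong_key": login_from_new_device(verifier, password, generate_secret_key(), email, salt),
        "retyped_key_lowercase": login_from_new_device(verifier, password, kit_key.lower(), email, salt),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'granted' if ok else 'denied'}")
```

Because the verifier depends on the secret key, someone who obtains the server's copy cannot run an offline dictionary attack on the master password alone; they would also have to guess the 160-bit key. Conversely, the kit PDF by itself is useless without the password, which is the property the post above describes.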
This is a good idea especially if itâs optional.
I'm not against the security question idea, because if you allow us to pick our own security question and enter whatever we want, you could enter a random password if you wanted to. It would be similar to a secret key but doesn't encrypt.
I know a security question is not ideal, but it's better than nothing, or even a geo-block, if you ask me.
The number of possibilities to make your own questions and your own answer is vastly more.
Plus, it's something some people might understand more easily compared to TOTP or email 2FA. I'm not a fan of email 2FA because most users put their email password in the password manager, and if you're locked out of your password manager you're also locked out of your email. But a security question is not tied to something else. It's basically another password that can have its benefits, especially if Bitwarden changes the email alert to trigger when a correct master password is entered and not on a successful login.
Then the ability to have a master password, TOTP 2FA, and a security question sound good to me for new device logins. Even master password plus security questions alone could be beneficial to some users who are afraid to use certain 2FA.
That is precisely the weak point of "security questions". How often do you have to sign in to your vault from a new device? For the majority of people it might be months/years. If you didn't write the answer to that "security question" down somewhere, you are screwed, because a normal human can't remember a password after many months/years without using it. However, the part about being able to ask your own questions and answer them gives a tiny bit of hope, but not much.
Haven't heard anybody say that, anywhere. I really hope it isn't true.
Most people put their email password in their password manager, is this not common? That is what a password manager is for. When I set new people up I always have them write down their master password and email password just for this reason.