Add an option to rotate the two-step login recovery code from the web vault

Right now, the only way of rotating the recovery code is by using it. Which disables each and every one of the two-step login methods.

So, after that you have to reconfigure all of them again.

Which, in some cases, can be quite a hassle (eg. if you have a security key stored in a remote location).

And in case of a compromise of that code (or an account compromise), rotating it is critically important.

That’s why I think it could be useful to be able to just rotate it from the web vault; the same way that you now can rotate your API Key.

Thanks.

2 Likes

I fully agree with this, but I unfortunately have no more votes.

For users whose accounts have been compromised, it is absolutely essential that the 2FA recovery code be rotated. However, because of the lack of any UI elements for doing so, most users would not be aware that they need to rotate the code. In addition, as you have noted, it can be quite cumbersome to do so, even if one knows it should be done.

A clever attacker who has gained access to the vault of a user who did not have 2FA enabled would (after exfiltrating the vault contents) enable and then disable 2FA, after which they can copy the 2FA recovery code. When the user subsequently enables 2FA (without rotating the recovery code), the attacker will be able to use their copy of the recovery code to bypass the user’s 2FA.

1 Like

This is, indeed, true.

It is also true that when the attacker used that saved recovery code, the victim would be notified by email:

A second takeover using this method could be a bit exotic, but it should be, of course, prevented by rotating that recovery code.

Account recovery is newly discussed in the current draft of NIST 800-63B. Amongst other things, it states:

At any point following enrollment, the subscriber MAY request a replacement recovery code

So, if Bitwarden desires to maintain NIST 800-63 compliance they will at some point need to implement this suggestion. I also think that the draft may cause a bit of a rethink because it states:

Account recovery is when a subscriber recovers from losing control of the authenticators … by presenting one or more recovery codes … Once this is completed, the subscriber can bind one or more new authenticators to their subscriber account.

In other words, I think the recovery code will change from removing MFA to instead logging into the two-step-login portion of the webvault.

1 Like

Agreed.

But with the actual system (one single code that is invalidated when used), there would be the risk of permanent lockout if the user did not generate and save a new code right away after using it.

Without question. The draft accommodates that:

There does not seem to be a prohibition against issuing a table of recovery codes, although it is not clearly mentioned beyond the use of plurals.

I don’t interpret the draft language in the way that you have. Note that it says “can bind” (emphasis added), not “must/shall bind”, and that the word “Once” does not imply “Immediately after”. Therefore, I think that the current behavior is already in compliance with the requirement quoted above.

I did not claim, nor do I believe that Bitwarden’s recovery mechanism is noncompliant with the draft language. Instead, I think that the draft foretells the direction of an evolution that the mechanism needs to take.

You, I and others have observed that the current mechanism (disable MFA) does not interact well with a future that requires MFA for device verification. The draft’s approach of offering a few different recovery mechanisms and focusing on reestablishing/repairing the 2nd factor seems to fit well with the that future.

That said, I did claim that the draft obliges Bitwarden to provide a way to rotate the recovery code. Although one may argue that using the code meets the requirement, that seems a bit disingenuous and per @kpris’s suggestion, I would hope the draft results in a dedicated button.

Your prediction of the future is different from my prediction of the future, I suppose.