That is what Bitwarden had better do, just like Google.
A cryptographic blob of your vault is stored with Bitwarden, but they don't have knowledge of your password. In order to implement this, wouldn't they have to know what your password is?
No, they don't. They store a heavily hashed version of the master password, and this is what is used as the first authentication factor (the hash of the user-entered password is compared to the stored hash).
No? Why would this be the case? Your master password is hashed through the KDF in your browser, and this is what Bitwarden knows. Alerting a user that a hash doesn't match the hash they store would not allow Bitwarden to know that master password.
Why would Bitwarden need to know the password to alert for a failed login attempt?
They don't have the master password, I know, and I am not a programmer, but I know they figure out somehow that your entered password is correct before sending you to the 2FA stage. They probably have a hashed form of the master password to compare whether it's correct or not. All I am saying is that if someone attempts to log in and gets past the password stage and then didn't enter the correct 2FA code, they send an e-mail to warn the person. I think this feature is practical and not too hard to add.
No, try an incorrect password and you will never see the 2FA stage. They probably have a hashed form of your password to compare with what your client sends, to determine whether to show you the 2FA process.
I think you misunderstand how MFA works. MFA is only applicable in the application stage. Your vault is encrypted using a hashed password using KDF (PBKDF2 in Bitwarden's case). That is all the vault needs to decrypt your data. All MFA does is require another form of identity before the Bitwarden application allows the start of the decrypting of your data. It doesn't use your Second Factor as part of the decryption.
Bitwarden the application should be able to recognise a passed first Factor attempt and then be able to see a failed second factor. All this feature requests is that the end user gets notified of this.
I know that, if someone has the right master password in their attempt to log in they will create a hash form of it that matches the server side, but then they will be stuck with the 2FA authenticator. In this case I am saying that Bitwarden sends an email that someone entered your master password correctly but they couldn't bypass the 2FA.
Definitely a must have.
IMHO many sites simply do MFA wrong.
I mean that they will first authenticate a valid 1st factor of authentication (password), and only then proceed to ask for a valid 2FA login method as a 2nd step.
This is not proper 2FA in my opinion, but more so 2nd step authentication.
A more proper approach to MFA would be to present 2FA upon any login password and then once receiving the 2nd factor of authentication validate both factors simultaneously and only proceed if both are presented correctly.
Albeit this might introduce the smaller concern of someone gaining knowledge of what form of MFA setup you have. Though this is better than the knowledge gained from verifying a correct login password, as an attacker simply wouldn't know if it's the password or the 2FA that is not valid for login.
Rate limiting can only do so much.
I'm absolutely for this feature; if a valid master password is entered but the MFA factor failed, this should send the user an alert.
Just clarifying what you mean. Are you suggesting to ask for the traditional second factor first? I'm not 100% sure what you mean.
In other words, regardless of whether or not the password is correct, ask for the second factor. If the second factor is only asked for upon entering a correct password, this could be used maliciously to verify that the master password is correct.
No, someone tried to log in to your account; what are they going to do? First enter the master password; then, if it was valid, Bitwarden will ask for the 2FA code. I am just saying, if someone tried to log in and entered the valid password but then he/she can't bypass 2FA, Bitwarden sends an e-mail about this.
Bitwarden asks for the 2FA code only when you entered the valid master password before.
This was meant as a reply to cksapp
Sorry if this wasn't clear. It is definitely different than most are used to, though it is as @BW_Michael points out
and even repeated
I don't fault Bitwarden for this, most common MFA authentication follows this flow, but this does essentially "verify" if an attacker has successfully used a correct master password if they are then presented with the 2FA prompt.
graph LR
subgraph "Alternative MFA Flow"
direction LR
u.a(User) -- Any Password --> 1.a(Validate Master Password)
u.a -- Any 2FA Code --> 2.a(Validate 2FA Token)
1.a & 2.a --Both must verify--> v.a(Vault)
end
subgraph Typical 2FA flow
direction LR
u(User) -- Password --> 1(Validate Master Password) -- 2FA --> 2(Validate 2FA Token) --> v(Vault)
end
In an alternative flow one would be presented with the MFA prompt regardless of using the correct password or not, and only upon validating both forms of authentication (password + 2FA) gain access to an account.
This would mean that an attacker would not know if it was the password, the 2FA token, or both simultaneously that was not valid and failed to gain access.
In the typical example, once an attacker gets to the MFA prompt they have validated that the password is correct and only the 2FA is needed.
All this being a tangent and my own thoughts on the matter unrelated to the core of this feature request, on a side note.
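The two flows drawn above, and the e-mail alert this feature request asks for, as an added simulation (this is illustration code written for this thread, not Bitwarden's client or server code). The client-side PBKDF2 step, the iteration count, the per-user salt derived from the username and the TOTP secret are all constructed assumptions. The point it shows: in the typical flow the server's response, or the mere appearance of the 2FA prompt, already tells the caller the master password was right; in the alternative flow both factors are evaluated and a single "denied" comes back, while the server can still record internally that a valid password was followed by a failed second factor and notify the account owner.

```python
import hashlib
import hmac
import struct

KDF_ITERATIONS = 100_000  # illustrative PBKDF2 cost; an assumption, not a Bitwarden parameter
TOTP_STEP = 30
TOTP_DIGITS = 6


def derive_auth_hash(master_password: str, salt: bytes) -> bytes:
    """Client-side step: stretch the master password with PBKDF2 and send only the
    result. The server stores and compares this hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS)


def totp(secret: bytes, timestamp: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time; deterministic for testing."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


class AuthServer:
    """Toy server holding only the auth hash and the TOTP secret per user."""

    def __init__(self):
        self.users = {}   # username -> {"salt", "auth_hash", "totp_secret"}
        self.alerts = []  # (username, reason) e-mails the server would send

    def register(self, username: str, master_password: str, totp_secret: bytes) -> None:
        salt = username.encode("utf-8")  # constructed; a real system uses per-user random salts
        self.users[username] = {
            "salt": salt,
            "auth_hash": derive_auth_hash(master_password, salt),
            "totp_secret": totp_secret,
        }

    def _password_ok(self, username: str, master_password: str) -> bool:
        user = self.users[username]
        candidate = derive_auth_hash(master_password, user["salt"])  # what the client would send
        return hmac.compare_digest(candidate, user["auth_hash"])

    def _code_ok(self, username: str, code: str, timestamp: int) -> bool:
        expected = totp(self.users[username]["totp_secret"], timestamp)
        return hmac.compare_digest(expected, code)

    def login_typical(self, username: str, master_password: str, code: str, timestamp: int) -> str:
        """Typical two-step flow: the password is judged first, so reaching the 2FA
        step (or the distinct 'bad_password' answer) confirms the password."""
        if not self._password_ok(username, master_password):
            return "bad_password"  # distinguishable response: a password oracle
        if not self._code_ok(username, code, timestamp):
            # The thread's feature request: valid password, failed second factor -> notify owner.
            self.alerts.append((username, "valid master password, 2FA failed"))
            return "bad_2fa"
        return "ok"

    def login_alternative(self, username: str, master_password: str, code: str, timestamp: int) -> str:
        """Alternative flow: collect both factors up front, evaluate both, and return
        one generic failure so the caller cannot tell which factor was wrong."""
        password_ok = self._password_ok(username, master_password)  # both checks always run
        code_ok = self._code_ok(username, code, timestamp)
        if password_ok and not code_ok:
            # Still alert internally: the owner learns the password is known, the caller does not.
            self.alerts.append((username, "valid master password, 2FA failed"))
        return "ok" if (password_ok and code_ok) else "denied"


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery", b"constructed-totp-secret")
    now = 1_700_000_000
    good = totp(b"constructed-totp-secret", now)
    bad = f"{(int(good) + 1) % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"
    print("typical, right password, wrong code:", srv.login_typical("alice", "correct horse battery", bad, now))
    print("alternative, right password, wrong code:", srv.login_alternative("alice", "correct horse battery", bad, now))
    print("alerts queued:", srv.alerts)
```

The `_password_ok` and `_code_ok` helpers use `hmac.compare_digest` so the comparison itself does not leak through timing; the alternative flow additionally computes both booleans before branching so that a wrong password does not short-circuit the TOTP check. Rate limiting, as noted above, still applies on top of either flow.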
I absolutely agree with this and think it would be a great idea and should be something the user is notified about especially since this would advise a user that their master password is known and their vault is at risk.
Bitwarden could present a randomly chosen 2FA challenge if the master password is incorrect. That would have the benefit that if the master password is entered incorrectly by the authorized account owner (e.g., a typo), then they would realize that they mis-typed the password when they see a 2FA prompt that is not actually enabled for their account.
I agree with your recommendation, but the UX for the user who simply makes a mistake should be taken into consideration. They should have a way of revealing the master password to check for typos, which may be difficult when the 2FA prompt is on a new screen.
In any case, this discussion may be straying from the original request, but may merit its own Feature Request topic.
I completely understand now and agree with that statement. As a security stance this would be a whole lot better.
The only part that has me doubting is having to walk an end user through this. I work and I assume will always work with people who crumble when you ask them to create a password longer than 6 characters, never mind using MFA. This would make us both have nightmares for different reasons.
Of course ease of use is no excuse for bad security or we'd all just have usernames and that is it. A much better implementation of MFA and not something that has crossed my mind before.
If you don't mind, those diagrams are excellent; mind if I grab them?
So I see a lot of people say that Bitwarden servers themselves do not know if the password was a pass or fail, and that could be true, but the client does, right? So why not set up the client with a simple note that goes back to the Bitwarden servers, saying to send an email out with a note that the PW failed? I assume it could also tell if the 2FA failed. Add the IP address of the originating client, and boom, failed email attempt warning.
I mean, the client is hashing everything, so it knows if it's a pass or fail; it just needs to have a conduit telling BW to send the email.
I might be late to the game, but I think this is quite important, and I know it's possible.