As an FYI, if you sign into a Google account with Advanced Protection enabled and you enter the correct password and then don’t tap your security key, you will get either a “Security Alert” or a “Critical Security Alert.”
I believe this is a feature in the business version as it retains login logs. But the personal one, for privacy reasons, doesn’t create any login logs. Having said that, that’s not an excuse not to have this I agree it is quite important.
No, they don’t. They store a heavily hashed version of the master password, and this is what is used as the first authentication factor (the hash of the user-entered password is compared to the stored hash).
No? Why would this be the case? your master password is hashed through the KDF on your browser and this is what Bitwarden knows. Alerting a user that a hash doesn’t match the hash they store would not allow Bitwarden to know that master password.
Why would Bitwarden need to know the password to alert for a failed login attempt?
They don’t have master password I know and I am Not programmer but I know they figure out some how that your entered password is correct that sending you to 2Fa stage. they probably have hashed form of masterpasword to compare its correct or not all I am saying is that if some one attempt to login and bypass password stage and then didnt enter the correct 2FA code they sent a e-mail to warn the people I think this feature practical and Not too hard to add
I think you misunderstand how MFA works. MFA is only applicable in the application stage. Your vault is encrypted using a hashed password using KDF (PBKDF2 in BItwarden’s case). That is all the vault needs to decrypt your data. All MFA does is require another form of identity before the Bitwarden application allows the start of the decrypting of your data. It doesn’t use your Second Factor as part of the decryption.
Bitwarden the application should be able to recognise a passed first Factor attempt and then be able to see a failed second factor. All this feature requests is that the end user gets notified of this.
I know that , if someone have right masterpassword in their attempt to login they will create a hash form of it that match the serverside but then they will stuck with 2Fa authenticator. in this case i am sayin that bitwarden send a email that someone entered ur master password correctly but they couldnt bypass the 2FA
I mean that, they will first authenticate a valid 1st factor of authentication (password), and only then proceed on to ask for a valid 2FA login method as a 2nd step.
This is not proper 2FA in my opinion, but more so 2nd step authentication.
A more proper approach to MFA would be to present 2FA upon any login password and then once receiving the 2nd factor of authentication validate both factors simultaneously and only proceed if both are presented correctly. Albeit this might introduce the smaller concern of someone gaining knowledge to what form of MFA setup you have. Though this is better than the knowledge gained from verifying a correct login password, as an attacker simply wouldn’t know if it’s the password, or 2FA that is not valid for login.
Rate limiting can so do much.
I’m absolutely for this feature, if a valid master password is entered but the MFA factor failed this should send the user an alert
In other words, regardless of whether or not the password is correct, ask for the second factor. If the second factor is only asked for upon entering a correct password, this could be used maliciously to verify that the master password is correct.
No, Someone tried to login your account what they gonna do? first enter masterpassword then if it was valid bitwarden will ask for 2FA code just I am saying If someone tried to login and entered the valid password but then he/she can’t to bypass 2FA. bitwarden send a e mail about this.
Sorry if this wasn’t clear. It is definitely different than most are used to, though it is as @BW_Michael points out
and even repeated
I don’t fault Bitwarden for this, most common MFA authentication follows this flow, but this does essentially “verify” if an attacker has successfully used a correct master password if they are then presented with the 2FA prompt.
subgraph "Alternative MFA Flow"
u.a(User) -- Any Password --> 1.a(Validate Master Password)
u.a -- Any 2FA Code --> 2.a(Validate 2FA Token)
1.a & 2.a --Both must verify--> v.a(Vault)
subgraph Typical 2FA flow
u(User) -- Password --> 1(Validate Master Password) -- 2FA --> 2(Validate 2FA Token) --> v(Vault)
In an alternative flow one would be presented with the MFA prompt regardless of using the correct password or not, and only upon validating both forms of authentication (password + 2FA) gain access to an account.
This would mean that an attacker would not know if it was the password, the 2FA token, or both simultaneously that was not valid and failed to gain access.
In the typically example once an attacker gets to the MFA prompt they have validated the password is correct and only the 2FA is needed.
All this being a tangent and my own thoughts on the matter unrelated to the core of this feature request, on a side note.
I absolutely agree with this and think it would be a great idea and should be something the user is notified about especially since this would advise a user that their master password is known and their vault is at risk.
Bitwarden could present a randomly chosen 2FA challenge if the master passsword is incorrect. That would have the benefit that if the master password is entered incorrectly by the authorized account owner (e.g., a typo), then they would realize that they mis-typed the password when they see a 2FA prompt that is not actually enabled for their account.
I agree with your recommendation, but the UX for the user who simply makes a mistake should be taken into consideration. They should have a way of revealing the master password to check for typos, which may be difficult when the 2FA prompt is on a new screen.
In any case, this discussion may be straying from the original request, but may merit its own Feature Request topic.