Alerting users about login attempts that are blocked by 2FA, NOT master password

I completely understand now and agree with that statement. As a security stance this would be a whole lot better.

The only part that has me doubting is having to walk an end user through this. I work and I assume will always work with people who crumble when you ask them to create a password longer than 6 characters, never mind using MFA. This would make us both have nightmares for different reasons.

Of course ease of use is no excuse for bad security or we’d all just have usernames and that is it. A much better implementation of MFA and not something that has crossed my mind before.

If you don’t mind, those diagrams are excellent; mind if I grab them?

Feel free, hopefully this should work?
A Better Way To MFA


So I see a lot of people say that Bitwarden servers themselves do not know if the password was a pass or fail, and that could be true, but the client does, right? So why not set up the client as a simple note that goes back to the Bitwarden servers, saying to send an email out with a note that the PW failed? I assume it could also tell if the 2FA failed. Add the IP address of the originating client, and boom, failed email attempt warning.

I mean, the client is hashing everything, so it knows if it’s pass or fail; it just needs to have a conduit telling BW to send the email.

I might be late to the game, but I think this is quite important, and I know it’s possible.

I don’t think anybody has made that statement in this thread, and also, it is not accurate. Bitwarden’s servers will definitely know if you entered the correct password or not — that’s how they decide whether to give you access to the vault.