Allow TOTP generation in emergency access

If I have a premium plan and I designate a non-premium user as an emergency contact (view access level), when he accesses my vault he cannot see the TOTP codes because a premium plan is required.

In my case the user I want to invite doesn’t use Bitwarden as a password manager, but he would use it just in an emergency situation, to access my vault, so it would be useless for him to pay for the premium yearly plan.

I think this is a common situation, so it would be useful to allow non-premium users to see the TOTP codes during an emergency access into a premium user's vault.

That really makes sense to me!

If the emergency-access option is view-only it won’t show - but if you do an account takeover you’ll be able to use their premium status.

Also, you can put the key into any other app to generate the code 🙂

1 Like

Not sure I understand why it cannot be seen in view-only?

The view-only option is just displaying the data saved, not performing any client functions like auto-filling, TOTP generation, etc. It’s just that - data.

To have full functionality of someone else’s vault, you should use the takeover option.

I wouldn’t compare auto-filling with TOTP generation. Auto-filling is an additional feature, while TOTP generation is a very important primary function. Without TOTP it’s impossible to log into my accounts, so if someone needs emergency access, the passwords would be nearly useless without the TOTP.

Yes, I know that TOTP could also be generated with other apps, but in an emergency situation it may happen that someone who is not too familiar with technology needs to access my account, and it would therefore be much easier and safer to be able to generate the TOTP directly from Bitwarden.

For important sites you should definitely have backup codes and the less advanced user can simply use one of them to get into one of your accounts.

Hey, that’s scary. If I hadn’t been a curious user reading the forums, my emergency access would have been useless when I or my family needed it most!

The text on the “emergency access” option needs to be amended ASAP as a stopgap to make users aware of this gotcha with TOTP/Emergency View, as this has potential to hurt people. What any user would reasonably expect is, “if I got the emergency access, I can log in to his Bitwarden and get his credentials for X purposes”. What they get is “hey, I cannot access any of his TOTP accounts!” (exactly the ones that matter).

This shouldn’t (IMHO) be a feature request but a bug and a showstopper one at that.

Just having created emergency accesses myself, I am presented with 2 options (exact text from the page). No mention of any difference between choices other than changing the master password:
View - Can view all items in your own vault.
Takeover - Can reset your account with a new master password.

As a minimum, the “View” text should be something along the lines of “Can view all items in the vault, except TOTP codes, and does not allow auto-fill, too”.

If purchasing a premium account would allow users with Emergency View to get access to TOTP, please state so, too. That would be another possible workaround - if users know it.

If this is a matter of subscription, I would gladly pay another one just to have my emergency view assignee have “full view including TOTPs” when needed. It is useless without it.

The issue with takeover is that I can imagine the following happening:

  • I have an emergency and disappear. Family takes over account to log into accounts and investigate.
  • I “re-appear” somewhere. Still in a bit of danger, but mostly safe - to get to complete safety, I just need to access one account and… whoops. I don’t have access to my Bitwarden anymore (was taken over).

Yeah, bit of a stretch, maybe - but can happen.

In any case, more than enough reason to improve the text on “emergency access” with what it does, how it works, limitations and gotchas.

Emergency access is the kind of thing that, if needed, cannot fail.

Better be extra verbose and allow users to make an informed choice.

As emergencies go - people get angry/scared/confused. Imagine a father that got emergency access to the account of his disappeared-while-trekking son. He now thinks he can use location history on his Google account, or message history on his Facebook account, or private messages anywhere as a lead to find out where his son is - but he cannot as his son was security conscious and had TOTP everywhere… he will be very angry, and at Bitwarden no less.

Sorry to be a bit long and over-the-top, but the View Only emergency access is dangerous as it is, as it can potentially be useless during an emergency. Please fix the wording, at a minimum.

And thanks for the excellent product btw. Whole family uses and loves it!

7 Likes

atmz, I think you are correct and would love to see this feature implemented. I want to give my family full access to my passwords in case of an emergency but I don’t want anyone to be able to change my passwords to lock me or other family members out.

What does that mean?

atmz is the username I was replying to.

Thank you Secart.

Hi atmz, if I’m not mistaken, the grantee who initiated an emergency access request and doesn’t have a premium account won’t be able to generate the Time-based One-time Passwords (TOTP) with his Bitwarden apps, but he can see the Authenticator Key (shared secret) that is used to generate the TOTPs.

So, as tgreer mentioned before, the grantee could just copy this key/shared secret into an authenticator app of his choice to then generate the TOTPs.
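What copying the Authenticator Key into another app amounts to, as an added example that is not part of the original thread and not Bitwarden's code: a standard RFC 6238 TOTP generator, showing that the key visible in a view-only vault is sufficient to derive the codes. It assumes the key is stored either as a bare base32 secret or as an `otpauth://` URI; the function names and `SAMPLE_KEY` are hypothetical, and the sample key is the published RFC 6238 test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test secret, base32-encoded as an
# authenticator app would expect it. Not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

ALLOWED_ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256,
                 "sha512": hashlib.sha512}

def parse_authenticator_key(value):
    """Accept a bare base32 secret or an otpauth:// URI.

    Returns (key_bytes, digits, period_seconds, hash_constructor).
    Defaults (6 digits, 30 s, SHA-1) are the common authenticator settings.
    """
    digits, period, algo = 6, 30, "sha1"
    secret = value.strip()
    if secret.lower().startswith("otpauth://"):
        query = parse_qs(urlparse(secret).query)
        secret = query["secret"][0]
        digits = int(query.get("digits", [digits])[0])
        period = int(query.get("period", [period])[0])
        algo = query.get("algorithm", [algo])[0].lower()
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    # Keys are often displayed lower-case and grouped with spaces or dashes.
    secret = secret.replace(" ", "").replace("-", "").upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return base64.b32decode(secret), digits, period, ALLOWED_ALGOS[algo]

def totp(value, at=None):
    """Return the TOTP code for the given key at Unix time `at` (default: now)."""
    key, digits, period, hash_fn = parse_authenticator_key(value)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hash_fn).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    print("current code for the sample key:", totp(SAMPLE_KEY))
```
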

So why am I paying for Bitwarden Premium if I need to use another app to generate the TOTPs?

Because generation from Bitwarden is much more convenient and quicker, and as I @atmz already pointed out, in an emergency, this convenience is even more necessary.

Not all people are tech-savvy, probably none of my family members knows that they can use the code they find in Bitwarden to generate a TOTP with another application, so in case of emergency, it would be very difficult for them to get into my account.

I agree with you, it’s probably not the most convenient way for a grantee who uses a Basic Free Account, but at least the view-only access is not useless. From a user’s perspective, obviously, I wouldn’t mind if Bitwarden allowed grantees to view all of the grantor’s data including the premium features, but at the same time I understand the current policy.

View-only: The grantee uses HIS account (and therefore only his enabled features) to view the grantor’s items – I assume, similar to shared items. I could imagine that the implementation is quite complex to enable his application to show premium features for the shared items but only free account features for his own items.

Takeover: The grantee gets full access to the grantor’s account including the premium features the grantor is paying for.

I also agree with you that there are probably many non-tech-savvy people that have no idea how to use the Authenticator Keys to generate TOTPs in another application, but these people could just upgrade to a Premium Account (I would argue that 10 USD are quite reasonable in an emergency situation), or we could just grant them full temporary access (for free) if we trust them to hand over the new password after they gained access.

But even if I understand the current situation/policy, I’m not writing this to undermine the request for this feature, and in case it’s “easy” to implement the activation of the premium features in the view vault within the grantee’s settings, which is currently separated from his own vault anyway: +1 for this feature request.