I’ve appreciated when other services either email me when I log in or send me an email token for never-seen-before devices or IP addresses. You’ve already implemented email token validation, so requiring email for all new devices, in addition to whatever other 2FA was set up, should be an incremental feature.
Another approach could be a notification sent to all logged-in devices, to allow or disallow the new login. For extra credit, you’d include the requesting IP address. For extra-extra credit, you’d do a reverse geo lookup to say where the login was coming from.
I’d assume it’d be an opt-in option, and I’d be fine with either approach, but it’d be nice if I could get notified when new devices were being granted access to my secrets.
Thanks for BitWarden!
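As an added illustration of the first approach described in the post (not Bitwarden's code, and not claimed to match how its email token validation works), here is a small Python sketch of a new-device check layered on top of an already-completed password/2FA login: an unknown device gets a one-time emailed token bound to that device, stored only as a hash, with an expiry and an attempt limit. Names such as `begin_login`, `complete_login`, `TOKEN_TTL_SECONDS` and `MAX_ATTEMPTS` are assumptions for the example; the `send_email` callback stands in for whatever mail sender a real service would use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical policy values for this example.
TOKEN_TTL_SECONDS = 10 * 60   # challenge expires after ten minutes
MAX_ATTEMPTS = 3              # wrong guesses before the challenge is discarded


@dataclass
class PendingChallenge:
    token_hash: str           # sha256 of the emailed token; plaintext is never stored
    expires_at: float
    ip: str                   # requesting IP, included in the email so the user can judge it
    attempts: int = 0


@dataclass
class User:
    # Devices that completed the email challenge, stored as hashes of the
    # device identifier so a leaked table does not reveal raw identifiers.
    known_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # device_hash -> PendingChallenge


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def begin_login(user: User, device_id: str, ip: str, send_email, now=None) -> str:
    """Call after password and any configured 2FA have already been verified.

    Returns "ok" for a device that has been seen before, or "verify" after a
    challenge token has been emailed for a never-seen-before device.
    """
    now = time.time() if now is None else now
    dev = _hash(device_id)
    if dev in user.known_devices:
        return "ok"
    token = secrets.token_urlsafe(32)
    # The challenge is keyed by device hash, so the token is bound to the
    # device that requested it and cannot be redeemed from another one.
    user.pending[dev] = PendingChallenge(_hash(token), now + TOKEN_TTL_SECONDS, ip)
    send_email(ip, token)   # a real deployment might add a reverse geo lookup of `ip` here
    return "verify"


def complete_login(user: User, device_id: str, token: str, now=None) -> bool:
    """Redeem an emailed token; on success the device becomes trusted."""
    now = time.time() if now is None else now
    dev = _hash(device_id)
    challenge = user.pending.get(dev)
    if challenge is None:
        return False
    if now > challenge.expires_at:
        del user.pending[dev]
        return False
    challenge.attempts += 1
    # Compare hashes in constant time so a guess cannot be refined via timing.
    if not hmac.compare_digest(challenge.token_hash, _hash(token)):
        if challenge.attempts >= MAX_ATTEMPTS:
            del user.pending[dev]
        return False
    del user.pending[dev]           # single use
    user.known_devices.add(dev)     # this device no longer triggers a challenge
    return True


if __name__ == "__main__":
    # Constructed walk-through: first login from a new laptop, then a repeat login.
    outbox = []
    alice = User()
    mail = lambda ip, tok: outbox.append((ip, tok))
    print(begin_login(alice, "laptop-1", "203.0.113.5", mail, now=1000))   # verify
    ip, tok = outbox[0]
    print(complete_login(alice, "laptop-1", tok, now=1001))                 # True
    print(begin_login(alice, "laptop-1", "203.0.113.5", mail, now=2000))   # ok
```

The check runs only after the existing factors have passed, so it adds to, rather than replaces, whatever 2FA the account already has; the token is hashed at rest, bound to one device, single-use, time-limited, and discarded after a few wrong guesses.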