Bitwarden prompts to update login after entering 2FA / verification code

When using the Bitwarden Chrome extension to log into sites that require a second-step verification code (especially banks), I keep running into an unnecessary prompt to update my saved login.

Typical flow:

  1. I autofill username and password using Bitwarden
  2. The site sends a 6-digit verification code via SMS
  3. I enter the verification code
  4. Bitwarden then prompts asking if I want to update the saved password to the one-time code

This is disruptive because the password has not changed. The only new input is a one-time verification code, which is a normal and frequent part of login flows for financial institutions and other secure services.

In one case, I accidentally accepted the update prompt and it overwrote my stored password with the one-time verification code. I then had to go through the process of recovering my bank account password. That is a serious failure mode for this behavior.

It would be helpful if Bitwarden could reliably distinguish verification code fields from credential changes and avoid treating OTP input as an update to saved login data. This pattern is extremely common in banking and other secure login flows, and the current behavior creates unnecessary risk and friction.

If you had a site where others – ideally without having an account there – could reproduce this, you could report this as a bug on GitHub (“New issue”).

Some advice for the next time: Every login item stores the last (previous) five passwords in the password history.

I can see that. That’s one other reason why it’s a common recommendation to uncheck the “Ask to update existing login” option in Settings → Notifications, and make all changes manually and intentionally. (And apart from that: as mentioned above, consider reporting it on GitHub.)

If there are specific sites that you use frequently, you should be able to avoid the problem either by adding the corresponding host name (FQDN) to the exclusions list at Settings > Notifications > Excluded Domains, or by using URI match detection settings and/or custom fields. If you need assistance getting this configured, please let us know (and post the website URL, if possible).