Bitwarden's upcoming mandatory 2FA is unacceptable


I received this email informing me that Bitwarden will soon require two-factor authentication via email. I pay for Bitwarden premium and use its two-factor authentication feature for all of my other accounts, including my email. This means that my email will require 2FA from Bitwarden, while Bitwarden will require 2FA from my email, which could completely prevent me from logging into either.

I shouldn’t need to explain why this is potentially catastrophic. It is baffling to me that this idea even got off the ground. I will be cancelling my membership unless this change is reconsidered.

@graz Hi!

  1. I do see problems with this change, too…
  2. To prevent “the catastrophe”, it becomes mandatory, IMHO, to store the login credentials (password, 2FA…) to your email account (that’s associated with Bitwarden) on your emergency sheet besides the usual: master password, 2FA recovery code, server region (US/EU)…
  3. “I will be cancelling my membership unless this change is reconsidered.” → Remember at least, that this is a community forum, and it may be the case, that the Bitwarden team reads this here as well. But if you want to be sure, you have to write to Bitwarden support directly.
  4. As this is about the Bitwarden password manager, I will change the tag to that. (it is now “Authenticator”, which is about the dedicated Bitwarden authenticator app for TOTP codes only…)

@graz My understanding is that this notice was sent to you by mistake. If you already have 2FA enabled, the new device verification process will not be triggered for you, and you should “expect no changes to the way login works” (source). The only exception may be an edge case in which you log in with a new device after using your 2FA recovery code (which disables all of your 2FA methods), but before re-enabling 2FA; per the response here, Bitwarden may consider adjusting how new device verification works following use of the recovery code.

More information (and discussion) about this change is available in the following thread:

Maybe, maybe not. First of all, if you already have 2FA enabled, then the 2FA recovery code should work (even if you are using a new device and if you no longer have access to your Bitwarden email or your other 2FA methods).

Second, this statement implies that the “new device verification” requirement can be bypassed by Bitwarden Customer Support, and that they would be willing to do so “if a user is unable to access their email or a known device” (at least in some cases).

So the main risk for “catastrophe” is for the following corner case: if a user has lost access to their Bitwarden email, as well as their “known devices” (or cleared the browser cache that holds the device identifier), then lost access to their 2FA methods, used their 2FA recovery code, but became logged out before obtaining a new recovery code (and before re-enabling 2FA), AND if this user cannot convince Bitwarden’s Customer Support to temporarily disable new device verification requirements, then that unlucky user becomes fully locked out of their Bitwarden account.

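The circular dependency described in the original post (vault needs mailbox, mailbox needs vault) and the emergency-sheet fix suggested in reply can be checked mechanically rather than argued about. The following is an added example, not code from this thread or from Bitwarden; the resource names and access rules are a constructed approximation of the setup the posts describe.

```python
from typing import Dict, FrozenSet, List, Set

# access_paths[resource] = alternative requirement sets; a resource becomes
# reachable once every member of ANY one alternative is reachable.  Names
# with no entry are "leaf" possessions the user either holds or does not.
AccessPaths = Dict[str, List[FrozenSet[str]]]

# Constructed model of the thread's scenario (hypothetical names): the vault
# needs the master password plus a known device or an email verification;
# the mailbox needs its password plus a TOTP stored in the vault or the
# mail provider's own recovery code.
CIRCULAR_SETUP: AccessPaths = {
    "bitwarden_vault": [
        frozenset({"master_password", "known_device"}),
        frozenset({"master_password", "email_inbox"}),
    ],
    "email_inbox": [
        frozenset({"email_password", "email_totp"}),
        frozenset({"email_password", "email_recovery_code"}),
    ],
    "email_totp": [frozenset({"bitwarden_vault"})],
}


def reachable(paths: AccessPaths, held: Set[str]) -> Set[str]:
    """Least fixed point: everything obtainable from what the user holds."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for res, alternatives in paths.items():
            if res not in have and any(alt <= have for alt in alternatives):
                have.add(res)
                changed = True
    return have


def can_log_in(paths: AccessPaths, held: Set[str], target: str = "bitwarden_vault") -> bool:
    return target in reachable(paths, held)


def single_unlockers(paths: AccessPaths, held: Set[str], target: str = "bitwarden_vault") -> List[str]:
    """Leaf items that, added alone to `held`, break the lockout: the
    candidates for the emergency sheet."""
    leaves = {r for alts in paths.values() for alt in alts for r in alt} - set(paths)
    return sorted(leaf for leaf in leaves - held if can_log_in(paths, held | {leaf}, target))


if __name__ == "__main__":
    # New device, browser cache cleared: only the two memorised passwords remain.
    held = {"master_password", "email_password"}
    print(can_log_in(CIRCULAR_SETUP, held))        # False: fully locked out
    print(single_unlockers(CIRCULAR_SETUP, held))  # ['email_recovery_code', 'known_device']
```

Adding the mailbox recovery code to the emergency sheet is enough to break the cycle in this model; adding a vault-stored TOTP is not, because it is itself behind the lock.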