Bitwarden's upcoming mandatory 2FA is unacceptable

Maybe, maybe not. First of all, if you already have 2FA enabled, then the 2FA recovery code should work (even if you are using a new device and if you no longer have access to your Bitwarden email or your other 2FA methods).

Second, this statement implies that the “new device verification” requirement can be bypassed by Bitwarden Customer Support, and that they would be willing to do so “if a user is unable to access their email or a known device” (at least in some cases).

So the main risk for “catastrophe” is for the following corner case: if a user has lost access to their Bitwarden email, as well as their “known devices” (or cleared the browser cache that holds the device identifier), then lost access to their 2FA methods, used their 2FA recovery code, but became logged out before obtaining a new recovery code (and before re-enabling 2FA), AND if this user cannot convince Bitwarden’s Customer Support to temporarily disable new device verification requirements, then that unlucky user becomes fully locked out of their Bitwarden account.