Help me understand all ways Bitwarden will/can bypass 2FA. I have been using BW for a couple of years and would like to make it my primary password app, but I’m struggling with accepting 2FA override/recovery/bypass. I don’t want any type of bypass - period. I was reading Reddit this morning and someone had lost access to their email but still knew their password, called Bitwarden support and support disabled the code to email for the customer so they could authenticate a new device.
Maybe I’m overreacting, but support overriding 2FA in any way is horrifying. Even the fact that they have the ability to do it seems to devalue having hardware keys. Could some miscreant who somehow gets my password call them up, explain how they lost the keys, and have the 2FA disabled?
I have never heard this for Bitwarden’s 2FA. If at all, that could have been the new device verification (which is set up by default for everyone who hasn’t activated 2FA for their Bitwarden account – and about which there were some statements that Bitwarden customer support could do something if you lose access to the email address that the verification code would be sent to).
Could you provide the source / link to that Reddit post?
When 2FA is set up, then only using one of the 2FA methods you set up and using the 2FA recovery code will work.
This is a misunderstanding. That user did not have any 2FA enabled for their Bitwarden account, or else they would not have been challenged with Bitwarden’s recently implemented “New Device Login Protection” (which sends an email verification code to users who have not enabled 2FA). Yes, customer service can disable “New Device Login Protection” on a case-by-case basis, but you should think of “New Device Login Protection” more as a nag mechanism for encouraging users to enable 2FA (which by itself completely disables the “New Device Login Protection” process).
What if you lose access to your hardware keys (or if they malfunction)? Are you willing to risk complete loss of all contents in your Bitwarden vault?
The main way would be to steal your personal 2FA Reset Code. Accessing this would require the attacker to either gain access to your web vault, or to steal the code by phishing or social engineering attacks, or by accessing your Emergency Sheet (the security of which you are in complete control of).
Another way to bypass the 2FA would be to access one of your devices on which you have previously used the “Remember Me” option when logging in to Bitwarden within the past 30 days.
I may have been overreacting then. I’ll do some further reading on their policies concerning it. I really don’t want any ability to have 2FA bypassed under any circumstance. I’d prefer they don’t even have a recovery key created.
The only way to prevent the recovery key from being created is to never enable 2FA on your account. After you have enabled 2FA (even if you later disable all 2FA), the recovery code remains associated with your account.
However, if you simply refrain from ever viewing the recovery code, then an attacker could not possibly access it, unless they have a way of accessing your Web Vault (which means they had access to one of your security keys, or you carelessly left a device unattended while logged in to the Web Vault).
The documentation for “New Device Login Protection” is here:
@bwquestions Thanks for the link! Interesting confirmation that they (BW) do indeed bypass the new device verification in individual cases…
But please understand again - the same thing won’t be done for any of the 2FA options if set up.
On the 2FA recovery code: if you write it down on your emergency sheet and never use it, it can’t be phished. And every code is only usable one time (a new one gets created after usage).
The entropy (**) of the 2FA recovery code should be about 165 bits, so pretty much “unguessable”.
(**): If I didn’t make a mistake: 32 characters with 36 possibilities – 26 capital letters and 10 numbers – log2(36^32) ≈ 165 bits of entropy.
However, to be sure of the entropy, one would have to delve into the source code to check whether all characters are randomly generated (and to get definitive confirmation that no alphanumeric characters are excluded). It is (theoretically) possible that some of the characters are non-random (e.g., checksums).
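As an added illustration that is not part of the thread, a small Python calculation of the figure in (**), generalized to other alphabets and lengths and to a worst-case guess-rate comparison. The alphabet (26 uppercase letters plus 10 digits) and the 32-character length are the assumptions stated in the footnote above, not something verified against Bitwarden’s source code.

```python
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a code of `length` symbols drawn uniformly and
    independently from `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def years_to_enumerate(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possible code at a fixed guess rate (worst case)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def code_matches_alphabet(code: str, alphabet: str, length: int) -> bool:
    """Format sanity check: right length and every character inside `alphabet`.
    This checks shape only; it says nothing about how randomly the code was generated,
    which is the point the post above makes about needing to read the source."""
    return len(code) == length and all(c in alphabet for c in code)


if __name__ == "__main__":
    # Figures from the thread's (**) footnote: 32 symbols from A-Z plus 0-9 (assumed).
    bits = entropy_bits(36, 32)
    print(f"36^32 -> {bits:.2f} bits")  # about 165.44
    # Comparison: a 32-character hex string is exactly 128 bits.
    print(f"16^32 -> {entropy_bits(16, 32):.2f} bits")
    # Even at an unrealistic 10^12 guesses per second the space is not enumerable.
    print(f"years at 1e12 guesses/s: {years_to_enumerate(bits, 1e12):.3e}")
    # Constructed sample code (not a real Bitwarden code) checked against the assumed alphabet.
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    print(code_matches_alphabet("ABC123" * 5 + "ZZ", alphabet, 32))
```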