For me, 2-step login defeats one of my main purposes for Bitwarden. I need to be able to log in to a random device, without access to any other device or account.
For example, I lost my phone, but I need to access my text messages or email on someone else’s phone. Or I am traveling without a phone, and I want to log in to someone’s laptop.
If this isn’t possible, then I’ll have to leave Bitwarden, but I’ll be sad to go.
… and not recommended, as in e.g. your scenario, @gobofongo, one “compromised” computer belonging to someone else (malware like a keylogger etc.) or entering your master password (regardless of how strong it is) e.g. on a fake Bitwarden phishing site would be enough to compromise and lose your vault.
Single-factor auth would be practically a non-issue (eliminating most threat models) if BW had the option to send you an email each time you log in.
You would no longer have to deal with the constant inconvenience of pulling out some device to fetch the next password plus the uncommon but vastly more annoying showstopper of breaking/losing/forgetting whatever hardware you’re depending on to always be your second factor.
So far, my master password has probably been used by someone else zero times in the past three years. (I wouldn’t know because there are no login emails.) In the same time, I have damaged a phone in a rainstorm, broken a hardware key, lost another, needed to recover the password of my TOTP authenticator account because my university decided to revoke lifetime alumni email addresses, and forgot where a paper with a bunch of GitHub single-use keys was, plus someone stole my keys and computer from my keycode-and-key-locked rental apartment in Dublin.
If someone actually gets your master password, you probably would notice an email right away on your phone (that you have 99.7% of the time but not 100%) and—presumably there would be a “that wasn’t me” link in the email—you could start damage assessment, changing your master password, etc.
Weird to me? Nobody seems remotely nervous about leaving several emergency sheets in “always secure but always accessible” (however you intend to accomplish both) locations. Most suggestions sound like the real-world analogue of security via obscurity. A drawer with a fake bottom? Tape it to the back of an appliance? Why not put it under the potted plant near the front door with your house key?
And to the statement that you can always call home to get your emergency sheet faxed to you? One in 6 people lives alone.
In the sense that the horse has left the barn and now you need to catch it. Much better to proactively install a better latch.
Good news, though. With new device verification, if you choose not to enable MFA, you will get said email when logging in with a previously unknown device. And it will have a “that’s me” link/code so you can react before the horse has escaped.
Still, I would go with MFA because industry consensus is that MFA is a significant improvement over passwords alone (regardless of their length/complexity) because it foils attacks that don’t depend upon brute force.
And no, MFA does not have to be painful. Most of us keep our vault logged in, but locked. This allows us to generally use biometric unlock, which is substantially less burdensome than even using a weak master password.
And in my explanation, I’ve had zero horses leave my barn to my knowledge. A few times the lock on a different barn got broken and I had a helluva hassle fixing it.
Not everyone shares your security stance, and I’ve put a lot of thought into my own. It involves no. physical. devices. period.
You might consider keeping an emergency sheet and maybe an occasional backup. Makes recovery nearly painless and stress-free.
And yes, you do need to consider how to protect both. If taping it to the back of an appliance is not enough, purchase a safe and bolt it to a cement floor. Or rent a bank vault. And if you live alone, “calling home” can be substituted with “call a friend/colleague with a rock”.
Everyone understands your arguments, but none of you are addressing the issue that I and brwr are talking about. I’m simply asking how to deal with BW, I’m not asking about your security priorities.
Okay, I’ll try to address the issue of your OP here:
Set up email-2FA with Bitwarden. Use a separate email address (as you don’t have to use your BW account email address for email-2FA) and set that up without 2FA, but with a random passphrase that you can memorize (in addition to your master password).
When you want to log in to Bitwarden (username + master password), you then get an OTP to that email address, and can log in to that email address with your memorized passphrase… Problem solved.
(Two comments from a security standpoint:
Master password + another passphrase might not be ideal, as strictly speaking it’s 1FA, since both are “knowledge-based”, but it’s better than nothing, and that way you are not affected by the new device verification (as long as you don’t deactivate that email-“2FA”).
And, no offence, but relying only on one, essentially phishable, master password is risky these days. But, as mentioned before, there’s still the option to opt out of the new device verification and leave 2FA disabled… though that’s obviously not recommended, as possibly every expert recommends “2FA where you can”, and not doing it with your most sensitive data, your password manager, would be an odd choice.)
Did you not read the answer that you received in the very first response to your thread? Just disable the New Device Verification feature by clicking Turn off new device login protection in the Web Vault Account Settings, and then you will be back to status quo:
If your actual complaint is about the security notices that are currently being pushed to ensure that users are prepared for the new feature when it comes, then that issue should be fixed very soon, as well: