I know BitWarden would not disable 2fa for security reasons.
But let’s say you are a paid member who used his VISA card and has all real details, including phone number, registered. It should be enough to prove identity.
Could BitWarden remove 2fa if there were no legal issues? Technically.
Decrypting your vault needs only your master password so technically I think yes. However, I don’t think there are any circumstances in which they will.
Not even in a life or death situation, or a high profile political circumstance? What if they are legally forced to do it?
I mention it not just from a privacy point of view but from a user security point of view. It could be useful for users that got locked out but can offer proof of identity: they are just removing the 2fa temporarily, and since one is the rightful owner, one can use the master password and log in. Then restore 2fa.
How many people lose their phones with the 2fa on it, or have circular dependencies between 2fa and BitWarden and forget their master password?
People should have a disaster recovery plan but not everyone is an experienced individual.
I think different organizations definitely have different rules regarding bypassing your authentication mechanisms if you can adequately prove your identity, i.e. your financial institutions, your workplaces, etc. It’s just that we’ve never heard of people being able to regain their BW account that way.
The definite ways you can regain your access are:
Keep your 2FA recovery code in a safe place. I think you can explain to most people that this is a really important step to retain access to your account (along with writing down the password). It’s simple enough, too.
Keep backups, encrypted your own way. Keep your BW email up to date, so that you can delete it and restore from the backup. I think this step is harder and is rather technical. But you need to do this kind of backup to make sure you have access all the time, even if there’s a hiccup on BW’s end.
Fairly confident there is no way to access a (locked) vault if you lose your master password. Not even a technical-only way (assuming a strong password, of course).
As regards a 2FA bypass, I think there is too much reputational damage for a password manager.
I don’t mean bypassing it as an exception, behind the scenes, but officially available if you are able to:
Prove your identity and ownership of the account.
Wait 15 days for a temporary unlock of 2fa, without changing anything else, so that you can access and recover data, then set 2fa again.
2fa is to protect YOUR account from unauthorized access, but your master password is still the security. If you get yourself locked out, then you might lose precious data because of that, which could be solved by flipping a bit in a database.
No reputational risk there; maybe a convoluted process to validate identity and privacy management, but they already store payment details and private information. Not everyone uses Bitcoin to pay or fake personal details in BitWarden.
Your credit card is already proof of ownership (but not enough); together with your private key it is impossible to unlock someone and give access to the vault by mistake, since the 2fa alone does not suffice.
Judging by the help pages, I don’t think BitWarden will do this, but I note that 1Password will, so if you create a feature request it may get implemented in BW.
BW couldn’t be more clear when a user starts out. Plainly stated you create and retain a recovery code, which allows you to “effectively suspend” the 2FA by bypassing/turning off the code. How much more simply can they say it? Even with the 2FA bypassed/turned off you get nothing without the Master Password, which as stated above, is the real security.
And the kicker is that we ALL are asked to retain a somewhat recent backup of the entire vault, which easily allows for a complete redo if anything goes wrong.
I don’t see how any user wouldn’t have a recovery code and full backup, and then even sleep at night, LOL!!
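As an added illustration of the point made several times in this thread (that 2FA gates the login while the master password is what actually protects the vault), the following is a small Python model written for this page; it is not Bitwarden's code and not code from any poster. The key hierarchy follows Bitwarden's documented scheme (a PBKDF2-SHA256 master key salted with the e-mail, HKDF-expand stretching, a random user key wrapped by the stretched key, encrypt-then-MAC items, a separate login hash sent to the server). Two things are assumptions made here: the 600,000 iteration count, and an HMAC-SHA256 counter-mode keystream standing in for AES-256-CBC because the standard library has no AES. The sample vault item, e-mail and passwords are constructed. `demo()` runs the thread's scenarios: a lost phone with 2FA still on, login with the code, an offline backup decrypted with only the master password, the support desk "flipping the bit" to disable 2FA, and a wrong password after that.

```python
"""Added model (not Bitwarden's code) of why removing 2FA does not hand anyone the vault.
Key shape follows Bitwarden's documented scheme (PBKDF2-SHA256 master key salted with the email,
HKDF-expand stretching, a random user key wrapped by the stretched key, encrypt-then-MAC items);
assumptions: 600,000 iterations, and HMAC-SHA256 counter mode standing in for AES-256-CBC."""
import hashlib, hmac, os, struct, time

KDF_ITERATIONS = 600_000  # assumption: Bitwarden's current PBKDF2 default

def master_key(password, email, iterations=KDF_ITERATIONS):
    # Derived client-side only; the salt is the lowercased email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations, 32)

def master_password_hash(mkey, password):
    # The login credential sent to the server: one more PBKDF2 round keyed by the master key.
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)

def stretched_key(mkey):
    # HKDF-expand (RFC 5869) to one 32-byte block each for info "enc" and "mac": T(1) = HMAC(PRK, info || 0x01).
    return tuple(hmac.new(mkey, info + b"\x01", hashlib.sha256).digest() for info in (b"enc", b"mac"))

def _keystream(key, nonce, length):
    # Stand-in for AES (assumption): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def totp(secret, now=None, step=30, digits=6):
    # RFC 6238 over HMAC-SHA1: what the authenticator app on the lost phone shows.
    counter = struct.pack(">Q", int((time.time() if now is None else now) // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    code = struct.unpack(">I", digest[digest[-1] & 0x0F:][:4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_login(accounts, email, pw_hash, totp_code=None):
    # The service holds a login hash, an optional TOTP secret and ciphertext; never a key.
    acct, now = accounts[email], time.time()
    if not hmac.compare_digest(acct["pw_hash"], pw_hash):
        raise PermissionError("bad master password hash")
    if acct["totp"] is not None and totp_code not in (totp(acct["totp"], now), totp(acct["totp"], now - 30)):
        raise PermissionError("2FA required")  # current and previous step accepted, as verifiers usually do
    return acct["protected"], acct["vault"]

def server_disable_2fa(accounts, email):
    # The thread's "flip a bit in a database": an access-control change, no key involved.
    accounts[email]["totp"] = None

def signup(accounts, email, password, vault_plaintext):
    # Client-side setup: only the login hash and ciphertext reach the server.
    mkey = master_key(password, email)
    enc, mac = stretched_key(mkey)
    user_key, totp_secret = os.urandom(64), os.urandom(20)  # user key = 32-byte enc || 32-byte mac
    accounts[email] = dict(pw_hash=master_password_hash(mkey, password), totp=totp_secret,
                           protected=encrypt(enc, mac, user_key), vault=encrypt(user_key[:32], user_key[32:], vault_plaintext))
    return totp_secret

def decrypt_vault(mkey, protected, vault_ct):
    # Unwrap the user key with the stretched master key, then the item; wrong password => ValueError.
    enc, mac = stretched_key(mkey)
    user_key = decrypt(enc, mac, protected)
    return decrypt(user_key[:32], user_key[32:], vault_ct)

def open_vault(accounts, email, password, totp_code=None):
    # Online path: the server gates on hash + 2FA, then the client decrypts locally.
    mkey = master_key(password, email)
    protected, vault_ct = server_login(accounts, email, master_password_hash(mkey, password), totp_code)
    return decrypt_vault(mkey, protected, vault_ct)

def _succeeds(fn):
    try:
        return fn() is not None
    except (PermissionError, ValueError):
        return False

def demo(email="user@example.com", password="correct horse battery staple"):
    """Run the thread's scenarios; returns which access paths succeed."""
    accounts, vault = {}, b'{"site": "example.com", "password": "hunter2"}'  # constructed sample item
    secret = signup(accounts, email, password, vault)
    acct, wrong = accounts[email], "not my password"
    r = {"lost_phone_no_code": _succeeds(lambda: open_vault(accounts, email, password)),
         "with_totp_code": open_vault(accounts, email, password, totp(secret)) == vault,
         # offline: a backup copy of the ciphertext plus the master password; 2FA never enters into it
         "backup_with_password": decrypt_vault(master_key(password, email), acct["protected"], acct["vault"]) == vault,
         "backup_wrong_password": _succeeds(lambda: decrypt_vault(master_key(wrong, email), acct["protected"], acct["vault"]))}
    server_disable_2fa(accounts, email)  # support "flips the bit" after identity proof
    r["after_2fa_removed"] = open_vault(accounts, email, password) == vault
    r["wrong_password_after_removal"] = _succeeds(lambda: open_vault(accounts, email, wrong))
    return r
```

Running `demo()` shows the two halves of the thread's argument side by side: without the authenticator code the server refuses the login even with the right password, and after `server_disable_2fa` the rightful owner gets in with nothing but the master password, while a wrong password still fails at the server and, for an offline backup, at the MAC check. Nothing the server stores (login hash, TOTP secret, ciphertext) is a key, which is why a support-side 2FA reset is an access-control decision rather than a cryptographic one.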
Sure. But that is not the point. I don’t know how people can use BitWarden on Windows and sleep at night, if you want to be this pedantic.
You can also get impaired while your house burns together with your printed copy of such a code, btw, and forget your password due to trauma or whatever.
It would be easier to rely on an Emergency Contact, and less risky than having to also protect a backup (BitWarden does their own). Again, if you want to be so pedantic about it.
I just hope you self-host in OpenBSD at the very least, Sir.
I do apologize if I come across as pedantic. While I don’t serve as “service support” on this forum I did on the old TrueCrypt site (now VeraCrypt). The work involved trying to rescue folks that disregarded our basic recommendations at the start of their journey with TC was massive.
e.g. creating backup headers, which takes about 2 minutes, or risking total data loss by skipping such a simple step.
And while I agree with you on the Windows comment in your post, I realize most here do in fact utilize Windows for their OS. I haven’t seen a Windows computer for over a decade. My backup info is stored off premises along with an encrypted data vault. My spouse knows exactly where to acquire it if needed, so no fire concerns either, LOL!