Device Access Whitelist

I request that there be an option to only access one’s Bitwarden Vault (via web, app, or extension) from a whitelist.

For example, if one uses Authy, if you enable the “Allow Multi-Device” tickbox, you can access Authy from any new device/platform. But when you disable it, you can access it only from those trusted devices, whether you have credentials to it or not.

I would like to be able to secure my Vault from being accessed from any device I don’t use it on; to be able to see a list of devices where it has been accessed (with customizable names that I can easily identify later); and to be able to delete a device from that whitelist.

There has been mention of an inability for a user to use device-specific access as a security measure, since the Web Vault can be accessed from any location. I request the ability to remedy this.

I agree fully. I just posted the below info to the “Account Access History” Feature Request, but this could have also helped with the issue I am dealing with currently and could help boost support for your feature request:

This is really important to have. Today I received a two-factor code text to my cell phone from my bank (they don’t support other two-factor methods). This could have either been the bank system sending the code in error, someone (or thing) trying to log into my account, or something else I am unaware of.

Well I logged into my bank account and checked my logon history (same as account access history) and was able to view a set of IP Addresses. One IP address was associated with the time that I received the two-factor text. So I was able to see that the code was tied to the event of an actual login attempt.

I called the bank and asked a series of questions. There wasn’t a history of any failed login attempts with an incorrect password. So whatever method my bank account was being signed into with had the correct username and password.

My password was randomly generated in Bitwarden. This means either someone somehow got access to my Bitwarden account, or one of my devices was compromised and in a way allowed my Bitwarden data to get compromised, or something else.

I would love to check my Bitwarden login history but can’t.

Possible duplicate of Disable new Device Login.

EDIT: Also, be aware that different browsers are seen as different devices, and clearing browser data can result in a “new device”. The behavior is similar to how bank logins “remember my device”.

Authy is different since it operates only as a dedicated app.

Possible duplicate of Session management.

I like the principle of this idea - I’d like to be able to prevent my Bitwarden vault being opened on devices I don’t specify. I guess this is easy on a mobile device with the IMEI number?

LastPass had a cool feature to only allow access to your vault from defined territories - I guess this is easily overcome with a VPN if someone knows your normal country of residence.

Perhaps accessing from a new device needs extra authentication (maybe it does already) such as entering your fingerprint phrase?

Feel free to ping if you want this feature request reopened.

After seeing a few recent posts about compromised vaults even with 2FA in place, was wondering if it’s possible to “whitelist” a device so that is the only device that can access the vault? Or is this something a hacker can easily spoof making it useless? There was a similar post in 2021 (closed Feb 8) “Device Access Whitelist” that had a few votes.

@fham I reopened the request and moved your post into it.

(emphasis my edit)

I’m not particularly against this request per se - but besides the question if there was a security gain, I would be curious to know what you would do then if you lost your “only device that can access the vault”? (stolen, broken, fallen into the ocean, destroyed in a fire, whatever…) :thinking:

1 Like

Other failure modes:

  • Reinstalling the software,
  • Factory resetting your phone
  • Erasing your browser’s cookies or setting your browser not to save them.
  • Clicking “deauthorize sessions” (maybe).

The problem with whitelists (or blacklists) is that you need a way to update them. As such, you really can not protect the whitelist itself with a whitelist without creating risk of lockout.

In a sense, new device login protection is an alternative way of accomplishing this. If it does not recognize the device, it enforces a secondary authentication for those users that do not already have MFA enabled.

You might also consider voting for “Option to force multiple login verification steps (force “multiple” 2FA / MFA)”, as it is less likely to result in lockout.

1 Like
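As an added illustration of the trade-off discussed in the post above (a hard device whitelist versus new-device verification, and why a one-device whitelist risks lockout), here is a small hypothetical policy model. It is constructed for this thread and is not Bitwarden's code; the device identifier, `Account` fields and `Decision` values are assumptions.

```python
"""Hypothetical model of a device whitelist versus new-device verification.
Constructed for illustration; this is not Bitwarden's implementation."""
from dataclasses import dataclass, field
from enum import Enum
import secrets


class Decision(Enum):
    ALLOW = "allow"
    VERIFY = "verify"   # unknown device: demand a secondary check (e.g. emailed code)
    DENY = "deny"       # whitelist enforced and device not on it


@dataclass
class Account:
    trusted: dict = field(default_factory=dict)   # device_id -> user-chosen name
    whitelist_enforced: bool = False              # hard-block unknown devices
    mfa_enabled: bool = False


def new_device_id() -> str:
    # Identifier the client stores locally (cookie / app storage). Clearing browser
    # data, reinstalling or factory resetting discards it, so the same hardware
    # comes back as a "new device".
    return secrets.token_hex(16)


def trust_device(acct: Account, device_id: str, name: str) -> None:
    acct.trusted[device_id] = name


def evaluate_login(acct: Account, device_id: str, credentials_ok: bool) -> Decision:
    if not credentials_ok:
        return Decision.DENY
    if device_id in acct.trusted:
        return Decision.ALLOW
    if acct.whitelist_enforced:
        return Decision.DENY            # a correct password alone is not enough
    if acct.mfa_enabled:
        return Decision.ALLOW           # MFA already challenges every login
    return Decision.VERIFY              # new-device protection for non-MFA users


def lockout_risk(acct: Account) -> bool:
    # With a single enforced device, losing its local state locks the user out,
    # and the whitelist cannot be edited from a device that cannot log in.
    return acct.whitelist_enforced and len(acct.trusted) < 2
```

Running it with one whitelisted device shows that a cleared-cookie login is denied outright and `lockout_risk` is true until a second device is trusted, while an account without the hard whitelist gets a verification step instead.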

Guess my choice of “only” was a mistake; if this option was a possibility, I would have at least 2 devices whitelisted, so if one of the mishaps you mentioned occurred, I would have a second device able to access the vault and make necessary changes.

And I guess, in what way a device gets “whitelisted” at all - and how “persistent” that is (like recognizing a unique hardware configuration/condition?) or if it is easily “breakable” (like some of your examples for “other failure modes” show).

I also still have some hopes for this feature: Sign into Bitwarden with a passkey / "Login with passkeys" (for all BW apps) (as login-passkeys “with encryption” could be a secure way of logging in to all BW apps)