I request for there to be an option to only access one’s Bitwarden Vault (via web, app, or extension) from a whitelist.
For example, if one uses Authy, if you enable the “Allow Multi-Device” tickbox, you can access Authy from any new device/platform. But when you disable it, you can access it only from those trusted devices, whether you have credentials to it or not.
I would like to be able to secure my Vault from being accessed from any device I don’t use it on; to be able to see a list of devices where it has been accessed (with customizable names that I can easily identify later); and to be able to delete a device from that whitelist.
There has been mention of an inability for a user to use device-specific access as a security measure, since the Web Vault can be accessed from any location. I request the ability to remedy this.
I agree fully. I just posted the below info to the “Account Access History” Feature Request but this could have also helped with the issue I am dealing with currently and could help boost support for your feature request:
This is really important to have. Today I received a two-factor code text to my cell phone from my bank (they don’t support other two-factor methods). This could have either been the bank system sending the code in error, someone (or thing) trying to log into my account, or something else I am unaware of.
Well I logged into my bank account and checked my logon history (same as account access history) and was able to view a set of IP Addresses. One IP address was associated with the time that I received the two-factor text. So I was able to see that the code was tied to the event of an actual login attempt.
I called the bank and asked a series of questions. There wasn’t a history of any failed login attempts with an incorrect password. So whatever method my bank account was being signed into with had the correct username and password.
My password was randomly generated in Bitwarden. This means either someone somehow got access to my Bitwarden account or one of my devices was compromised and in a way allowing my Bitwarden data to get compromised or something else.
I would love to check my Bitwarden login history but can’t.
EDIT: Also, be aware that different browsers are seen as different devices, and clearing browser data can result in a “new device”. The behavior is similar to how bank logins “remember my device”.
Authy is different since it operates only as a dedicated app.
I like the principle of this idea - I’d like to be able to prevent my Bitwarden vault being opened on devices I don’t specify. I guess this is easy on a mobile device with the IMEI number?
LastPass had a cool feature to only allow access to your vault from defined territories - I guess this is easily overcome with a VPN if someone knows your normal country of residence.
Perhaps accessing from a new device needs extra authentication (maybe it does already) such as entering your fingerprint phrase?