Device Verification: option to automatically consider device as verified after a waiting period

Bitwarden plans to try introducing Device Verification a second time after pulling back from the last attempt in 2022, and people are understandably upset because most of their email providers also enforce a system like Bitwarden’s Device Verification, and it makes it possible for one to be entirely locked out of their Bitwarden account, and subsequently, every online account they have if they don’t specifically plan for accounting for the Device Verification workflow.

I think it may make more sense to have a waiting period, where after a duration of time has passed, the device will be automatically considered as verified. More details are available in this post, which I have reproduced below:

When designing this feature, were there any thoughts about making it so that unrecognized devices are subject to a waiting period (e.g. 2 days, but adjustable by the user) before getting auto-approved? The user will get notified about the unrecognized device, via emails, notifications in the desktop/mobile app, notifications in the browser extension, etc. and can either explicitly accept the device as verified to skip the waiting period, or reject the device (and then change the vault password if needed). That way, in the worst case scenario where the user can’t access their trusted devices, the only consequence would just be an annoying waiting period as opposed to being 100% unable to access their vault.

I am interested in this history, if you have any links or references.

Sure, here’s a list of links I could find with discussion from around this time:

Interesting… before that, I wondered more and more about “why not just force 2FA for everybody?”… after looking superficially into the links, I get the impression “being able to say we don’t force 2FA on everybody” might be one of the goals (besides “more security for those adventurous folks without 2FA”)… :thinking:

Haha, my memory is definitely not working as well as it used to! :sob:

To be fair, I believe that was just when I first started using Bitwarden, and was still learning the lay of the land.

Thank you for the links.