Disable new Device Login

I love this feature on Authy. BW could be the same where ANY authorized device could extend trust, but others can’t authenticate even with the correct credentials.

Good idea!!

1 Like

That is true, kinda like how Google Authentication works with google accounts, when trying to login it prompts on a device that’s designated as an Authorized Device to approve logins, and once you select approve, it allows for that new device to login. :face_with_monocle:

The thing to be careful about here is that when you clear your browser/app storage, it appears as a new device.


@tgreer which is where my other suggestion for paring the desktop app to the browser app comes in, because that would prevent the browser app from losing the login data.

As with Authy you would be able to disable this in any of the authorized accounts, so if for any reason one of them go disconnected you would still be able to disable this setting and re-enable it once logged back in.

This is nice, but Authy has a recovery process which I don’t think Bitwarden has.

Because, in case you lost all your loged devices, if multi-device is off there is no way to access your account anymore.

I believe that BitWarden can implement a recovery method quite easily, using another suggestion I made actually, all of my suggestions link up, and make each other more possible.

Because having multiple forms of 2FA, even if it’s just to disable the Multi-Device setting would make for much better security overall.

This could also be accomplished by always allowing the Web Based Vault to be opened.

If the recovery process include email (like Authy), if you use Bitwarden to access your e-mail, then you’re in real trouble.

A lot of people have installed Bitwarden on the same devices they are logged in to their mail account. It means that if they lost access to Bitwarden, they also lost access to email. Authy has not this problem since there is recovery codes for 2FA.

If Bitwarden would use such a recovery process, there should be a huge warning telling you to not use Bitwarden for your main email account.

I understand what your saying here, but chances are people who enable this setting will have some way of getting access to something that would allow them to recover there account. For Example, I’m logged into BitWarden on 3 devices and my emails are all saved on multiple devices, and I also use Authy. The chances of me being locked out of my BitWarden on all Devices, my Email on all devices, and my Authy at the same time would be extremely rare, and if that happened you would be locked out of your BitWarden anyways, even without this feature.

Things can go pretty fast. You travel and get robbed, your house is « visited » at night. I still believe a big warning sign should be used. Plus the clear indication that a recovery process takes time and you won’t be able to access your accounts for 1 or 2 days.

This even if I’m not concerned. There is some account I wouldn’t recommend to use a password manager with (and I don’t). At least 2 ; the main e-mail account and the bank account. It’s 3 password to remember. I believe people can do that.

I would still prefer a thing like Telegram does. With a notification system that tells you everytime there is a new login on your account (by mail and push notification on phone / tablet) plus a security where a new logged device can’t change password and can’t disconnect other device for some times (2h, 1 day…).

Both systems have avantages and disadvantages, and I would like to see both of them implemented in Bitwarden.

As a fail safe you could have recovery questions? I highly doubt that somebody would get locked out in the way your describing.

I think that using 2FA has the same effect…

@Franky_FFV the concern that @TiTwo102 raised was that if you got locked out of absolutely everything that you store in BitWarden how would one recover there account.

I think that store mail account in vault is a bad option.

The suggestion has nothing involving storing email accounts, it’s just to prevent the login on new devices. Unless you toggle a setting to allow new device login.

It would be great if there is a feature to set a limit to the number of devices logged into the account. Device limit would make the account more secure and prevent unauthorised devices from trying to login to the account.

@vachan - I moved your request here, as it seems it would be a good fit/configuration for device provisioning/limitations.

I see that point. I have had an issue or two with Authy on “flushed” browsers, which all mine do when I close the session. I had to grab my Android and allow new devices in the settings for Authy, then turn it back off. Not tough just a hassle, so I get it.

As a more technical person; what about authorized IP’s (2-5 on a list) for an account? NOT requiring this option just making it available for those that know how to make their IP the exact same from anywhere in the world. I may be the lone ranger here but I would activate that feature in a blink.

3 major problems with using IP’s.

  1. Very few people have static IP’s and your ISP will usually change your IP randomly without any warning, so you would potentially lose access to your account.

  2. Anyone who uses a VPN wouldn’t be able to use this feature, as the VPN will change your IP every time you connect, thus the purpose of the feature would be null and void.

  3. wouldn’t be able to use the feature on your phone/cell phone as your Cellular provider doesn’t issue your phone an IP but the tower it’s connected to do, so every time you change towers the IP address would change, and just walking a few city blocks you will change towers 3-5 times with the advent of 5G.

But I guess you could use a proxy to a Static IP, and just proxy though that device, but that would be very insecure, cause now you would be transmitting unencrypted data through the internet, unless you had an encrypted proxy line, but that’s a lot of work, and ya your prob a Lone Ranger on that haha

This feature is really just an alternative 2FA pattern. You can only add a new device if an existing device allows it. Yep 2FA.

I can understand how someone may like this alternative, but I think from a UX standpoint, it’s really just the same as sending a prompt to an authorized device asking if you’re trying to login. Because in the end, that’s exactly what’s going on.

Personally, with U2F around the corner, if it’s webuathn+pin, that is pretty much the best you can get. I would trust my yubikey more than any computing device that can have malware installed.

I will agree that it is nice for people to have viable options. I would say that when a new device wants to authorize and existing devices are connected, then possibly the option of requiring the masterpass or pin.

The real question is how the situation of all devices being inaccessible. Possibly a configurable idle timeout where if no already authorized devices respond to an authorization request, the new device is allowed. But of course, if the real user still has access to their device, they can reject the request. You’ll want some sort of rate-limiting so a user doesn’t get spammed by requests if under attack. Maybe an option to block all requests for X amount of time.

Also, since this really is just yet another form of 2FA, that it should be treated just like 2FA. Maybe even the option of configuring which devices can act as 2FA. For example, maybe I don’t want my work computer to function as a 2FA device, but my cellphone can. Less of a “disable new devices” and more of “notification 2FA”. It really is the same thing. A rose by any other name and all that.

1 Like

Thank you for merging the post