Disable new Device Login

Thank you for merging the post

Yep what you are describing does not apply to my “methods”. I totally control any and ALL IP’s presented to BW every single time I connect. Using a privacy activist VPN does not mean your IP’s will rotate unless you want them to. I do the exact same thing with my Bank because as I travel around the globe they tend to shut my account down for security reasons unless I do. By always connecting with the exact same IP (via extremely encrypted channel tunnel) they never know when I am traveling or even where I truly am so my online account doesn’t get flagged as an issue in process. In addition to the “static IP” appearance I also use U2F to sign in at the bank.

U2F is the best and I use it here at BW. The addition of an IP authentication would just be one extra step, which for me is easy. BW doesn’t seem to get nervous when my IP’s rotate, likely because I can only log in via U2F. My bank is crazy when I log in from around the globe. I know they think they are keeping me safe but its a pain in the butt, and nobody is going to get past a U2F login anyway.

Ablac, thank you for sharing your thoughts. I figured I was the lone ranger here. I am used to it since most software paradigms conform to the general user.

The target audience of a bank is more lay when it comes to security. If an account is secured by all U2F, I see no reason to ever prevent logins because U2F is pretty much bullet proof, short of finding a bug to bypass it.

One issue that I do see with BW and just tested, is someone can test a password against your account without ever having the 2FA. I tried logging in via incognito mode and got a login error without ever getting first prompted for 2FA. Personally, I think they should not give any feedback about your password’s correctness without also entering in the 2FA and passing the 2FA.

Yeah, they can’t get into my account without 2FA, but they can still attempt to figure out my password. I am not worried about my password, but say they get a leak of BW user emails and attempt common passwords against all of the accounts. I’m sure they’ll find at least one account. Then they can focus on those few.

That is a great observation. Depending upon the software edits required, if it can be done dependably, I would love to see a “present your U2F credential” and then you would see the password prompt.

Another – maybe easier to code – method would be to present the password and the U2F credential to the server at the same time. They both would have to PASS or you would get nothing. That way even IF someone entered my correct password without my U2F they would see nothing. That also means that a hacker would not see they hit my password (no visible confirmation) correctly so they couldn’t continue penetration research beyond that. I suspect this approach would be easier to code then U2F first. BW Mgmt??

Further if this was the generic access method a hacker would never know which users here have U2F enabled.

@OpSec Every time I sign in to my Google Account from my PC. Google ask me if I am trying to sign in to my account on my phone. When I press yes, I have to choose and verify the two digit code displayed on my PC.

Wouldn’t this be a more convenient process for Bitwarden?

Authy was taken as an example, so I feel compelled to ask that if this feature is implemented, please please pretty please use clear language to name it. On my Android phone the setting in Authy is called “Allow multi-device”. If I’ve not messed with it in a long time, I have to relearn that it really means “don’t allow access from new devices”. The Authy desktop app does it better. The setting is called “Multi-device”, which is not great, but has the text under it “Enable/disable new installs”. Seems to me just calling the setting “Allow new devices” would be clearer.

That’s a very good point :slight_smile: I also get confused about the toggle in Authy sometimes, not 100% sure if it’s enabled or disabled due to the wording.

The thing I like about the way Authy does it makes it clear to me. Next to the “Allow multi-device” is the slider to enable and disable. The slider being faded out instead of “lit” makes it simple for me. Almost instinctively I know that a “bright/lit” button means its ON. I am a simple man, LOL!

1 Like

I am new to Bitwarden, in fact still comparing different tools, and one thing I was looking for seems discussed here, that is be able to see and control the devices that connect, and thus be able to revoke or block one if needed. It is something that exists in other products and that I find quite useful and also reassuring to be able to see and manage this, instead of only relying on received email notifications to know what new devices joined, and if unsure, having to revoke all sessions.
The discussion here ended last July, and it seems to have drifted towards 2FA… but still, the original expressed concern reaches what I was looking for, more visibility and control on authorized devices.

Hello, I’ve switched over from lastpass and quite liking bitwarden so far, in fact I liked it enough to switch over my mother too. Now this issue came to light because someone managed to guess her lastpass master password and was trying to login with it from an unauthorised device, luckily lastpass was blocking the login attempt but still emailing my mother, so we knew her password had been compromised.

Now that I have moved my mother over to bitwarden she asked me if it would do the same thing, I just assumed it did, but now I have read this post I find this feature seems to be missing. It seems quite important to have the ability to block unknown devices, so is this something that will be coming in a future release, it is the only feature we seem to be missing?

I can’t set her up with 2FA because she’s in her 70’s and gets confused enough about technology as it is. The old saying “keep it simple” applies here. Just block logins from unknown devices and send an email like lastpass does. If it is a new device then the email will include a link to allow it to be added - I know this isn’t a perfect solution because the attacker might have control of the email account, but there will also be a lot of cases where they won’t have that control, so you will still eliminate a higher proportion of attacks than presently, which does not stop an attacker logging in at all.

:exploding_head: I haven’t been logged in in such a long time!

But I would recommend setting the master pass for her as something that you remember, or even something that’s saved within your Vault, and enabling TouchID/FaceID or Fingerprint unlock for her phone, and her computers/other devices enable a pin code unlock. Also enable 2FA so she can’t add other devices without contacting you first.

This is what I did with my mom, cause what I found is the less she knows the safer she is, and I’d rather have her frustrated on a rare occasion that I have to sit and talk her through it over the phone, then getting hacked.

The way you have it now, she could fall prone to a Phishing email and get all her accounts compromised.