I have recently retired and my work email no longer exists. I cannot find my original verification code. I can access my Bitwarden as reference on the app but I cannot log into the online account. So because of that, I cannot log in to change the email address. Can someone please advise me as to what to do about this.
You will need to contact Bitwarden customer support so that you can access the web app and change your account email. Alternately, you can sign up for a new account (with an email address you can access), export your old account data from the app where you are logged in, and import it to the new account.
First I learned that Bitwarden is willing to disable a customer security feature if a customer loses access to their email. Now we have an offer from a Bitwarden employee on a public forum offering to change the email for someone.
This has me wondering if I made a mistake purchasing 2 Bitwarden accounts.
Does Bitwarden have very clear policy documentation governing under what circumstances it will override customer account protections? If so, is it published? How can I as a customer ensure that under NO circumstances BW support disables my email address or 2FA, regardless of who calls you and what story they may have or information they may have? I need some solid guarantees.
My translation: “When you contact Bitwarden customer support then they can temporarily deactivate the new device login protection. Then you can access the web app and then you can change your Bitwarden account email address. Because that’s only possible in the web vault, you need to be able to login to the web vault first.”
As a fellow customer/user I can only say that there is not a single record of that ever happening for 2FA.
Perhaps you have a different perspective on this as a brand new Bitwarden user, but those of us who have been using Bitwarden for a while are aware that the “New Device Login Protection” (NDLP) feature is a brand new addition to Bitwarden’s security arsenal, and that it mainly serves to provide a band-aid solution for ensuring some minimum level of protection for those users who have neglected to enable Two-Step Login.
IMO, the standard to which the NDLP feature should be held is that it is “better than nothing” — i.e., for users who have failed to properly secure their accounts using Two-Step Login, the NDLP feature will offer some last line of defense, which will succeed at thwarting some attacks, but not others. Any user who takes the security of their Bitwarden vault seriously should secure their account using a strong, randomized master password, complemented by an active Two-Step Login mechanism. For these users, the NDLP feature is irrelevant, because it is never invoked (and thus, temporary suspension of the NDLP by Bitwarden staff is a moot issue).
I concur with @Nail1684. The original discussion surrounds NDLP, not 2SA. And changing the email was an offer of assistance/advice, not an administrative override.
Self host. Then Bitwarden would have no ability to do anything to your vault, even if they were to suddenly disappear off the face of the earth.
Regarding the email address itself, the security whitepaper states that the email address is one of the inputs to the encryption algorithm. So changing the email requires first decrypting then re-encrypting the vault (specifically, the protected symmetric key). If Bitwarden were able to do this (hint: they can’t), changing the email would be the least of one’s concerns.
Bitwarden disclaims all warranties. Please let us all know if you find a competitor that has a decent warranty (e.g. more than the subscription cost).
I have updated my original message to be more clear. As @Nail1684 guessed, I was suggesting that with help from Bitwarden customer support, a user in this position would be able to access the web app and change their email themselves. Bitwarden customer support cannot and will not change your account email.
@grb Thank you for your insight and knowledge with helping me understand the policy.
I slightly disagree with you on one point. I don't feel "better than nothing" should be anywhere in the vocabulary of Bitwarden. There is a trend taking place across many industries, requiring 2FA be used. Security providers like Bitwarden should be at the forefront of that trend, not lagging behind. NDLP with a simple request to turn it off is not a valid replacement, IMO. I would have greater trust if they had instead taken the policy of moving everyone to 2FA, no exceptions. That along with a clear policy of no reset or deactivation of that login factor. It could have been accomplished in a manner that provided plenty of notification, along with x number of grace logins.
@DenBesten I worded my comment incorrectly. I should have used the word assurances (with respect to disabling 2FA). The info was provided by Nail that I had overlooked. I overreacted when I saw this thread. It’s important that I have trust in operational policies. I already have trust in the product.
@Micah_Edelblut Thank you for your followup. I now realize that it would not be possible for anyone but the key holder to change the email address as it’s part of the key.
This would cause a large number of existing users to lose access to their vaults. Look no further than the various examples of users unable to receive their NDLP verification codes. If the lost NDLP codes had instead been OTPs for an enforced two-step login, then those users would have no mechanism of accessing their vault data (since Bitwarden cannot bypass a user’s 2FA).
Personally, I see the NDLP feature as a first step towards enforcing 2FA in the future. It is basically an added inconvenience that serves to push users towards enabling two-step login (to avoid having to deal with NDLP). Perhaps once a sufficient number of users have enabled two-step login, it will be easier to make a stricter policy.
Regardless, it is evident from user feedback during the NDLP roll-out that a fair number of users prefer to assume responsibility for their own security, and bristle at being forced to take X or Y precaution based on inflexible policies or requirements imposed by Bitwarden. Thus, whatever the future may bring as far as 2FA enforcement, I believe (and certainly hope) that opt-out mechanisms will be made available.
While you may feel strongly about requiring 2FA, other users feel equally strongly about not being forced to use 2FA. Those users would question why your preferences should apply to them. Two-step login is available for you to use — so go ahead and use it.