Would be nice to have email verification by code added to Send feature, similar to 1Password where you can specify the email address of the recipient so they have to enter the same email address & verify by code sent to email.
@khadanja Hi!
You mean the send feature in Bitwarden’s password manager, right?
Yes that’s what I meant
Okay, then I just changed the tags accordingly.
@khadanja, does this not merely add entry of e-mail, nothing else? Bitwarden already allows you to include a password which must be entered, if you wish. Is a “code” usefully different?
In practical terms, the recipient has the link because they have their e-mail in which they received it. If someone else gets the link it would be from the same e-mail (it is not otherwise exposed), so they have the e-mail as well. I am not quite sure what entering the same e-mail adds?
I think it adds another layer of protection like a 2FA to retrieve the password. Doesn’t it? I just noticed this when someone sent me a 1Password link & it asked for email which was my email they entered when creating & code was sent to email which unlocks the password.
Yes, I am trying to establish what is different.
Bitwarden Send
1Password secure share
Reading the 1Password site, it not being a product I have used, it appears to allow you to nominate certain e-mails which may access the item. However, it does not appear to allow any additional security. If you were to notify recipients by e-mail (easiest, given it contains a complex link) then someone who sees or intercepts it immediately knows the correct e-mail to enter.
In contrast, Bitwarden allows the option of a password which can be communicated by another channel, for example a text message or phone call or even a letter. This is more secure; you have 2FA by different channels. 1Password seems to have a “2FA lite”.
Where you do not set a password to access a Bitwarden Send item then the position is fundamentally the same as for 1Password in that an attacker will not have the link without intercepting or observing the e-mail, so they have that as well; practical security is no different there.
Further, Bitwarden allows limiting to a fixed number of retrievals. I do not see that option on the 1Password screen.
There are many people here who have used 1Password. If there is more to it than I have observed on the web page on the subject, please enlighten us.
1Password also lets you send the link by email, text or other means. So, link gets sent by let’s say Teams, recipient clicks on it & enters their email, gets code by email & sees the password.How can Bitwarden send by phone call? It’s not a big deal but would be nice to have in my opinion. All good, thanks for your replies.
Also, if authelia is being used to secure Bitwarden Send feature can’t be used, some more details here by someone else & the developer of authelia has replied too. Any idea how to get around it while keeping Bitwarden protected by authelia
As does Bitwarden, in the same way. There is a checkbox at the bottom of the Bitwarden Send pane which copies the link, to send by any means into which you can paste it or where you can make a copy. I did not see that 1Password would make a phone call for you (nor will Bitwarden) so I presume you are talking about pasting the link into a text message or anywhere else.
The linked conversation concerns vaultwarden. That is not Bitwarden software, so support questions for it should be asked on github.
I know this function. I have previously used 1Password myself. I also miss this function in Bitwarden.
When you share an entry in 1Password, you can add an email verification so that only the person who has access to this email address can open and view the entry.
As with Bitwarden, the link generated when sharing is sent to the recipient (e.g. by email or Messenger). It is therefore not automatically sent to this e-mail address, but the e-mail address is only saved for verification purposes.
The recipient opens the page with the transmitted link and must enter their e-mail address there. A confirmation link is only sent to this e-mail address if the correct e-mail address has been entered. The confirmation link can then be used to open and view the sent entry.
If an incorrect e-mail address is entered, nothing happens.
I find this security function very secure. As any unauthorized third party is not able to access the secretly transmitted data. For one thing, they will probably not know the correct recipient’s e-mail address and, even if they do, will not have access to the recipient’s mailbox to retrieve the link for accessing the secret content.