Emergency Access Login?

Hello,

I’ve read the Emergency Access documentation page carefully. However, there is one point that is not covered.

If my emergency contact requests full access (and I still have access to my mailbox), if I decide to accept, I assume I am redirected to a link. Do I need to log in to Bitwarden to accept? Or is clicking on the link enough to unlock access to the emergency contact?

This is in a scenario where I’m unable to remember the master password. I know it’s no substitute for an effective backup strategy and giving the information to my trusted contacts but it would allow me to adapt my threat model if I knew the information.

Thank you!

When you set up Emergency Access, you specify a delay period. After the delay period has expired, the Emergency Access grantee will be able to take over your vault (or view its contents, depending on what configuration you’ve chosen), even if you do nothing (e.g., if you have forgotten your master password, or if you are incapacitated).

I assume that any email notification would contain a link that takes you to the Web Vault, but requires you to log in (if you wish to reject the emergency access request, or approve it prior to the expiration of the delay period).

There is no link in the notification email that your emergency contact has requested to take over your account:

You have to log in to the web vault to approve or deny the request before it is automatically approved.

A link to approve the request without logging in, I think, would be a security risk. To take over your vault, an attacker would need only to take over your emergency contact’s Bitwarden account and intercept your notification email.

A link to reject the request without logging in is another thing. I think it could be useful in some cases (e.g., you are traveling with only your phone and you are not able to access your web vault from it).
