Emergency Access Paper Key

The Problem:

Emergency access is a must-have feature but it requires the other person to have a Bitwarden account. While we may try to get people to use Bitwarden some people may not use it or use something else.

You also have the problem with people who will get a Bitwarden account but either forget or lose their master password and thus make emergency access impossible.

The solution:

My solution is to have an option for a paper key.

This paper will have instructions and two keys to perform emergency access.

The first key would be the activation key. The activation key would be long and random, like the 2FA recovery code, and once entered at a certain Bitwarden URL will start the timer on the server and alert the owner of the account that emergency access has been activated by paper key. The grantee will also be told how long they would have to wait to come back to enter the next key to get access to the vault.

The second key would be the decryption key. The decryption key can only be entered after the activation key and the time has expired. When the time has expired and the grantee re-enters the activation key to “log-in” they’ll be greeted with a new textbox that allows them to enter the decryption key and either view or take over the account as we have it now with emergency access.

The grantor will get an email notification like they do now and can also remove the paper key at any time like they can now. One great thing to add would be to name the paper keys in your Bitwarden account so you know who activates it and who has a copy.

Example of what the sheet could look like…

This is the emergency access paper to gain control of the Bitwarden password manager account below if the situation arises.

[Name]

[Email]

To activate emergency access please go to the URL bitwarden.com/emergency

Follow the instructions listed on the page and use the information below when told to do so.

Activation Key: LS5A UACA KFSZ C3DY Y5R3 T572 DDWU F92L

Decryption Key: 3JSM 2P9X N7X4 3DHK TT5Y 4PCM RUPZ CKT9 5JEN 9TVK

I made the decryption key longer for more entropy and just in case the grantee enters the wrong key the page can check the key’s length before sending. Another option is to pad the start of the keys with AK or DK and check for that to make sure the grantee is entering the correct key and not just spamming the system. Or do the checksum thing that they do with credit card numbers.