Requesting the ability to test an emergency access workflow and reset back to normal without having to delete everything and set it up again.
Hello @user1232 and welcome to the community.
One of the main reasons for choosing Bitwarden was the ability to set up emergency contacts. You are right, I never tested this and therefore I am not sure what the overall workflow will look like.
Because of this you got the first vote for this feature request from me.
Can you clarify this ask a bit for me? What part of the emergency access flow are you unable to test in ‘live mode’ that makes you feel that the feature needs some way of being tested?
My current configuration states that my wife would be able to take over my account after a certain number of days. Right now I am unable to view or modify that duration but that is another topic.
Let’s say we perform a test of this function. Will I be able to log in to my vault after the takeover? Is there a way to revert it? What about other emergency contacts who only have “view” permissions?
If you perform an account takeover, the flow requires the grantee to set a new master password for the account. Given this, if your wife did not tell you this new password then, no, you wouldn’t be able to log into your account following the takeover. But the account itself continues pretty much unchanged except it has a new password.
It seems my understanding of a “takeover” was quite different, but just resetting the vault credentials makes sense.
However, I am wondering what happens to any configured 2FA methods. Are those deleted? Is NDLP disabled or does my wife need access to my e-mail?
Additionally, are any other settings reset upon takeover? What about the (other) emergency contacts?
Hello,
My example would be for view only mode but it should be available in takeover mode as well:
We usually do estate testing once a year. This would involve knowing where all important documents are, updating documentation if necessary and, of course, access to digital assets. Bitwarden emergency access is a critical part of that.
When invoking emergency access, the grantee receives the vault (in my case read only), verifies they have the passwords/MFA and proceeds to access the critical assets.
Great, everything works.
Now put everything back the way it was.
When you revoke access you essentially “delete” all associations. So you need to re-establish everything by setting it up again. This involves adding the grantee and going through the email workflow.
Is there a way we could have some kind of testing workflow or mode so you could take the vault back but not remove the relationship of the emergency access workflow?
An additional mode because you would still like to retain the ability to delete a relationship. Perhaps it could also use a different timer because often when you are testing estate plans key participants are basically sitting beside you for the test.
In a scenario where you are just using the View permission rather than the takeover, you can perform the testing you described without any changes to the product.
- Account A sets up an emergency contact (Account B) with the view permission
- Account B requests emergency access
- Account A approves access
- Account B can now view Account A’s vault.
- Account A rejects access (NOT removing the emergency contact)
- Account B can no longer view Account A’s vault, but can still request access.
Great questions!
An emergency access takeover will turn off any configured two-step login methods.
We do currently have a bug in the code that means that for accounts that do not have two-step login enabled, New Device Login Protection will still trigger. Until we get that fixed, your wife could get around this without access to the email account by logging in on a device you previously logged in on.
Other emergency contacts are not removed when an account takeover occurs.
How exactly is this step performed?
And thanks to you for answering them so quickly!
An emergency access takeover will turn off any configured two-step login methods.
“Turn off” as in “disable” or “remove”? How much work is it to restore the previous setup?
Until we get that fixed, your wife could get around this without access to the email account by logging in on a device you previously logged in on.
Such a device may not exist, for example in the horrible event when one person is no longer alive and all mobile devices are destroyed as described in the article What Happens After A Hacker Dies. This is a scenario I would like to cover.
Ah, that is very good to know! Is this already documented anywhere?
Ah, the second tab. Thank you!
The solution would presumably be the same for anybody else who is locked out because of NDLP: contact support and ask for the NDLP requirement to be lifted (at least temporarily — e.g., for 24 hours).
However, I have no idea how much vetting the support team does to ensure that such requests are legitimate, and if the emergency grantee would have problems trying to prove they are authorized to access the account. If the emergency grantee email addresses are stored unencrypted in the server database, that would give the support team a way to verify a request to suspend NDLP.
Thank you for the fast response! I will test that and confirm.
Best Regards
An account takeover removes all 2SV methods for the account being taken over.
The amount of work required to set them all up again.
If the account that was taken over had hardware keys stored in a remote location, this can be quite an inconvenience.
To avoid future problems with this take-over (that would probably coincide with a moment of stress where you do not need additional problems), I would recommend disabling NDLP (and having 2SV enabled, of course) for all the accounts where you are a take-over emergency contact.
Btw, testing all these workflows is quite simple if you own (or admin) a paid organization that has one free seat available:
- Create a new test account,
- Include it in the organization so that it gets access to the premium features,
- Do all the tests you want (or can),
- And finally delete this test account.
