Would it then be possible to use both options simultaneously? So give someone “read only access” permanently and give this same person, via the Emergency Access function, the option to request a “password reset” and take over control of the account after the time-out period?
I am not sure if I see a specific use case for the emergency “account takeover”/“password reset”. I think “read only” emergency access pretty much covers any scenario that I can think of (and is strictly preferable over “account takeover” in any of these scenarios).
Great question… I know I didn’t really put together an exhaustive list of scenarios or use cases; however, “password reset” is the key phrase there when we talk about emergency access and account takeover. Another user story may be:
As a Bitwarden user who really enjoys having access to my vault but who occasionally has a bad habit of forgetting my master password, I should be able to add myself with an alternate email address, my spouse or a trusted friend/relative as an emergency contact so that I can request assistance to reset my own password in the event I have forgotten it.
Yes, for example you could give someone emergency access with a type of read-only with a 1 week waiting period, and then again that same person with a type of account takeover with a waiting period of 30 days, etc.
No, the link is just a generic link to take that person to the impacted web vault, where they would log in with their own account (necessary for decryption to work). There’s no key, nonce or any other identifying information in the link in the email itself; it’s just a notice that access has been granted, etc.
What if Bob uses an authenticator app or a Yubikey? Will 2FA automatically turn off, once Jill receives the email?
Great question! Yes, 2FA will automatically be disabled/turned off, though not when the email is sent/received, but rather once the password reset/takeover is successful.
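The two answers above describe a flow with a per-grant waiting period (read-only after one week, takeover after 30 days, both to the same person) and 2FA being cleared only when the takeover actually succeeds. The following is an added example that models that flow; it is not Bitwarden's code, and every name in it (AccessType, Status, Account, EmergencyGrant, takeover, run_scenario) and the Bob/Jill timeline are assumptions constructed for illustration.

```python
"""Time-delayed emergency-access flow (added illustration, not Bitwarden code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class AccessType(Enum):
    READ_ONLY = "read_only"        # grantee may only view the vault
    TAKEOVER = "account_takeover"  # grantee may reset the master password


class Status(Enum):
    CONFIRMED = "confirmed"                    # grant exists, nothing requested
    RECOVERY_INITIATED = "recovery_initiated"  # waiting period is running
    RECOVERY_APPROVED = "recovery_approved"    # grantee may now act


@dataclass
class Account:
    email: str
    master_password: str
    two_factor_enabled: bool = False


@dataclass
class EmergencyGrant:
    """One grant from grantor to grantee; a grantor may hold several per grantee."""
    grantor: Account
    grantee: Account
    access_type: AccessType
    wait_days: int
    status: Status = Status.CONFIRMED
    requested_at: Optional[datetime] = None

    def request(self, now: datetime) -> None:
        """Grantee asks for access; the grantor is notified and the clock starts."""
        if self.status is not Status.CONFIRMED:
            raise ValueError("a request is already pending or approved")
        self.status = Status.RECOVERY_INITIATED
        self.requested_at = now

    def reject(self) -> None:
        """Grantor declines during the waiting period; the grant itself survives."""
        if self.status is not Status.RECOVERY_INITIATED:
            raise ValueError("nothing to reject")
        self.status = Status.CONFIRMED
        self.requested_at = None

    def auto_approve_if_due(self, now: datetime) -> bool:
        """Periodic job: approve once the waiting period has elapsed unanswered."""
        if self.status is Status.RECOVERY_INITIATED and self.requested_at is not None:
            if now >= self.requested_at + timedelta(days=self.wait_days):
                self.status = Status.RECOVERY_APPROVED
                return True
        return False


def takeover(grant: EmergencyGrant, new_password: str) -> Account:
    """Reset the grantor's master password; 2FA is cleared only at this point."""
    if grant.access_type is not AccessType.TAKEOVER:
        raise PermissionError("a read-only grant cannot reset the password")
    if grant.status is not Status.RECOVERY_APPROVED:
        raise PermissionError("waiting period not elapsed, or request was rejected")
    account = grant.grantor
    account.master_password = new_password
    account.two_factor_enabled = False  # not at request time, only on success
    return account


def run_scenario() -> dict:
    """Bob (2FA on) grants Jill read-only after 7 days and takeover after 30."""
    bob = Account("bob@example.com", "bobs-old-master-pw", two_factor_enabled=True)
    jill = Account("jill@example.com", "jills-master-pw")
    read_only = EmergencyGrant(bob, jill, AccessType.READ_ONLY, wait_days=7)
    full = EmergencyGrant(bob, jill, AccessType.TAKEOVER, wait_days=30)

    t0 = datetime(2020, 11, 25)  # constructed timeline, not real data
    read_only.request(t0)
    full.request(t0)

    day7 = t0 + timedelta(days=7)
    read_only.auto_approve_if_due(day7)
    full.auto_approve_if_due(day7)
    day7_state = (read_only.status, full.status, bob.two_factor_enabled)

    early_takeover_refused = False
    try:
        takeover(full, "jills-chosen-new-pw")  # too early: still waiting
    except PermissionError:
        early_takeover_refused = True

    full.auto_approve_if_due(t0 + timedelta(days=30))
    takeover(full, "jills-chosen-new-pw")
    return {
        "day7": day7_state,
        "early_takeover_refused": early_takeover_refused,
        "final_password": bob.master_password,
        "two_factor_after_takeover": bob.two_factor_enabled,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that nothing in the model gives the grantee any secret at request time: approval only flips a server-side status, which is consistent with the notification link carrying no key. In the real feature the grantee decrypts with their own account, which this model does not attempt to reproduce.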
Bob and Jill are what I think of when it comes to this feature.
The Susan and Brenda story doesn’t sound like an emergency but instead poor planning. If it came down to it Susan can pay Brenda back for the cat food. I really doubt that the average user will have the foresight to log in to their Bitwarden account and grant access to someone for this or similar situation. If it was me in this situation I would just create a new organization and share the password that way or leave $20 on the counter.
All I need is a way to give access to my vault to someone if I die or get locked out. A time-delay with warning emails is a must. The extras like read-only, delete certain things, and such are nice but not a need right now.
The most important feature of emergency access should be simplicity. If someone has activated emergency access they are more than likely not clear in thought and most often panicking.
I think it would be nice if the application/extension also prompted for a response each time you log in / unlock until a decision has been selected. That way email isn’t the only notification.
The “Pick and choose what items or folders get emergency access granted” option is needed. I would like to be able to select folders/items to grant access on one time frame (days) and others (including all) on another time frame (months) to represent shorter needs (hospital) vs. total access (death).
It is currently Out of Scope. Maybe it will be added in the future.
I’ve been waiting to fully switch to BW premium for this exact feature and so good to see it’s on the road map and hope to see it being implemented soon!
FYI, the feature as described is code-complete and will be going through PR review(s)/revisions shortly. After that we’ll have some bake-in and testing before it’s released, but it is still on the radar for this year.
Great to hear😀
Will there be some sort of beta test program for users? Or will the feature be tested internally?
It might seem like counting chickens before they hatch, but will it be a premium feature or a free feature?
It will be tested internally; we don’t have and likely won’t be setting up a BETA/public testing environment, and since this functionality will be purely server + web vault, the closest you could get to a preview is pulling down the web repos once the code is merged and running locally via docker-compose, etc.
Not sure yet tbh and we’re in a “light” decision week with the holiday so I’m sure I won’t have any further updates this week.
If you do make it a premium feature, which is fair if you ask me, I would ask you to make it premium to make changes to emergency access.
It would suck to have this feature but lose it when you need it most because your premium expired due to unforeseen circumstances. To add or update emergency access should be behind the paywall but to activate and use it should not be.
Happy Thanksgiving! Save some turkey and mashed potatoes for us as well. Just kidding.
I think the premium members will find Emergency Access really useful, as most of them store their medical bills, receipts and other sensitive documents in the encrypted storage. Not only that, there are also users who use Bitwarden for generating TOTP codes. Let’s assume the granter is a free user, and if he/she were to give emergency access to their Google Account or some other account, the grantee will also need the TOTP code for the particular login, which is in Authy or any other authenticator app. The grantee may need the granter’s phone number and the verification code to log in to Authy. It just becomes complicated and inconvenient. Premium members will find emergency access more convenient to use if they store TOTP codes in Bitwarden itself.
I prefer to give my phone to my trusted friend (if it is possible) to make things easier.
Happy Thanksgiving! This is the single missing feature preventing me from making a full switch to BW. Unfortunately you need to prepare for emergency situations more and more as you get older. For the less tech savvy around you, you also want the process as simple as possible, so the roadmap sounds promising.
I applaud the effort, and I’ll be keeping up with the progress!
I know some people have asked for a multi-role feature. If a person has a BW account, maybe the emergency access could be via one of these roles.
Instead of straight up disabling 2FA, if emergency access is associated with someone else’s account, it could allow that other account’s 2FA as a super-set.
It would be desirable to never drop 2FA if possible.