Some time ago I checked how emergency access works. It looks like after a request from a trusted person to get access, an email is sent to the owner of the Bitwarden account saying that access is requested. The request can be rejected if it is not authorized and a fake one, OR after a defined time (for example 24h) of no action the request of the trusted person is granted. However, (at least) in my case I sometimes do not check my email box for several days. That means that, if not rejected, the unauthorized request will be accepted. Also I can miss the email if I have plenty of them in my email box.
What I want to suggest to the Bitwarden team is that besides the email it would be good to have an immediate notification on the phone. This is how it works in LastPass, and I think it is way more secure and convenient.
What do you think?
You could set up a filter in your email to forward emails that come from Bitwarden with the Emergency Access subject line (I’m not sure what that is exactly but you can test it to see) to your phone via SMS. Every carrier has an email-to-SMS gateway, as you can see here: https://aruljohn.com/blog/sms/. That way you’ll get a text message when someone requests access. In fact, even though I do check my email often, I think I’ll do this myself later today.
@btcaddicted Welcome to the forum!
You should set the Emergency Access Wait Time to be sufficiently long that you are assured to check your email before the end of the Wait Time interval (in your case, maybe 1 week).
In addition to the excellent suggestion by @JeremyCouch, you should be able to configure some filter in your email client to perform other actions that will get your immediate attention if you receive an emergency access request email (e.g., play a sound and/or display an alert on your desktop).
I think it is a good idea.
I am surprised it doesn’t work that way already but I just tried it and it doesn’t.
That’s a great idea in my opinion.
Maybe we can implement it like the “Approve login request” button on mobile? We click on the notification, log ourselves in if we’re not already, and then approve or deny the request?
Not sure this button exists on the computer application though.
Also we have to think about how to implement this feature for enterprises, since the “login with device” feature is not available for them.
Thank you for the replies.
Jeremy, this is a partial or semi-solution. The best way imo is to have the functionality I described. The app alarms you then and you can immediately act from the phone. I would add that this should alarm automatically and whenever I open the app myself.
Grb, setting 7 days is fine, but not everybody wants to have such a long time set, coz if I lose my password, for many 7 days without passwords might be a real problem, even a disaster.
NovaliX, there are different scenarios to consider, like we do not remember the password but we are logged in, or we are logged out. It needs to be checked bc I am not sure how everything works. But for sure we should have the possibility to deny an emergency request, which should pop up on the phone even if we are not in the app, and should pop up when we enter the app and should demand that we take action before we can get access to our passwords. Let's talk about it, but I am happy that you like the idea. I also do not know how the enterprise version works so we need assistance.
Anyway, what I like in Bitwarden in comparison to LastPass is that in Bitwarden you can define that you are gonna give full access to your account, so your friend changes the password and gives it to you and you change it for yours, BUT you also have the possibility to give read-only mode. In LastPass it was only read-only, so when you gave access you needed to make a new account, which does not make sense to me.