Fault Tolerance Security for 2FA and 3FA Master Password Reset

Thank you for your post!

You’re welcome, got it, and completed.

Feature name

  • Fault Tolerance for MFA Master Password Reset

Feature function

  • Allows users to reset their master password via e-mail, SMS phone number, crypto key (YubiKey, Google key, etc.) and a preset software authenticator (Authy, OTH, etc.)

  • 2FA: Reset must include 2 different means. For example: e-mail + SMS phone

  • 3FA: Reset must include 3 different means. For example: e-mail + YubiKey + SMS phone.

  • User may store multiple e-mails, phones, keys, authenticators as options.

  • User discretion as to which

  • This approach makes it exceedingly difficult for hackers to break in while making it exceedingly easy for users to reset lost or forgotten Master Passwords.

  • User-initiated 24-hour HOLD function (enabled or disabled at the user’s discretion) using 1 less level. For example, if they chose 2FA, they can temporarily lock their Bitwarden account for password purposes using any single means at their discretion. If they chose 3FA, however, they will need to confirm via two means before Bitwarden locks their account.

  • When requesting lockout, the user’s e-mail address is protected by displaying only the last three characters before their domain name, or the last 2 digits of their phone number. Similar min-display security masks will be used for crypto keys and authenticators.

Related topics + references

  • No known related topics appeared in multiple searches.
  • This approach is used by some banks and financial institutions to maintain high security while reducing the need for customer service calls and all but eliminating user headaches.
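As an added example (not code from the request or from Bitwarden), the reset/hold policy and display masks described above, written as a small policy check; the factor categories, the (category, identifier) confirmation tuples and the sample values are assumptions constructed here:

```python
from enum import Enum


class Factor(Enum):
    """Factor categories named in the request (constructed enum, not a Bitwarden API)."""
    EMAIL = "email"
    SMS = "sms"
    HARDWARE_KEY = "hardware_key"   # YubiKey, Google key, ...
    AUTHENTICATOR = "authenticator" # Authy and similar


def distinct_factor_count(confirmations):
    """Count distinct *categories* among confirmed factors.

    confirmations is a list of (Factor, identifier) tuples. Two confirmed
    e-mail addresses still count as one means, so a reset cannot be
    satisfied by several options of the same kind.
    """
    return len({category for category, _ in confirmations})


def reset_allowed(level, confirmations):
    """level is 2 (2FA) or 3 (3FA): a reset needs that many different means."""
    return distinct_factor_count(confirmations) >= level


def hold_allowed(level, confirmations):
    """The 24-hour HOLD uses one less level than the reset (2FA -> 1, 3FA -> 2)."""
    return distinct_factor_count(confirmations) >= level - 1


def mask_email(address):
    """Show only the last three characters before the '@'; the domain is kept
    visible here (assumption: the request only masks the local part)."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")
    hidden = max(len(local) - 3, 0)
    return "*" * hidden + local[-3:] + "@" + domain


def mask_phone(number):
    """Show only the last two digits; formatting characters are dropped."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 3:
        raise ValueError("not a phone number")
    return "*" * (len(digits) - 2) + digits[-2:]
```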

This. There really hasn’t been much effort put into these very real risks that users have no alternative but to put up with: the risk of account/vault takeovers, ransom, or lockout (denial of service/availability) from everything stored in their vaults.

More thought needs to go into smoothing out the process of transferring an account/vault when someone passes away as well.

I don’t see how this could be done safely. If your phone is stolen, or you are a victim of a SIM swap or SS7 attack, then if the email account password can be reset by SMS (which is not uncommon), the attacker would now be able to take over your vault by resetting the Master Password.