How does 2FA to bitwarden work?

Hi,

I want to understand how bitwarden 2FA works. With only a password I assumed that password decrypts the credentials store or a key to decrypt it.

With 2FA though, how does it fit into the process?

1 Like

Hello @akostadinov - welcome to the community forums!

You are correct about the use of your master password.

Regarding 2FA when logging in to your Bitwarden account, it is only used as another means to verify your identity. If 2FA fails, then the Bitwarden server will not authenticate your login attempt and it will not provide access to your vault. A similar system is also available if you self-host your vault on your own server rather than using Bitwarden’s servers. Cheers!

3 Likes

That’s cool. But then why do the instructions say that the Bitwarden team can’t help you in case you lose your 2FA recovery key? If that is not used for decrypting the store, can’t the Bitwarden team help one retrieve the store even without 2FA, provided other means to verify identity?

Or using emergency access contacts. Or using your own email as emergency access contact. For example request 2FA reset by email/phone and be granted it only after 7 days (or another configurable time interval).

1 Like

That’s a good question, and I think we would need a Bitwarden dev to provide a definitive answer. But my guess is that your 2FA settings are encrypted within your account. Since Bitwarden is a zero-knowledge provider, they can’t just decrypt all your info for you since they don’t ever have access to your decryption keys.

Your suggestion of creating an emergency contact for yourself is a good one, I think - this is my “fallback” in case something happened that locked me out of my BW account. Of course, I also make regular backups of my vault data, I keep a copy of my master password written down in a safe place, and I have my 2FA recovery codes stored securely as well.

Hi @akostadinov, a Recovery Code can take the place of a two-step login method in the event of a lost mobile device etc., but the master password is still required to decrypt your vault. Let me know if that answers your question.

If you enable any Two-step Login methods, it’s important to understand that losing access to your secondary device(s) (e.g. a Mobile device with an installed Authenticator, a Security Key, or a linked Email inbox) has the potential to lock you out of your Bitwarden Vault.

To protect against this, Bitwarden generates a Recovery Code that can be used with your Master Password to disable any enabled Two-step Login methods from outside your Vault.

1 Like
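The split described in the replies above (the master password derives the vault key on the client, 2FA is only a server-side gate in front of the ciphertext, and a recovery code plus the master password disables 2FA) as an added, simplified Python model. This is not Bitwarden’s code: the iteration count, the XOR stand-in cipher, the TOTP secret, the recovery code and the vault contents are all constructed demo values.

```python
import hashlib, hmac, struct

# Constructed demo values; not real Bitwarden parameters, secrets or code.
EMAIL = "user@example.com"
ITERATIONS = 10_000          # kept low for the demo; real clients use far more

def master_key(password: str) -> bytes:
    # Client side: the vault key is derived from the master password, salted with the email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), EMAIL.lower().encode(), ITERATIONS)

def auth_hash(mk: bytes, password: str) -> bytes:
    # Client side: a one-way value sent to the server for login; it cannot be turned back into mk.
    return hashlib.pbkdf2_hmac("sha256", mk, password.encode(), 1)

def totp(secret: bytes, step: int) -> str:
    # RFC 6238 style 6-digit code for a given 30-second time step (step passed in for determinism).
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"

def vault_crypt(key: bytes, data: bytes) -> bytes:
    # Symmetric stand-in for the vault cipher (demo only, not AES): XOR with a key-derived keystream.
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

class Server:
    """Stores only the auth hash, the 2FA secret, the recovery code and the encrypted vault."""
    def __init__(self, stored_hash: bytes, totp_secret: bytes, recovery_code: str, blob: bytes):
        self.h, self.secret, self.recovery, self.blob = stored_hash, totp_secret, recovery_code, blob
        self.twofa_enabled = True

    def login(self, presented_hash: bytes, code: str, step: int):
        if not hmac.compare_digest(self.h, presented_hash):
            return None                                  # wrong master password
        if self.twofa_enabled and not hmac.compare_digest(code, totp(self.secret, step)):
            return None                                  # 2FA failed: ciphertext is not released
        return self.blob                                 # still ciphertext; decryption is client side

    def disable_2fa(self, presented_hash: bytes, recovery_code: str) -> bool:
        # The recovery code plus the master password (via its hash) turns 2FA off from outside the vault.
        if hmac.compare_digest(self.h, presented_hash) and hmac.compare_digest(self.recovery, recovery_code):
            self.twofa_enabled = False
        return not self.twofa_enabled

def open_vault(server: Server, password: str, code: str, step: int):
    # Full client flow: derive the key, authenticate, then decrypt locally.
    mk = master_key(password)
    blob = server.login(auth_hash(mk, password), code, step)
    return None if blob is None else vault_crypt(mk, blob)
```

Note that a correct 2FA code with the wrong master password, or even the raw ciphertext taken from the server, never yields the vault contents; only the key derived from the master password does.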

Hi, sorry, not exactly on the subject, but I just noticed that even though I have a 2FA login method, I can log in using only the master password in the browser extension and the mobile app (you can just have the master password saved in the Chrome browser).

Is there a way to use 2-step login for them as well? I mean it only works on the vault.bitwarden webpage.

Real security issue, or am I missing some point here?

1 Like

Check out our two-step field guide; you are most likely only seeing the two-step prompt on the web vault because you are fully logged out there, rather than being in a ‘locked’ state elsewhere.

You can read more vault timeout options here.

1 Like

It may also be that you enabled the Remember Me option when you first authenticated with your 2FA on the device. The device is remembered for at least 30 days if you do that, during which time you won’t be prompted for 2FA again. But you can always deauthorize your devices if you want to ‘undo’ the Remember Me option on your devices.

3 Likes

@paamies I think 2FA is mainly used to prevent login from an unidentified device, which an attacker might use if he somehow gets to know your master password.
If you don’t enable 2FA, you’ll get an email that a login was detected from a new device/browser. So 2FA comes into the picture to authenticate your identity.

Asking for 2FA on the same device every time isn’t going to be that much of a help, because if an attacker were to get access to your device, then chances are he might also have access to your 2FA generating source, like OTP by phone number or mail, or an authenticator app on the device. :blush::+1:

1 Like

I think you hit the problem of 2FA squarely on the head.
It has always seemed to me to be an added security measure from the server/programmer point of view, but it certainly reduces the security from the user’s point of view, and even more so for the user on a mobile device. It alerts you that someone has logged in, but it is too late then.
Many years ago I was involved (peripherally) in a “Disaster Plan” response for a phone network; all access would be restricted to Doctors and Police. (Think it through - who actually needs access?)
My bank, for instance, has a “Forgot Password” button and uses 2FA to reset the password. If my phone is stolen/lost, then once the phone is hacked open the operator has full access to my bank account - a password manager with my 27 bit passwords or phrases doesn’t help. (See, the bank knows better, they use 2FA!)
So if we use 2FA for more security, then why use Bitwarden in the first place?
(What do you mean the internet says 2FA is more secure - the internet are just short-sighted idiots who like buzzwords.)
And yes, it’s a bit off topic, but the real answer is to re-frame the question into “Do I need 2FA in the first place, does it give me anything extra?” and if yes, then be concerned with the implementation.

I think everybody tries to cover their back. For a web service it makes a lot of sense to discourage password brute-forcing attempts.

If anybody got to the credentials store, that probably means they had access to one of the devices used to open it and very likely can log keystrokes from the user to get the unlock password. That’s what I can imagine.

Also, a perhaps surprisingly large number of users still use funny-weak passwords or allow their passwords to be known by other people. I don’t want to bother with 2FA for Bitwarden, but I use it for other services and record it in Bitwarden.

My issue is that company requires me to use 2FA for bitwarden :slight_smile: