hello, my username/email is *redacted*, and I lost access to the email password - so I am having a hard time logging in. I have reached out to Proton, and I need your help for any options.
@kee Welcome to the forum!
I guess you now get an email verification code sent to your email when you try to log in to your Bitwarden account/vault (and can’t access the email verification code now)? In that case, reach out to Bitwarden customer support.
When you can log in to the Bitwarden web vault (again), then you can change the Bitwarden email to an email address you can access - and/or set up any form of 2FA to avoid getting email verification codes for logging in to Bitwarden.
As for the email address itself - I guess we can’t help much, as this is the Bitwarden Community Forum. Reaching out to Proton seems like a good start (I don’t know if there are any account recovery mechanisms for Proton…).
Try logging into Bitwarden from a client or device that you have used in the past. Those should allow you to log in without device verification.
If you have no such client and can’t read your email, AFAIK, there is no technical workaround to access your Bitwarden vault. You can try contacting Bitwarden support, but AFAIK, there are no reports of users being able to recover their accounts this way. Your situation may not be distinguishable from a hacker being able to grab hold of a BW user’s password but unable to read the user’s device verification email.
If you have Bitwarden’s backup, you should also be able to recover from this.
Though I also have my doubts how this “works” (how you can identify yourself to Bitwarden, obviously without being able to use your Bitwarden email address for that), there still was e.g. this post suggesting customer support could do something regarding login problems due to the “new device verification”.
Let’s wait and see if anybody succeeds.
Heck, you can’t even use IP addresses to identify the user; a malware-infected device can become a proxy.
It may be possible to verify using billing information.
FYI, there is now a report of such a recovery:
https://old.reddit.com/r/Bitwarden/comments/1k8gzy3/cannot_login_to_my_bitwarden_account/mp6sxls/
Unfortunately, this user did not explain what kind of information (if any) that they were asked to provide for purposes of verifying their identity. Frankly, the impression I get from the descriptions in that Reddit thread is that it was sufficient to provide the original email address.
The only limitation to account access seems to have been that Customer Support disabled the user’s New Device Verification for “only” 24 hours.
Yeah, the user wasn’t specific about what information was provided. In the case of “just an email address,” this recovery method should be time-limited as a handout; otherwise, it’s somewhat ineffective.
I note that Bitwarden would have the following info for all accounts (not just billing info for paid accounts):
- range of IP addresses
- password hint (set by user)
- account name (set by user)
- different kinds of devices that have been used in the past
- login dates
Bitwarden also mentions that they are willing to do this on their New Device Verification help page:
If users do get locked out of their account, they can reach out to Customer Success at Bitwarden.
For those offended by this capability, set up TOTP or Yubikey (and write your recovery code on your emergency sheet).
While I fully agree with this, it’s important to take into account that there are two very big differences between the two-step login verification (2SV) a user can (and should) set up on his account and this new device login protection (NDLP):
- NDLP is only required on new devices, while 2SV is required on every login (on devices where you didn’t check the option “don’t ask again on this device for 30 days”).
- And, IMO, most importantly: 2SV cannot be bypassed by Bitwarden support, while NDLP can (at least in some undisclosed circumstances).
So, the probability of an irreversible account lockout is much greater with 2SV. An emergency sheet is always important, but much more so if your account has (as it should) 2SV set up.
As I had commented in another thread, despite the fact that Bitwarden is marketing the new “New Device Login Protection” requirement as a security enhancement, one should really just think of “New Device Login Protection” more as a nag mechanism for encouraging users to enable Two-Step Login. There is no real security benefit of “New Device Login Protection” if an attacker can easily have the verification requirement waived for 24 hours, by simply providing the email address of the target to Bitwarden Customer support.
Well… I think that technically, it could be bypassed by Bitwarden on the server side, but there are presumably policies in place to disallow this (and possibly other guard rails to further reinforce such a policy).
BW claiming NDLP is “only required on new devices” is part of the problem. I have been using the very same computer for years, so to me it is not a new device. However, NDLP applies if:
- I use a different web browser.
- I use incognito mode.
- I toss my cookies.
- I reinstall the Bitwarden software.
- I deauthorize sessions.
- Bitwarden decides to deauthorize everyone’s sessions due to a perceived threat.
This last one has me particularly concerned. Forcing everyone to re-login should be a defensive action by Bitwarden early in any incident response, perhaps even before the true nature of the threat is understood. And users will instinctively behave properly… grumble a bit and log back in even before learning why the action was taken.
But with NDLP in play, there is risk of support overload with global deauthorization. A certain percentage of users will not be prepared for the circular dependency and will call in requesting their NDLP be temporarily suspended. Realizing this risk will make the IR team much more hesitant to play the global deauthorization card.
Bitwarden’s definition of a “device” is “an installation of a Bitwarden client”, and new device login protection applies to “devices” that are “not known to the server”, which includes the scenarios that you have listed.
BTW, this does happen from time to time, but not always due to a perceived threat. There have been server-side maintenance issues that have resulted in forced logouts of large swaths of users (not sure if all) in the past.
Experience has shown that this is only the case for those users who still have access to their master password (and 2FA if enabled), which excludes a not insignificant percentage of the Bitwarden user base… Since those users are also unlikely to have any vault backups or Emergency Sheets, they will lose all vault data unless they manage to find a logged-in device that has been disconnected from the internet.
I think my comments above may side-track somewhat from your main point, which is a valid concern.
Exactly the problem. One should not go inventing one’s own definition for a common word. Most people would equate a “device” to hardware, not a browser extension or a cookie, leading them to falsely conclude they have no impact.
It’s a reasonable criticism. Bitwarden tries to strike a balance between accurate and descriptive terms while avoiding jargon.
I had similar thoughts as I looked into Crowdin a few months ago for German translations.
(One) “instance” or (one) “installation” might already be a better mental model than (one) “device”… as on the (one) “device” on which I have the desktop app and some browser extensions installed - and can also access the web vault - … that really doesn’t transport a good mental model…