As I had commented in another thread, despite the fact that Bitwarden is marketing the new “New Device Login Protection” requirement as a security enhancement, one should really just think of “New Device Login Protection” more as a nag mechanism for encouraging users to enable Two-Step Login. There is no real security benefit of “New Device Login Protection” if an attacker can easily have the verification requirement waived for 24 hours, by simply providing the email address of the target to Bitwarden Customer support.
Well… I think that technically, it could be bypassed by Bitwarden on the server side, but there are presumably policies in place to disallow this (and possibly other guard rails to further reinforce such policy).