This is a super important feature that needs more attention. Even though you “trust” your emergency contacts, you should still be notified in a very obvious way that the emergency contact attempted to access your vault.
Accountability is critical when implementing “emergency” backup systems like this.
If someone is requesting access to my account, the least I would expect is a clear, permanent banner in every client where I use my vault, and no fewer than one email per day — or at least a dozen emails spread out according to the duration of the access request.
I hope this will be considered by Bitwarden team, I find it really important.
I can’t believe this simple addition which boost security 100X has not been done in all these years.
It should be a no-brainer that a message dialog/notification is LOUDLY displayed every time you sign into your app, browser vault, or ext. that there is a pending emergency access request.
An email inadvertently going to the junk folder could be missed, or malicious actor could delete the email. Sheesh even lastpass has had this for years.
We should make more noise on x and other social media. This is soo bad.
To be fair, in all these years it only gathered less than 20 votes. That said, I added mine today.
A malicious actor who has been added as a trusted contact and already has access to your e-mails?
I would say that this is a special case. I think that 99% of users don’t think about it until an emergency occurs. And 99% of users have never tested this case and therefore have never seen that only one email is sent. They trust Bitwarden. That’s why Bitwarden should carefully consider this scenario for its users. If users think carefully about an emergency scenario, they would definitely expect more notifications than just an email. At least a notification within the software you use every day would be very helpful. Users would certainly like to know when the emergency contact triggers the emergency function.
Exactly, I assist many clients in configuring Estate recovery situations, and currently I have to do half ■■■ work arounds with email forwarding from their secure email to their daily driver email so they don’t miss such an important email.
Every time I have to set this up I just know it is not giving them the best option.
Given this is such a trivial thing to implement, but has such a critical effect on security and recovery it needs more priority.
Your assuming the “trusted” contact has not been compromised.
We need to be thinking defensively here not justifying why a critical but simple item is just not added by default anyway. Seems crazy to rely on external services (email) to your product, which you cannot guarantee delivery of.
They don’t even need access to your email. it could just be sent to an email you don’t monitor often, or get lost in a sea of junk emails.
Totally agree with this. Not sure how else to get the required attention on this issue. I posted on this over 18 months ago.
Every bitwarden client should be showing a massive RED WARNING saying emergency access has been requested to your vault.
@jetset I moved your post into this feature request as your comment was about in-app notifications (i.e. related to this feature request).
Yes, I would assume that the account of my trusted contact is equally secured to mine, with a strong master password and 2FA.
I do not want to downplay the risks, but in order to target my account, several steps have to be taken:
This attack vector is possible but much more unlikely than most others.
You also cannot guarantee the delivery of push notifications. How often does it happen that someone tells me “Oh, I did not see your message” when it is obvious that they have a full notification bar on their smartphone? Also an app needs the permission to display push notifications at all.
Displaying the warning when the app opens is not enough since most actions with the app can be taken without opening it once it is set up for auto-fill.
Seems odd we are butting heads over something that really is not that controversial in terms of protecting your account. But since that is where we are at here is my response to your ‘concerns’
With regards to vault security it would be very dangerous to assume such a thing. You have no control over the security hygiene of someone else.
To your points
Let’s think broader, what if trusted contact gets compromised and the malicious actor is just opportunistic, not really targeting you but see a chance to push this button. Or better yet the trusted person goes rouge (I have seen many things happen like this in my time assisting folks).
Gain access to whose vault, the trusted contact. You don’t know they have 2FA. If you mean the person trusting them, if they have take over rights then 2FA is bypassed. In most cases takeover is required if you are assuming a worst case emergency event.
What? So you are telling me you go in and check that your vault has not had the emergency access triggered every time you use bitwarden. How else would you know.
This does help I grant you that, but once again you are assuming a lot of things here, and trusting this does not happen. Timer can be set from 1 day to 90.
I would not be relying on notifications either, but come to think of it that would also be a nice feature worth adding as well. The reality is many folks may not even have the app installed so you could not rely on this method. I think you must use the app mostly in this way if you are thinking like this.
Ideally ALL apps, web vault and the browser extension should be screaming at you with some sort of warning that this has been triggered.
Do them all:
Let me clarify this: I think this is an important change, so I voted for it. However, with the limited resources of the development team in mind, there are several feature-requests that are more urgent in my opinion.
Sounds like a cheap excuse, but if this is a possibility, the person should not be trusted in the first place.
Yes, I was referring to the vault of the trusted contact. And I know that 2FA is enabled since both contacts told me they enabled it. Additionally, 2FA is mandatory for some time now.
There was a misunderstanding here. My four-point-list was meant as “Each of these points have to be true for an attacker to succeed”. What I wanted to express is: A successful attack requires that I somehow miss the notification email.
I fully agree.
Guys, as I have written above. A user does simply want to know if the emergency function is activated. Mail isn’t enough. The scenario could be much simpler. An emergency contact you forgot and have beef with. Or an emergency contact who is pressured to activate it. I don’t think it is too much of an ask to inform the user inside the App, Browser Extension, etc.
If I compare it with other companies that provide emergency functions or inheritance functions, they NEVER only provide one channel.
Well, it is similar to trusting someone with the keys to your home. With Bitwarden it is just easier to revoke.
That said, I do not think that this scenario is a real problem. Someone who is angry with you uses your credentials, e.g. posting on your social media accounts without your knowledge? This is punishable by law in most (all?) countries and we are not talking about an anonymous actor here who does not care.
It feels like you would rather not understand where the problem lies. Simple—ask your users if it is enough to just send an email if the emergency access will be triggered. Then analyze the answers.
The issue is that your users don’t know how you implemented the feature, because most of them don’t test it. They trust you. And that is why you don’t get more pushback here.
It is unclear who you are referring to. If you are addressing me, I am not a Bitwarden employee but a simple user.
And yes, I understand the issue here, but I do not rate it as a high priority.
@jetset, @chrisb, @marlin: I think that you’ve all thoroughly made your respective points — no need to clutter up this feature request thread with further arguments.
I would like to suggest that if one does not feel comfortable with emergency access, one does not have to use it. A few alternatives: