Keep getting "Your Bitwarden account was just logged into from a new device." on the same device


Recently I clicked on the BW icon but saw a spinning roundel and it had obvs hung. I restarted Firefox and BW prompted me to login to the vault all over again, without remembering my email, natch. (Though I tick ‘remember email’ every time).

Then I received a "Your Bitwarden account was just logged into from a new device." email.
I’ve noticed that I keep getting these emails intermittently on the same device and I suspect it’s because my IP address has changed. Presumably this is more common than usual because I’m on a consumer broadband service that does not offer static IPs by default.

But why do these emails say I’m on a new device when this is patently untrue?
It’s not uncommon for devices to change their network address, even if not physically.

How is Bitwarden supposed to recognize your device? It looks at the IP address, the type of app that was used, and a unique identifier that is stored in a cookie. If any of these change, then you will get a “new login” notification. For example, if your browser has been configured to clear cookies, then you will get a notification every time that you log in, whether the IP address has changed or not.

But therein lies the rub: my device has not changed. Sure, my IP address may have, but that’s not the same, and so the message is plain wrong and misleading. One could deduce that someone has hacked into my device and changed something fundamental, etc.

Devices don’t change fundamentally very often, i.e. so that they could be termed “new”, but IP addresses can, and the message should really be changed to reflect reality.
Whether BW should force folks to set up login from scratch again on an IP address change is another debate. The same goes for cookies.

I did some more digging and found E-Mail New Device Logged In - #5 by jetersen which refers to setting appId and uuid within data.json and though I’ve little idea what that means, it sounds promising.

I don’t know too much about the technical implementation of the current feature, but I imagine that it may be possible to steal or spoof the unique identifier (perhaps in an AiTM scheme), in which case the mismatched IP would be the only clue that an attacker has compromised your Bitwarden account.

For an important security feature like this, I would rather that Bitwarden err on the side of false positives than false negatives. Perhaps they can finesse the wording of the email though, to use a description that is more apt than “new device”.
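An illustrative model of the three-factor check described earlier in the thread (IP address, app type, identifier kept in a cookie), added here as an example and not Bitwarden's own code. It keeps notifying on any change, as the reply above prefers, but words the reason by what actually changed; the class, function names and sample values are assumptions.

```python
from dataclasses import dataclass


# Constructed data model for illustration; not Bitwarden's implementation.
@dataclass(frozen=True)
class LoginContext:
    ip: str         # network address the login came from
    client: str     # kind of app, e.g. "browser-extension" or "desktop"
    device_id: str  # identifier persisted in a cookie; "" if it is missing


FACTORS = ("ip", "client", "device_id")


def changed_factors(previous: LoginContext, current: LoginContext) -> set:
    """Names of the factors that differ between two logins."""
    return {f for f in FACTORS if getattr(previous, f) != getattr(current, f)}


def describe_login(known: list, current: LoginContext) -> dict:
    """Decide whether to notify and describe what actually changed.

    Any differing factor still triggers a notification (false positives are
    preferred over false negatives); only the wording becomes more precise.
    """
    if not known:
        return {"notify": True, "changed": [], "reason": "first login for this account"}
    # Compare against the closest previously seen login (fewest differing factors).
    diffs = min((changed_factors(k, current) for k in known), key=len)
    if not diffs:
        return {"notify": False, "changed": [], "reason": "known device and network"}
    parts = []
    if "device_id" in diffs:
        parts.append("device identifier missing (cookies cleared?)"
                     if current.device_id == "" else "unrecognised device identifier")
    if "client" in diffs:
        parts.append("different app type")
    if "ip" in diffs:
        parts.append("new network address")
    # Only call it a "known device" when the identifier itself still matches.
    prefix = "known device: " if "device_id" not in diffs else ""
    return {"notify": True, "changed": sorted(diffs), "reason": prefix + ", ".join(parts)}
```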