I have noticed that the login attempt notification emails contain a link to the web vault in the part where it says "You can deauthorize all devices that have access to your account from the web vault under Settings → My Account → Deauthorize Sessions." The problem with this is that it does not encourage good security behaviour in users: it goes against the advice of never clicking links in emails, especially unsolicited emails, and so makes it more likely that a user could be the victim of a phishing attempt. My reasons for thinking this are as follows:
- Having a link in genuine notification emails normalises the practice of links being included and makes it harder to spot a phishing email using links to phishing sites.
- Including a link implies it should be used; why include something which is not meant to be used?
- When a user is short of time it can be tempting to take the quick option, clicking the link which supposedly will take you straight to where you need to go. If you are used to links being there then the temptation is even higher because it does not seem unusual.
- As the link appears in the discussion of deauthorising devices, it is most likely to be used when the login attempt was not made by the user and probably was not expected, and thus the notification email itself would not be expected either. It is easier for a phishing email to spoof an unexpected login attempt that was not the user than to fake an expected notification.
I am asking for this link to be removed from login attempt notification emails so as to make it more difficult for scammers to use phishing emails to trick users into giving away login details.
I will acknowledge Bitwarden is not the only place where I have spotted this bad practice of including links for users to log in within security-related notification messages. The worst case I have personally encountered was a bank who sent a suspicious activity SMS asking me to call a number, yet that number was not published anywhere else. When I contacted the bank independently, yes, the message was genuine, and when challenged about the inclusion of an unpublished phone number I was told it was because that team was not to be called unless the bank needed the customer to call that team. Point being, Bitwarden is far from being the worst, but I feel this issue, whilst seemingly small, isn't really in line with best security practices or encouraging best practice amongst users, and maybe it should do better.