Make the 'export vault' function more secure (e.g. requiring 2FA, use a one-time-PIN, ...)

Exporting a vault has a couple of issues:

  1. Using ONLY an emailed pin to export the vault feels too easy. There should be a need for 2FA to execute this action, just in case the email account is compromised.

  2. The emailed PIN (used to export a vault) can be used multiple times. I can re-use the last emailed pin over and over again in a logged in session. That doesn’t seem right. This should be a one time use pin.

Are these concerns valid, or am I just being paranoid?
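The single-use behaviour asked for in point 2, shown as an added example (not part of the original post and not Bitwarden's code): a server-side store that issues an emailed code bound to one user and one action, then consumes it on first successful use. The names `OneTimeCodeStore`, `issue`, `verify` and the `"export"` action label are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Single-use, expiring verification codes bound to a (user, action) pair."""

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable so expiry can be tested
        self._pending = {}   # (user_id, action) -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Hashing gives compare_digest fixed-length bytes for any input string.
        # With only 10**6 possible codes it does not resist offline guessing.
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user_id, action):
        """Create a fresh 6-digit code; an earlier code for this pair is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user_id, action)] = [
            self._digest(code), self._clock() + self._ttl, self._max_attempts]
        return code  # sent to the user out of band, never logged

    def verify(self, user_id, action, submitted):
        """Return True at most once per issued code."""
        key = (user_id, action)
        entry = self._pending.get(key)
        if entry is None:
            return False  # nothing issued, or already consumed
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[key]  # expired or guessed too often
            return False
        entry[2] = attempts_left - 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[key]  # consume: replaying the same code now fails
            return True
        return False
```
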

When I select “Export Vault” in the web vault, Windows app (2024.30.0) or the Chrome extension (2024.2.1), I am prompted for the master password. Master password feels completely appropriate to me.

What client are you using that does not have this requirement?

I agree that asking for the master password would be reasonable.

I am logging in using the web client, but I’m logging in using the “Log in with device” option.
Perhaps that’s why I only get an option for emailed pin as verification?

If you want to export your vault, you first need to log into your vault, which you can protect with 2fa in addition to your master password.

So, a possible attacker would have to compromise three different protection layers to export the vault. Regardless, if an attacker already knows your master password and 2fa, another 2fa prompt to export the vault doesn’t seem to add much protection, as you have already been compromised.

I get what you’re saying.

My thinking was that if you WERE compromised, the intruders would have access to your email account since they have access to all the passwords. So using the email code as another factor is useless.
However using a TOTP code, SMS, or hardware key would be much less likely to be accessible by the intruder.

Yes they can still look through each entry in your vault and copy the data manually, but having some form of considerably more friction to export the vault would be a good thing, no?

Yes, the email verification code is required only when a user has logged in without a master password.

To me, what would make most sense is a requirement to re-authenticate (using master password, device, passkey, etc.).

But with the current system, it is the user’s responsibility to ensure that the vault is locked when not in use, to prevent access by unauthorized individuals.

I for one am not at all keen on adding friction of low protective value to compensate for a possible but low risk which in any case pertains only to my own putative behaviour rather than a security issue.

Force multi-factor authentication (2FA) before the following tasks can be performed:

Vault export

@Flow Welcome to the forum!

I moved your post into this existing feature request to the same topic.

Sidenote: I changed the title of the feature request from “Exporting vault is too easy” to “Make the ‘export vault’ function more secure (e.g. requiring 2FA, use a one-time-PIN, …)”.

Not a fan. There is not much to be gained by increasing friction to create an export, but there is an entire vault to lose.

A common scenario is that someone is nearly locked out of their vault (e.g. lost/broken device, failed master password change, etc.). The absolute first step we recommend is to find a device that may be logged in, put it in airplane mode and then perform an export. This is an important step to ensure things do not get worse.

Requiring online access (e.g. email pin, SMS, etc.) would become immediate loss-of-vault as it would allow the “logout now” message to reach the device.

Personally, I would require nothing more than repeating whatever unlock mechanism(s) is currently configured (biometrics, master password, etc.).