MFA by SMS

Feature name:

MFA by SMS

Feature Description

I wish to contribute to the project and add this feature by myself.
Which repo is responsible for that?

Clients / Repos Affected:

  • Server
  • Web
  • CLI
  • Mobile
  • Desktop
  • Directory Connector

Timeline to completion (estimate):

ETA: Q4/2020

Hi Shiran,

Thank you for your suggestion and the offer to contribute to Bitwarden, it’s much appreciated! As far as MFA goes, Bitwarden currently does not have any plans to implement MFA via SMS, and while normally something like this may be welcomed, our product philosophy and security posture make using SMS itself outside of the scope of anything we would be willing to put into the product. In other words, this feature would not be accepted or merged in (so very glad you asked first!).

SMS is inherently insecure and as such is not viable as an MFA provider, especially for a service such as Bitwarden. Please see this publication from NIST, and Krebs has a pretty good article about this as well (for some background). If you’re personally using SMS for MFA on other sites or providers, especially sensitive ones, and there are alternate ones, I urge you to switch your MFA method ASAP if possible.

Thank you again and hoping you’ll find other great ways to contribute to Bitwarden in the future!
~ Chad


I agree with the exclusion, your stance is appreciated. But it makes me wonder why you accept email? There’s still the same problem of takeover and phishability.

Email accounts hardened through other security measures are obviously better, but does that mean certain providers are blacklisted or no?