MFA by SMS

Hi Shiran,

Thank you for your suggestion and the offer to contribute to Bitwarden, it’s much appreciated! As far as MFA goes, Bitwarden currently does not have any plans to implement MFA via SMS, and while normally something like this may be welcomed, our product philosophy and security posture makes using SMS itself outside of the scope of anything we would be willing to put into the product. In other words, this feature would not be accepted or merged in (so very glad you asked first!).

SMS is inherently insecure and as such is not viable as an MFA provider, especially for a service such as Bitwarden. Please see this publication from NIST, and Krebs has a pretty good article about this as well (for some background). If you’re personally using SMS for MFA on other sites or providers, especially sensitive ones, and there are alternate ones, I urge you to switch your MFA method ASAP if possible.

Thank you again and hoping you’ll find other great ways to contribute to Bitwarden in the future!
~ Chad

8 Likes