New Device Login Protection is now live for enhanced security protection

Hi everyone,

Starting today with a gradual rollout, New Device Login Protection is now live — providing enhanced security against cyberattacks by requiring email verification for unrecognized devices. This extra layer helps protect against hackers targeting weak passwords, even if a password is compromised.

As a reminder, here’s who is excluded:

  • Users who have a two-step login method set up are excluded (such as authenticator app or hardware key).
  • Users who log in with SSO, a passkey, or with an API key are excluded.
  • Self-hosted users are excluded.
  • Users who log in from a device where they have previously logged in are excluded.
  • Users who opt out from their Settings → My account screen are excluded (not recommended).

I need help accessing my Bitwarden account

Please contact support at Help Center | Bitwarden

When will I get prompted for this verification?

You will only get prompted for this verification when logging in from new devices. If you’re logging into a device that you’ve used before, you will not be prompted.

Helpful tips

  • Bitwarden offers a standalone authenticator app to store your TOTP codes
  • Always store a copy of your recovery code and important passwords (like your email provider) outside of your password manager app — the Security Readiness Kit is a great starting point.
  • Designate a trusted contact for emergency access
  • For more on Bitwarden account security, check out this Blog Post.

Previous announcements


@thomashardy Welcome to the forum!

And could you please name the source of your quote?

I’ve been reading through the previous thread and the announcements, help, etc. Please advise:

  • Let’s say that I travel without any device but the phone.
  • I’m using an authenticator on the phone, and email on the phone.
  • I use a random password for email, stored in Bitwarden.
  • The phone gets stolen.

Where do I go, from there? My sole means of getting into Bitwarden is that phone. I can’t get into email because that password only really exists in Bitwarden.

At this point, I know two passwords, basically: my bank’s and Bitwarden.

Do I establish a third, insecure password, to an email just for Bitwarden?

I’m being serious, please: if I turn on 2FA & lose access to the 2FA, what do I do?

Hello David,

These are some possibilities:

  1. Turn on 2FA for Bitwarden. Carry the BW 2FA recovery code with you.
  2. Turn on 2FA for Bitwarden. Leave the 2FA recovery code with someone you trust that you can call.
  3. Use a FIDO2 key to store your BW passkey, so you can get access to your email’s credentials from Bitwarden, on a trustworthy computer.
  4. Carry your email password and 2FA recovery codes with you.
  5. You can turn this feature off, although this is not recommended. It’s highly recommended that you turn 2FA for BW on, and do whatever to accommodate the changes.

Thank you.

A solution might be to put codes in a text file on a random web server to which I have access, in which case I just need to remember its location?

It seems that if your phone gets stolen, you’d be in trouble regardless, since you’d lose access to all of your 2FA.

I think that is a possibility.

If you keep them with you, you have some explicit control. If you leave them with someone you trust, that person has some level of control. If you leave them in a place that is not easily found but is accessible to the entire internet and could potentially be linked to you, are you comfortable with that? Do you need to check if someone accesses it every once in a while? Do you need to change the location periodically?

It’s like leaving an emergency sheet hidden in your house. The differences may be that you have more control over who can access your house, and you can package it in a way that allows you to know if someone has opened it.

So I’m in Scotland & I have no phone, nor email (phone’s stolen). I need to get into email. I can’t get into Bitwarden without the master password and some sort of code. I can put that code with someone or somewhere I have access to, correct? I can hand it to my mom or leave it in an Internet location, I guess are my choices.

I could create an additional email account and leave it in there, I suppose. Or on an ftp server, which is safer. Or just hanging out on a web server, without any context, because I don’t think it’s very useful without the context.

context

Yes, to me the recovery code looks like:

  1. 2FA recovery code
  2. encryption recovery code (like in Proton Mail)
  3. a password suitable for printing
  4. a prank or a joke

You mentioned accessing email using the info stored in BW, so your email either has 2FA in BW, has other forms of 2FA, or has no 2FA. Typically, people would think about how to regain their TOTP app. Your disaster recovery plan probably should cover that too, like in the Bitwarden security readiness kit mentioned above.

From your first post here:

If you had e.g. an additional YubiKey with you – and given that was not stolen – you could log in to the BW web vault if you had a “login-with-passkey”-passkey on that YubiKey.

You could change that email password from “a random password for email stored in Bitwarden” to a “memorizable random passphrase, stored in Bitwarden and in your head” (and probably on your emergency sheet).

A thought that occurred to me when reading it: given, it may run a few years without incidents (without my phone getting stolen)… I wouldn’t be sure if I still remembered the correct web server address and login credentials to it (?!) - but you might know that by heart, because you use it regularly.

An encrypted file (e.g. VeraCrypt, or maybe even a KeePassXC database file, …) on USB sticks – maybe even one on your keychain (probably waterproof etc) – may be another possibility to have everything with you. – Of course, access to that would require the used tools then (VeraCrypt/KeePassXC/…) - at least they are easily downloadable from the internet, or portable versions can also be stored on the USB stick.

With AI I wouldn’t be so sure about that last point. It might be unrecognizable for a naive human, but AI might see some possibilities in an instant. (PS: Especially if there is more info collectible to “connect the dots”.)

AI might see some possibilities in an instant.

:grin: I did try. The possibilities are wide-ranging indeed. Claude listed 12; almost feel like showing off.

You are wise to think of this. The standard mitigation is to use both recovery codes and emergency sheets.

Keeping portions of your unencrypted credential online is not a great idea. Leaving it with your mom (or in a location to which you can direct her) is substantially more secure.

One other thing to consider. This discussion is not really about “device verification”; it is the realization that static passwords are not good enough in an online world and that to properly protect one’s online life, MFA of some sort really is needed on all accounts. And, since “something you know” is just a single factor, you are not going to be able to recover solely from your memory while still upholding the tenets of MFA (something you know, something you have, and something you are – pick two).

Thank you for discussing and explaining.

Security changes, I think, and I’d somewhere obtained the belief that long, complex, random passwords were the ideal.

Changing an account to one that I can remember feels like I’m making myself more vulnerable because I’m susceptible to pressure - I can be forced to divulge dog-puppy-cat-finch-whatever where I can’t quite easily spit out 1k2k3j34j4l1l2k3j!!!* or something.

I dunno. It feels like I’d make the wrong decision here and risk being stuck, is part of my hemming and hawing about it.

This discussion has given me enough to think on, though, and to make a reasonable and secure choice. Thank you.

Complex used to be the consensus, but 8 or so years ago, thinking evolved to realize that longer passwords could be just as “strong”, yet much easier for people to use. Susceptible to pressure is not a threat I really worry about too much. If the $5 wrench does not do it, they will just get the $10 axe. And when it comes right down to it, I would rather lose all my money than lose my life.

Keeping the recovery codes on a hardware-encrypted USB drive would be a great way. Hang it on a leather cord around your neck.


Does this really work? I just got a “New Device Logged In From Firefox” email from an unknown IP, without me doing anything. I had to change everything.

Welcome, @boii to the community!

One possibility is that the email is a forgery. Another is that your account is truly compromised and your account has not yet been updated with this “gradual rollout”:

Just had my first experience with the new prompt at the web vault.

Entered credentials, received email with code, but there was no place to enter it?

The web page had gone back to asking for my email address.

This isn’t good.

Is this on a browser where you’ve never previously logged in to the Web Vault? Could you post some screenshots?

As soon as you submit the master password, you should see the following screen:


If you’re seeing something different, then the issue may not be related to New Device Verification.
