Starting today with a gradual rollout, New Device Login Protection is now live — providing enhanced security against cyberattacks by requiring email verification for unrecognized devices. This extra layer helps protect against hackers targeting weak passwords, even if a password is compromised.
As a reminder, here’s who is excluded:
Users who have a two-step login method set up are excluded (such as authenticator app or hardware key).
Users who log in with SSO, a passkey, or with an API key are excluded.
Self-hosted users are excluded.
Users who log in from a device where they have previously logged in are excluded.
Users who opt-out from their Settings → My account screen are excluded (Not recommended).
You will only get prompted for this verification when logging in from new devices. If you’re logging into a device that you’ve used before, you will not be prompted.
Helpful tips
Bitwarden offers a standalone authenticator app to store your TOTP codes
Always store a copy of your recovery code and important passwords (like your email provider) outside of your password manager app — the Security Readiness Kit is a great starting point.
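As an added illustration (not Bitwarden's code; the account fields, function names and code format are assumptions), the exclusion rules above written as a verification gate: the mailed code is single-use with an expiry, and the device is remembered only after a successful check.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    """Hypothetical account record; field names are assumptions, not Bitwarden's."""
    two_step_enabled: bool = False      # authenticator app, hardware key, etc.
    opted_out: bool = False             # Settings -> My account opt-out (not recommended)
    known_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> (code, expiry)


# Login methods the rollout exempts from the email check
EXEMPT_METHODS = {"sso", "passkey", "api_key"}


def needs_verification(acct, device_id, method, self_hosted=False):
    """Return True when this login must be confirmed by email, per the exclusion list."""
    if self_hosted or acct.two_step_enabled or acct.opted_out:
        return False
    if method in EXEMPT_METHODS:
        return False
    return device_id not in acct.known_devices


def issue_code(acct, device_id, ttl=600):
    """Mint an 8-digit one-time code to be mailed; it expires after ttl seconds."""
    code = f"{secrets.randbelow(10**8):08d}"
    acct.pending[device_id] = (code, time.time() + ttl)
    return code


def verify(acct, device_id, submitted):
    """Consume the pending code; only on success does the device become known."""
    entry = acct.pending.pop(device_id, None)  # one attempt per issued code
    if entry is None:
        return False
    code, expiry = entry
    if time.time() > expiry or not hmac.compare_digest(code, submitted):
        return False
    acct.known_devices.add(device_id)
    return True
```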
I’ve been reading through the previous thread and the announcements, help, etc. Please advise:
Let’s say that I travel without any device but the phone.
I’m using an authenticator on the phone, and email on the phone.
I use a random password for email, stored in Bitwarden.
The phone gets stolen.
Where do I go, from there? My sole means of getting into Bitwarden is that phone. I can’t get into email because that password only really exists in Bitwarden.
At this point, I know two passwords, basically: my bank’s and Bitwarden.
Do I establish a third, insecure password, to an email just for Bitwarden?
I’m being serious, please: if I turn on 2fa & lose access to the 2f, what do I do?
Turn on 2FA for Bitwarden. Carry BW 2FA recovery code with you.
Turn on 2FA for Bitwarden. Leave the 2FA recovery code with someone you trust that you can call.
Use a FIDO2 key to store your BW passkey, so you can get access to your email’s credentials from Bitwarden, on a trustworthy computer.
Carry your email password and 2FA recovery codes with you.
You can turn this feature off, although this is not recommended. It’s highly recommended that you turn 2FA for BW on, and do whatever to accommodate the changes.
If you keep them with you, you have some explicit control. If you leave them with someone you trust, that person has some level of control. If you leave them in a place that is not easily found but is accessible to the entire internet and could potentially be linked to you, are you comfortable with that? Do you need to check if someone accesses it every once in a while? Do you need to change the location periodically?
It’s like leaving an emergency sheet hidden in your house. The differences may be that you have more control over who can access your house, and you can package it in a way that allows you to know if someone has opened it.
So I’m in Scotland & I have no phone, nor email (phone’s stolen). I need to get into email. I can’t get into Bitwarden without the master password and some sort of code. I can put that code with someone or somewhere I have access to, correct? I can hand it to my mom or leave it in an Internet location, I guess are my choices.
I could create an additional email account and leave it in there, I suppose. Or on an ftp server, which is safer. Or just hanging out on a web server, without any context, because I don’t think it’s very useful without the context.
You mentioned accessing email using the info stored in BW, so your email either has 2FA in BW, has other forms of 2FA, or has no 2FA. Typically, people would think about how to regain their TOTP app. Your disaster recovery plan probably should cover that too, like in the Bitwarden security readiness kit mentioned above.
If you had e.g. an additional YubiKey with you – and given that it was not stolen – you could log in to the BW web vault if you had a “login-with-passkey” passkey on that YubiKey.
You could change that email password from “a random password for email stored in Bitwarden” to a “memorizable random passphrase, stored in Bitwarden and in your head” (and probably on your emergency sheet).
A thought that occurred to me when reading it: given that it may run a few years without incidents (without my phone getting stolen)… I wouldn’t be sure if I still remembered the correct web server address and login credentials to it (?!) - but you might know that by heart, because you use it regularly.
An encrypted file (e.g. VeraCrypt, or maybe even a KeePassXC database file, …) on USB sticks – maybe even one on your keychain (probably waterproof etc) – may be another possibility to have everything with you. – Of course, access to that would require the used tools then (VeraCrypt/KeePassXC/…) - at least they are easily downloadable from the internet, or portable versions can also be stored on the USB stick.
With AI I wouldn’t be so sure about that last point. It might be unrecognizable for a naive human, but AI might see some possibilities in an instant. (PS: Especially if there is more info collectible to “connect the dots”.)
Keeping portions of your unencrypted credential online is not a great idea. Leaving it with your mom (or in a location to which you can direct her) is substantially more secure.
One other thing to consider. This discussion is not really about “device verification”; it is the realization that static passwords are not good enough in an online world and that to properly protect one’s online life, MFA of some sort really is needed on all accounts. And, since “something you know” is just a single factor, you are not going to be able to recover solely from your memory while still upholding the tenets of MFA (something you know, something you have, and something you are – pick two).
Security changes, I think, and I’d somewhere obtained the belief that long, complex, random passwords were the ideal.
Changing an account to one that I can remember feels like I’m making myself more vulnerable because I’m susceptible to pressure - I can be forced to divulge dog-puppy-cat-finch-whatever where I can’t quite easily spit out 1k2k3j34j4l1l2k3j!!!* or something.
I dunno. It feels like I’d make the wrong decision here and risk being stuck, is part of my hemming and hawing about it.
This discussion has given me enough to think on, though, and to make a reasonable and secure choice. Thank you.
Complex used to be the consensus, but 8 or so years ago, thinking evolved to realize that longer passwords could be just as “strong”, yet much easier for people to use. Susceptible to pressure is not a threat I really worry about too much. If the $5 wrench does not do it, they will just get the $10 axe. And when it comes right down to it, I would rather lose all my money than lose my life.
Does this really work? I just got a “New Device Logged In From Firefox” email from an unknown IP, without me doing anything. I had to change everything.
One possibility is that the email is a forgery. Another is that your account is truly compromised and your account has not yet been updated with this “gradual rollout”: