I’m not sure what was going on when I made my post but after clearing cookies and trying again, I can verify that it is now working as expected.
There is no way to turn off the email prompt, as was promised in the previous discussion that was combined into this one.
This statement is not accurate. The instructions are provided in the Help Documentation (read all the way to the end).
Hi,
This was gradually rolled out starting on the 4th of March.
I have a test account where I disabled two-step login in order to test a couple of things when this new login protection hit that account.
14 days later, I can still log in to it without any kind of email verification (I’m trying the web vault in an incognito browser window).
And, obviously, I have not turned off the new device login protection.
Is that gradual rollout still incomplete?
Thanks.
Yes, the gradual rollout is still proceeding. We are not at 100% yet.
PSA: https://github.com/bitwarden/clients/issues/13953
I just tested this and was shocked with the result.
EDIT:
So, for anyone relying on the emergency access feature (in takeover mode), my recommendation would be to turn off this new device login protection; and to enable two-step login verification, if you haven’t already.
Great QA check! Does the device verification email get sent to the original user’s email, or to the emergency access grantee?
To the email of the account being taken over, of course.
…yeah, that’s a major design flaw, alright. I have a feeling that your bug report will be closed as expected behavior, though.
Strike three…
- circular dependency with the email account.
- session loss during recovery.
- emergency access silently broken.
New Device Login Protection from the start has seemed like a knee-jerk reaction to an undisclosed event, as opposed to being a strategic raising of the bar.
I can’t help but think how much simpler it would be if they had simply made MFA/2SA mandatory. And if account recovery (including emergency access) were limited to logging the user into the security settings, forcing the first step to be repairing access.
This would be much closer aligned with NIST’s forthcoming recommendations (especially §2.2 - AAL2, §4.2 - account recovery, and §4.2.1.3 - recovery contacts), providing an excellent excuse for the change – “aligning with industry standards”.
I think that this is the primary goal, but it’s too heavy-handed in its implementation. IMO, the New Device Verification should only be enforced on accounts that have never had Two-Step Login (or by opt-in); it should be automatically disabled when Two-Step Login is first activated, and remain disabled even if Two-Step Login is later disabled (by use of the recovery code or emergency access).
It certainly is…
I would seriously hope it is not.
It is perplexing that something like this was overlooked.
But refusing to fix it would be another level.
Leave it to users to decide their own security issues.
It would be interesting to hear the developers’ assessment: if I have lost access to my BW account, then inside it is the password to the email that you ask for from the one who has access to my account. All this is quite controversial and makes no sense. This doesn’t protect against anything. And it just takes time.
Now I thought - yes, I agree.
My BW password database must contain all my passwords except one - password to the linked mail.
This means that I must remember it and enter it by hand.
And who exactly does this? I’m sure no one. Everyone follows the line of least resistance. And me too. I am aware of the risks. And I ask you not to provide me with zero-effectiveness protection.
@serega_da Assuming you mean the “new device verification / login protection”, I moved your posts into this corresponding thread to keep the discussion “centralized”.
You can already do that, as you can opt-out of that. More info to that and everything else concerning the new device verification, see here: New Device Login Protection | Bitwarden
With the new device verification, it does make sense to store your email login credentials also on your Bitwarden emergency sheet. (and remember, if you activate 2FA for your Bitwarden account, you are not even subjected to the new device verification… if ever, then only if you deactivated 2FA, e.g. by using the 2FA recovery code)
It seems to me that it is not difficult to organize - make a setting within my account “disable e-mail authentication”.
You make the first check - e-mail address.
You write that you were “unable to check my device”.
Let’s be honest: you don’t check anything.
Or more precisely, modern Windows protection does not allow you to recognize my device (I don’t know the details).
But the fact remains: nothing has changed for me (country, IP, PC, OS, browser, monitor …) for the last 4 years. You can even train on me, because I even have a static IP, which is now very rare.
If it is difficult to check a user, then there is no need to torment him with additional forced checks. I agree with my destiny to be a victim of scammers. Don’t disturb me.
One well-known browser also introduced forced registration by telephone. People stopped registering with their services altogether. Registration by telephone was cancelled a month later.
People cannot be corrected. You shouldn’t train with this either.