Option to force multiple login verification steps (force "multiple" 2FA / MFA)

Feature name

Three Factor Authentication for all new devices

Feature function

The difference would be that if you logged into your Bitwarden account with a new device, it would ask for TOTP from your Authenticator, as well as either email token, a passphrase or a security question.

As this is a password manager with a TOTP generator built in, it is pretty important to keep the account as secure as possible. Just like many cryptocurrency sites do, I would like Bitwarden to ask for these when logging into my account from a new device:

  1. Master Password
  2. 2FA TOTP (Google Authenticator, etc.)
  3. token sent to my email address, OR a passphrase, OR a security question

It would greatly enhance the security and lower the chance of someone getting into your customer’s account. To be quite honest, this is what is keeping me from upgrading to Premium for sure.

I hope more people find this useful, thanks

I like that idea. While not everybody uses 2FA, sending an email token (I guess to the e-mail used for your BW registration) when logging in from a new device sounds really good. Adds an extra layer of protection. At the moment, I can’t think of a way someone might be able to bypass this, unlike other proposed security features.

Even better, make it so you could turn this feature on/off. But how doable is all this? No clue.

Edit: However, I think that the only option should be an email token

  • What exactly do you mean by passphrase. Like a second password or something?
  • Security question is the worst thing people have ever come up with regarding authentication. If you answer honestly to the “what’s your favourite animal”, the answer is most likely very bad in terms of security. If you lie, it becomes like a 2nd password which you have to remember. (The majority of people can’t even remember their main password, therefore choosing weak ones.)
2 Likes

Absolutely, agreed! An option to turn this on/off in settings is an absolute must, in case bitwarden does end up implementing this.

By passphrase, I meant either:

  • A randomly generated sequence of words in the format: “this-is-a-randomly-generated-string-of-words-to-access-your-account” (similar to what crypto wallets use for recovery when you lose access)
  • Or, a completely random set of characters, just like 1Password uses, in format: “AA-A1B2C3 A1B2C3 A1B2C A1B2C A1B2C A1B2C”

I agree that a ‘security question’ is not actually a very good idea just like you suggested so that suggestion should not be implemented.

1 Like

I don’t think I am familiar with this kind of authentication. Can you explain it?

Let’s say I want to login to my 1Password vault from a new device. How, where and when do I get this “passphrase”? How do I use it to authenticate myself?

No worries, of course I can explain.
The first time you create your account on 1Pass, it requires you to download an ‘emergency toolkit’ which contains your email and the passphrase. It is nothing but a simple PDF file containing your ‘secret key’ (aka passphrase), as well as your email address. It looks like this:

This pretty much acts as your second password, but you only need to enter it for the first time on a new device.

Now, let’s say that you are logging in from a new device; the picture below shows the sign-in information that you need to fill out.

If you set up 2FA (Email, Google Authenticator, Authy, etc.) as well, you will be prompted to enter it right after this step.

Once you have been logged into the device and your credentials are stored from last login, only your master password will be needed just like shown below.

I hope this made my feature request much clearer :blush:

2 Likes

That’s actually very well thought out! After a very quick Google search, I learned that if you lose the “secret key” for whatever reason, you can simply generate a new one. If someone steals it (unlikely), they can’t do anything with it (at least not without your e-mail and password). I can definitely see myself using this feature or a similar one.

3 Likes

Indeed, I would love to have this in Bitwarden. Let’s hope it ends up on the roadmap :wink::folded_hands:

2 Likes

The Secret Key feature was already requested in Add (optional) Secret Key functionality (Like 1Password) or keyfile (Like Keepass), but the idea of a 3FA is definitely new!

1 Like

This is a good idea especially if it’s optional.

I’m not against the security question idea, because if you allow us to pick our own security question and enter whatever we want, we could enter a random password if we wanted to. It would be similar to a secret key but doesn’t encrypt.

I know a security question is not ideal, but it’s better than nothing or even a geo-block if you ask me.
The number of possibilities to make your own questions and your own answer is vastly more.

Plus, it’s something some people might understand easier compared to TOTP or an Email 2FA. I’m not a fan of email 2FA because most users put their email password in the password manager and if you’re locked out of your password manager you’re also locked out of your email. But a security question is not tied to something else. It’s basically another password that can have its benefits especially if Bitwarden changes the email alert to when a correct master password is entered and not a successful login.

Then the ability to have a master password, TOTP 2FA, and a security question sounds good to me for new device logins. Even master password plus security questions alone could be beneficial to some users who are afraid to use certain 2FA.

1 Like

That is precisely the weak point of “security questions”. How often do you have to sign in to your vault from a new device? For the majority of people it might be months/years. If you didn’t write the answer to that “security question” down somewhere, you are screwed, because a normal human can’t remember a password after many months/years without using it. However, the part about being able to ask your own questions and answer them gives a tiny bit of hope, but not much.

Haven’t heard anybody say that, anywhere. I really hope it isn’t true.

Most people put their email password in their password manager, is this not common? That is what a password manager is for. When I set new people up I always have them write down their master password and email password just for this reason.

1 Like

Maybe use a barcode/QR code scan from the mobile Bitwarden app…

Could you elaborate on that? Not sure what you mean.

Feature name

3-step verification

Feature function

  • What will this feature do differently? It will increase the security of your account
  • What benefits will this feature bring? It will allow you to add a third step when logging in, which will further increase security

I propose to add the option to set up 3-step verification, it may look exactly the same as now with 2-step verification.
I would like to set a password + U2F key + code from email on my account
Or password + U2F key + code from a code generating app such as Authy / Google Authenticator

In Bitwarden I keep all my passwords and secure notes; I wish I could keep my account extra secure.

Another solution that could be added is a separate login password and a separate decryption password, as is the case with the Proton Mail login. First, Bitwarden would ask for login details, i.e. email + login password + 2FA, and then a second password to decrypt the passwords. Of course, only as an option for those who are interested.

Sorry for my English, I use machine translation

Hi,

Maybe it’s a cool feature to create 3FA, because I store 2FA codes in there as well because I am kinda lazy. I have 2FA on my account now, but for extra security, 3FA may be a good option, like an authenticator app and an email code to get in.

You don’t log in that often; you just lock the vault in the extension or the Android app.

Kind Regards,
Larsmeneer

This could make sense if you are a high risk target. For example, Binance does this. But, it’s an unusual practice. For cloud-based password managers, the 2FA doesn’t secure the online vault. Its purpose is to give permission for your device to receive the vault - it’s really only device authentication, which is why you always see the “Remember Me” checkbox defaulted with a check on services because how many times do you need to authenticate your device? Your Master Password then decrypts the vault. So, multiple forms of 2FA have limited value. For example, how many times does someone need to authenticate their device to log into a single session? “First factor: Is this device authenticated to receive the vault? You: Yes. 2nd Factor: Are you sure? You: Yes again. Password: Okay, here’s your encrypted vault, now type your password and I may let you in your vault if you type it correctly.”

Someone who needs this level of security would typically already be using security keys. If you are using a security key, you can set a PIN of any length which will effectively act as your 3FA (PIN+tap key+type password). The PIN affords protection from local attacks; the tap affords protection from remote attacks. Alternatively, if your data needs such heightened security that you need 3FA, you may be a good candidate to be using a non-cloud password manager such as Keepass so you can secure the vault yourself in encrypted offline or local storage, away from a cloud-based blob of many accounts.
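The split described in the two posts above (a login credential the server can verify, gated by 2FA, and a separate decryption secret that never leaves the client), as an added Python sketch that is neither Bitwarden's nor Proton's code. The toy HMAC-based cipher, the `Server`/`Client` classes and the use of the account e-mail as the vault-key salt are assumptions made for this demonstration only; a real implementation would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def kdf(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a purpose label, so the login verifier and the
    vault key differ even if a user reuses one password for both."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, 200_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 (illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def try_open(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores only a login verifier and an opaque blob; it never holds a decryption key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt,
                                "verifier": kdf(login_password, salt, b"login"),
                                "blob": b""}

    def _authenticate(self, email: str, login_password: str) -> dict:
        acct = self.accounts[email]
        if not hmac.compare_digest(kdf(login_password, acct["salt"], b"login"), acct["verifier"]):
            raise PermissionError("bad login password")
        return acct

    def store(self, email: str, login_password: str, blob: bytes) -> None:
        self._authenticate(email, login_password)["blob"] = blob

    def fetch(self, email: str, login_password: str, second_factor_ok: bool) -> bytes:
        acct = self._authenticate(email, login_password)
        if not second_factor_ok:
            raise PermissionError("second factor failed")
        return acct["blob"]  # still ciphertext: 2FA only gates delivery of the blob


class Client:
    def __init__(self, server: Server, email: str, login_password: str, decryption_password: str):
        self.server, self.email, self.login_password = server, email, login_password
        # Assumption: the account e-mail doubles as the salt so every device derives the same key.
        self.vault_key = kdf(decryption_password, email.encode(), b"vault")  # never transmitted

    def upload(self, plaintext: bytes) -> None:
        self.server.store(self.email, self.login_password, seal(self.vault_key, plaintext))

    def download(self, second_factor_ok: bool):
        blob = self.server.fetch(self.email, self.login_password, second_factor_ok)
        return try_open(self.vault_key, blob)
```

The point the sketch makes is the one in the post above: a dump of the server (verifier plus blob) together with the login password still yields nothing, because the decryption key is derived from a secret the server never received.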

Hello, I’ve noticed that I can add 2FA with a code generator and email 2FA. But when I try to log in, the email is used as a second option to log in, which makes it useless for me. I want to use both types for login, as is done in other password managers like NordPass (input a master password, an email code and then the app-generated code). Also, you could use email for confirming the login with a link, not a code, but that is not so important. It would be a great new feature for BW.

Hey guys.

It would be really cool to have multiple 2FA, like:

In theory you could select any one of these authentication methods at random with multiple 2FA.

Hi @bw-admin.

I would like to contribute to Bitwarden. There are several similar feature requests here:

Would it be possible to merge everything here?

Hello,

I would like to see an actually simple extension for Bitwarden: forcing two 2FA authentications at login.

Let me explain it with a fictional scenario:

I have a Bitwarden account with all my passwords + 2FA via auth app and email.

But now someone hacks my email address, finds out that the account is registered with Bitwarden and cracks my password there too. Then you have to pick one thing to get through the 2FA. Since the hacker already has access to my email account, the 2FA is useless in this case.

If you had to go through 2 2FA authentications, the first one would go to the email the hacker has, but then you would still have to retrieve the code on my phone. And of course the hacker doesn’t have that.

You can also flip the whole example around so that the hacker has access to the phone [e.g., stolen?] but not the email.

I don’t think that’s strictly necessary, but it would be a simple step to allow users to make their account more secure.

2 Likes
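The login policy proposed in the opening post and in the last one (master password first; on an unrecognised device every enrolled second factor, not one of them; password only on a remembered device), as an added Python example that is not Bitwarden's code or any poster's. The `Account` class, the in-memory "remember this device" tokens and the simulated mailbox (`outbox`) are constructed for this demonstration; the TOTP routine follows RFC 6238 and is checked against the RFC's SHA-1 test vector.

```python
import hashlib
import hmac
import secrets
import struct


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Account:
    EMAIL_CODE_TTL = 300  # seconds

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = pw_hash(password, self.salt)
        self.totp_secret = totp_secret
        self.email_codes = {}    # login_id -> (code, expiry); single use
        self.outbox = []         # simulated mailbox: (login_id, code)
        self.remembered = set()  # sha256(device token) for devices that completed all factors

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(pw_hash(password, self.salt), self.pw_hash)

    def send_email_code(self, login_id: str, now: int) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.email_codes[login_id] = (code, now + self.EMAIL_CODE_TTL)
        self.outbox.append((login_id, code))

    def _email_code_ok(self, login_id, code, now) -> bool:
        entry = self.email_codes.pop(login_id, None)  # consumed whether or not it matches
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code or "")

    def _totp_ok(self, code, now) -> bool:
        # Accept the current step and one step either side for clock drift.
        return any(hmac.compare_digest(totp(self.totp_secret, now + d), code or "")
                   for d in (-30, 0, 30))

    def login(self, password, now, device_token=None, login_id=None,
              totp_code=None, email_code=None):
        """Returns (status, device_token). status is one of
        'bad_password', 'need_all_factors', 'ok'."""
        if not self.check_password(password):
            return "bad_password", None
        if device_token is not None and hashlib.sha256(device_token).digest() in self.remembered:
            return "ok", device_token  # known device: password alone suffices
        # New device: both enrolled factors are evaluated and both must pass.
        # Evaluating both before answering avoids telling the caller which one failed.
        totp_ok = self._totp_ok(totp_code, now)
        email_ok = self._email_code_ok(login_id, email_code, now)
        if not (totp_ok and email_ok):
            return "need_all_factors", None
        token = secrets.token_bytes(32)
        self.remembered.add(hashlib.sha256(token).digest())
        return "ok", token


if __name__ == "__main__":
    acct = Account("correct horse battery staple", b"12345678901234567890")
    now = 1_700_000_000
    acct.send_email_code("login-1", now)
    _, mailed = acct.outbox[-1]
    # Attacker scenario from the last post: password and mailbox, but no phone.
    print(acct.login("correct horse battery staple", now, login_id="login-1", email_code=mailed))
```

Because the e-mail code is consumed on every attempt, an attacker who holds the mailbox but not the authenticator burns each code without getting in, and the generic `need_all_factors` answer does not reveal which of the two factors was wrong.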