As simple as in the title. The possibility to create an additional security layer, e.g where you have to enter e-mail+password, TOTP code AND a code per email to log in. Here the email would be the additional security layer.
That would be a simple step for much more security.
There is a standards document that describes three “levels” of authentication.
Multi-factor is the middle level (“AAL2”). The way to move to the highest level is not to use another “something you have”, but rather to require that one of the authentication components be hardware-based. In the case of Bitwarden’s master password the typical approach is to use a YubiKey, preferably one that does Webauthn.
@DenBesten … and here I can add again, that the “FIDO2 Webauthn” 2FA-option for the Bitwarden account also works with e.g. Windows Hello and at least Android devices*** - it does not have to (only) be a YubiKey. (though I use my YubiKeys for that as well)
*** I couldn’t test, whether other platforms like MacOS TouchID/FaceID and/or iOS devices work as well
@XHyperDEVX … and regarding the last posts - and I don’t want to critize your suggestion - but I would suggest, changing to “FIDO2 WebAuthn” as 2FA could be the better alternative to “TOTP + email”.
FIDO2 WebAuthn provides phishing resistance, which neither TOTP nor email provides. And as I tried to write above in the other post: you may already be able to use FIDO2 WebAuthn as Bitwarden-account-2FA… it’s not only for YubiKeys
yes, i mean in principle it’s not complicated (i don’t know from the programming side, because i don’t know how bitwarden authenticates the users). it’s just one more query.
yes, yubikeys are secure. let’s include that in my example:
i have a master password, totp code generator on my phone and a yubikey at home.
now i have lost my phone and someone finds it and finds out my master password through other ways.
now he would get into my bitwarden account without any problems (assuming he gets into my phone first)
with this extra layer of security he wouldn’t be able to get in, because he still needs my yubikey, which is at my house, safely stored.
And vice versa, if someone steals my Yubikey, they would need my phone to get into my Bitwarden.
-x-x-x-x-x-x-x-x-
Yes, the whole thing is rather unlikely. But it is one more level of security. And more security = better or not?
That would also be the case, when the YubiKeys would be your only activated 2FA.
Yes, one more layer… but more layers = better? I’m not so sure about that.
The more layers, also the more “attack surfaces”.
The more layers, the more probable it becomes, that you yourself lose access to Bitwarden, if one of the layers get’s lost, and all layers are needed to login. (and there are many people who say, that loosing access to your password manager may be more likely than getting the password manager hacked)
Yes, but now there is only one level of security at most. Then there are two, and even if one of them were to be hacked, the other would still exist.
Yes, the attack surface is larger, but there is also more protection, even if one is successfully hacked.
That’s right, that’s why it shouldn’t be mandatory, but an option. Option ≠ Must.
You take a higher risk, but you have more security. For users who don’t want to take the risk, simply don’t use the feature.
PS: The risk of losing your account increases as soon as you set up the first 2FA level
Sorry, I don’t understand what you mean by that. What has the YubiKey directly to do with your phone?
As I see it, now you have already three layers of security for a Bitwarden account (not looking at specific devices):
choose a very private email address which “nobody knows” and is not leaked anyway → the email address works as a kind of “username” for Bitwarden and as I understand it, is even part of the encryption of the vault (PS: now that I think of that… it would be wise not to choose “remember email” on every device… I will think of that myself for some devices )
very strong master password + protect it as good as you can
set 2FA → FIDO2 WebAuthn for max. protection
How is this “only one level of security at most”?
Of course - but then you have the 2FA recovery code as well. In your suggestion, would there be a second recovery code then? Or does the “only” recovery code would “turn off” two “second factors” then?
To get the protection from the Yubikey, you need to disable TOTP as a 2FA method for your Bitwarden account. In your scenario above, the phone thief would not be able to log in to your vault, even if they find out your master password.
@XHyperDEVX, I think the general picture being conveyed to you here is that there are many more ways in which you can lose or be defrauded of access to critical things than will ever be covered by a marginal gain from multi-2FA.
I can lock keys in a safe within a safe each with multiple combination locks, and still lose in other ways whatever that safely-held key unlocks.
That is merely my view of the situation. The proposal is yours to make and to support to garner votes. The fact that each of us has (or for some, had) only 20 votes ever to give means that priorities tend to be assessed carefully for each person’s circumstances.
Totally support this. This is part of accepted Security standards and cookie cutter for ALL corporate environments.
Also it’s easier to fix if you just add a setting option to force MFA on all logins.
For something as high profile and as ambitious as BitWarden is this should be up top 3 on features that are most important for securing the app.
It may also allow you to be taken serious by Enterprise users and Corporations.
Hey @George_Savlovschi, and thanks for the feedback! Although this is not a common request, business plans can already enable 2FA natively via Bitwarden in addition to any 2FA they set up through their existing identity provider. If you’re referring to something else, let me know!
Nah, I mean Force 2FA on all logins, all apps, everywhere, all the time. It sounds excessive but in the context of virus apps like basically anything made by a Chinese developer, it is very important.
In my corporate environments, today in 2025, I have this for all apps that are available for both my company and my customers.
In my humble opinion it should be a default for all BitWarden users.
The rest of the awesome features you guys painstakingly coded and got serious certifications for are useless if the Master Password is ownable.
But this should be a toggle in the settings, because maybe some people don’t wish to MFA in every time.
Thanks for the additional context @George_Savlovschi. So you’re looking for something like master password re-prompt, but 2FA instead of password and set as a default? Vault Items | Bitwarden
Happy to leave this one up in the community to see if it gets any traction, but rest assured, business plans already have extensive access customization via their existing identity provider when they SSO into Bitwarden. We also provide SSO with trusted devices, which means team members aren’t assigned a master password.