Option to force multiple login verification steps (force “multiple” 2FA / MFA)

As simple as in the title. The possibility to create an additional security layer, e.g. where you have to enter e-mail+password, TOTP code AND a code per email to log in. Here the email would be the additional security layer.

That would be a simple step for much more security.

As simple as it seems to you… you mean for Bitwarden account login, right?

There is a standards document that describes three “levels” of authentication.

Multi-factor is the middle level (“AAL2”). The way to move to the highest level is not to use another “something you have”, but rather to require that one of the authentication components be hardware-based. In the case of Bitwarden’s master password the typical approach is to use a YubiKey, preferably one that does Webauthn.


@DenBesten … and here I can add again, that the “FIDO2 Webauthn” 2FA-option for the Bitwarden account also works with e.g. Windows Hello and at least Android devices*** - it does not have to (only) be a YubiKey. (though I use my YubiKeys for that as well)

*** I couldn’t test, whether other platforms like MacOS TouchID/FaceID and/or iOS devices work as well

@XHyperDEVX … and regarding the last posts - and I don’t want to criticize your suggestion - but I would suggest, changing to “FIDO2 WebAuthn” as 2FA could be the better alternative to “TOTP + email”.

FIDO2 WebAuthn provides phishing resistance, which neither TOTP nor email provides. And as I tried to write above in the other post: you may already be able to use FIDO2 WebAuthn as Bitwarden-account-2FA… it’s not only for YubiKeys :wink:

yes, i mean in principle it’s not complicated (i don’t know from the programming side, because i don’t know how bitwarden authenticates the users). it’s just one more query.

yes, yubikeys are secure. let’s include that in my example:

i have a master password, totp code generator on my phone and a yubikey at home.

now i have lost my phone and someone finds it and finds out my master password through other ways.
now he would get into my bitwarden account without any problems (assuming he gets into my phone first)

with this extra layer of security he wouldn’t be able to get in, because he still needs my yubikey, which is at my house, safely stored.

And vice versa, if someone steals my Yubikey, they would need my phone to get into my Bitwarden.
-x-x-x-x-x-x-x-x-
Yes, the whole thing is rather unlikely. But it is one more level of security. And more security = better or not?

That would also be the case, when the YubiKeys would be your only activated 2FA. :thinking:

Yes, one more layer… but more layers = better? I’m not so sure about that. :thinking:

  1. The more layers, also the more “attack surfaces”.

  2. The more layers, the more probable it becomes, that you yourself lose access to Bitwarden, if one of the layers gets lost, and all layers are needed to login. (and there are many people who say, that losing access to your password manager may be more likely than getting the password manager hacked)

But then there’s the phone’s security level

Yes, but now there is only one level of security at most. Then there are two, and even if one of them were to be hacked, the other would still exist.
Yes, the attack surface is larger, but there is also more protection, even if one is successfully hacked.

That’s right, that’s why it shouldn’t be mandatory, but an option. Option ≠ Must.
You take a higher risk, but you have more security. For users who don’t want to take the risk, simply don’t use the feature.

PS: The risk of losing your account increases as soon as you set up the first 2FA level :stuck_out_tongue_closed_eyes:

Sorry, I don’t understand what you mean by that. What has the YubiKey directly to do with your phone?

As I see it, now you have already three layers of security for a Bitwarden account (not looking at specific devices):

  1. choose a very private email address which “nobody knows” and is not leaked anyway → the email address works as a kind of “username” for Bitwarden and as I understand it, is even part of the encryption of the vault (PS: now that I think of that… it would be wise not to choose “remember email” on every device… I will think of that myself for some devices :thinking: )

  2. very strong master password + protect it as well as you can

  3. set 2FA → FIDO2 WebAuthn for max. protection

How is this “only one level of security at most”?

Of course - but then you have the 2FA recovery code as well. In your suggestion, would there be a second recovery code then? Or would the “only” recovery code “turn off” two “second factors” then?


To get the protection from the Yubikey, you need to disable TOTP as a 2FA method for your Bitwarden account. In your scenario above, the phone thief would not be able to log in to your vault, even if they find out your master password.


just nothing, that’s the point

I express myself differently: “just another layer of security” (password and email ignored)

we could discuss how to solve this, good point!

-x-x-x-

my principle is actually quite simple, i don’t know, am i expressing myself so incomprehensibly? xD

just a way to set up two 2fa variants and force both when logging in. that’s all it is.

@XHyperDEVX, I think the general picture being conveyed to you here is that there are many more ways in which you can lose or be defrauded of access to critical things than will ever be covered by a marginal gain from multi-2FA.

I can lock keys in a safe within a safe each with multiple combination locks, and still lose in other ways whatever that safely-held key unlocks.

That is merely my view of the situation. The proposal is yours to make and to support to garner votes. The fact that each of us has (or for some, had) only 20 votes ever to give means that priorities tend to be assessed carefully for each person’s circumstances.

In decades of computing with weak but original and unique passwords and no 2FA, I had not one single account takeover.

Has anyone heard of someone using a strong, unique password and 2FA suffering an account takeover?


@Herc, not directly, no.

Not spotting one form or another of a confidence trick is the most common method of betraying your own data. There are many variations within that.

Yes. Many phishing victims.

The strongest master password and e.g. TOTP are both - as important as they are - still phishable.

in that case, if ur email is full or whatever cant access,
you are doomed.

i always say

UN+pwd+2fa(totp OR key OR recovery code)

Totally support this. This is part of accepted Security standards and cookie cutter for ALL corporate environments.
Also it’s easier to fix if you just add a setting option to force MFA on all logins.

For something as high profile and as ambitious as Bitwarden is this should be up top 3 on features that are most important for securing the app.

It may also allow you to be taken seriously by Enterprise users and Corporations.


Hey @George_Savlovschi, and thanks for the feedback! Although this is not a common request, business plans can already enable 2FA natively via Bitwarden in addition to any 2FA they set up through their existing identity provider. If you’re referring to something else, let me know!


Nah, I mean Force 2FA on all logins, all apps, everywhere, all the time. It sounds excessive but in the context of virus apps like basically anything made by a Chinese developer, it is very important.

In my corporate environments, today in 2025, I have this for all apps that are available for both my company and my customers.

In my humble opinion it should be a default for all Bitwarden users.

The rest of the awesome features you guys painstakingly coded and got serious certifications for are useless if the Master Password is ownable.

But this should be a toggle in the settings, because maybe some people don’t wish to MFA in every time.

PS: Thanks for quick approval!

Thanks for the additional context @George_Savlovschi. So you’re looking for something like master password re-prompt, but 2FA instead of password and set as a default? Vault Items | Bitwarden

Happy to leave this one up in the community to see if it gets any traction, but rest assured, business plans already have extensive access customization via their existing identity provider when they SSO into Bitwarden. We also provide SSO with trusted devices, which means team members aren’t assigned a master password.
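
Added example, not part of any post in this thread and not Bitwarden's code: a constructed simulation of the point made above that FIDO2 WebAuthn is phishing resistant while TOTP is not. The origins, secret and function names are hypothetical, and the assertion format is a simplification of WebAuthn (the real protocol signs authenticator data plus a hash of the client data).

```javascript
const crypto = require("node:crypto");

const RP_ORIGIN = "https://vault.example";    // hypothetical genuine site
const PHISH_ORIGIN = "https://vau1t.example"; // hypothetical look-alike site

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, 6 digits.
function totp(secret, unixTime) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixTime / 30)));
  const mac = crypto.createHmac("sha1", secret).update(counter).digest();
  const offset = mac[19] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 1000000).padStart(6, "0");
}

// The server only sees six digits; nothing says which page they were typed into.
function serverAcceptsTotp(secret, code, now) {
  return code === totp(secret, now);
}

// Simplified assertion: the browser, not the user, writes the origin it is
// actually on into clientData, and the authenticator signs over it.
function browserAssert(privateKey, challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({ type: "webauthn.get", challenge, origin: originSeenByBrowser });
  const signature = crypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// The relying party checks challenge, origin and signature together.
function serverAcceptsAssertion(publicKey, challenge, assertion) {
  const cd = JSON.parse(assertion.clientData);
  return cd.challenge === challenge && cd.origin === RP_ORIGIN &&
    crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function simulate() {
  const now = 1700000000;                                  // constructed timestamp
  const secret = Buffer.from("constructed-shared-secret"); // constructed TOTP seed
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(16).toString("hex");
  return {
    // A code typed into the look-alike page and forwarded is still valid.
    totpViaPhish: serverAcceptsTotp(secret, totp(secret, now), now),
    webauthnDirect: serverAcceptsAssertion(publicKey, challenge, browserAssert(privateKey, challenge, RP_ORIGIN)),
    webauthnViaPhish: serverAcceptsAssertion(publicKey, challenge, browserAssert(privateKey, challenge, PHISH_ORIGIN)),
  };
}
```

Rewriting the origin in a forwarded assertion does not help the relay either, because the signature no longer matches the altered client data.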