Problem logging into new computer

Let’s consider a case where I have a cloud hosted Bitwarden account. And a machine that is authorized. When I log in I need to provide a code from the email. However if the password is complex and stored in Bitwarden, then before Bitwarden is authorized, I can’t know the password. How do you intend I solve this? Dumb down the password to something trivial before I try to set up Bitwarden and then do it again. And if I switch to a browser window from the Bitwarden question for the code to log in to the email to get the code, then the Bitwarden prompt closes. And if I go back, does it want the same code or a new one?

Consider another case. I have a computer with bitwarden set up in one room of my house and I want to set up another one in another room. So I start to log into bitwarden on the 2nd machine and it wants a code, so I walk - say 30 meters - to the other room and log into my email to get the code and write it on a FREAKING PIECE OF PAPER and walk back to the 2nd machine and by that time, the bitwarden prompt has timed out and I need to do it again, but there is not enough time.

So I can’t authorize the 2nd machine.

Seems you folks have not thought through how to have multiple machines and authorize them using the email codes.

I have no idea how to solve this problem. Again, DUMB DOWN the password for my email?

But if I switch away from the Bitwarden prompt do I need to start again?

2nd factor sounds all secure and stuff, UNTIL YOU ACTUALLY HAVE TO USE IT.

BROKEN

… is this a hypothetical – or do you actually need assistance with this?

Two possible options:

  • Write your email account password on your Emergency Sheet.
  • Enable non-email 2FA (e.g., a TOTP authenticator app, or a passkey) on your Bitwarden account. This waives the requirement for New Device verification.

My suggestion would be to make the timeout long enough to walk across the house, log in to email on the other computer and return with the code written on a piece of paper. Say 10 minutes.

DO WE REALLY THINK THAT THE DIFFERENCE BETWEEN 2 min and 10 min is going to allow thieves to break into a bitwarden account?

Sigh…

Seriously?

For any OTP 2FA, especially when the effectiveness of rate-limiting is unknown or subject to change, the added minutes can enhance OTP brute-forcing effectiveness for attackers who know the password. It’s better to keep the time period as short as possible to make the OTP more of a hindrance for attackers.

Besides the possibility to use 2FA for your Bitwarden account that is not based on email… Why is it not possible to log in to your email account on the computer you want to install Bitwarden on? (given your email account credentials are stored on the emergency sheet, which is recommended in any case)

The same one until such time as it expires.

Maybe log in to email on your phone, laptop, or tablet that you can keep by your side.

Or, set up TOTP and get yourself a dedicated hardware token.

Or, get yourself a YubiKey and go all high-tech on your security posture.

Or, dumb-down your security posture by turning off new-device-login-protection, but that is strongly not recommended.

So I should spend money instead of just changing the timeout??

BTW, how does having a longer timeout allow attackers a wider window? Seems like it would, but surely bitwarden only allows a fixed number of tries per code. Say 4 - I have no idea what the count is. So I ask to login and a code is sent. For say a 10 min timeout not a 2 min timeout [or whatever it is]. But the number of times I can enter a code is fixed during that 10 min. Say 4 times to enter code before I must ask for a new code.

If the timeout were an hour rather than 2 min or 10 min, the limit on the number of tries on entering a code would prevent any additional attack surface? Wouldn’t it?

I’m not clear why we think I should spend money on physical keys, or expose Bitwarden on my phone, or whatever, rather than just make the timeout long enough to walk across the house to get the code on another computer where Bitwarden is active so that I can log in to my email on that other computer with a strong password.

Oh, so there is a setting for turning off this thing altogether - New-Device yada yada?? So there’s my solution. Just turn that off, bring up Bitwarden on the new computer and TURN IT BACK ON.

Sorry to be a bother. I did not know I could do that. I think I can risk it for the 20 min required to bring up Bitwarden on a new computer.

Changing the code also costs money (just not yours).

Neither of those is required. You could just install a free TOTP authenticator on your phone, and use that to provide 2FA for your Bitwarden account login.

That will be fine, but you may need to repeat the process if something occurs that clears the browser data on your computer (preventing Bitwarden from recognizing it as a trusted device). Enabling 2FA gets around this potential problem.

In addition, email verification codes are known to be among the least secure of the available authentication methods. As you are evidently 2FA-averse, I assume that your email account does not have any 2FA; if this is true, then an attacker could gain access to your email account, and use that access to facilitate a vault compromise.
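The thread above argues about whether a longer code timeout widens the brute-force window or whether a per-code attempt cap makes the window irrelevant. The following is an added example, not code from Bitwarden or from any poster, that models both policies so the difference can be checked rather than argued: a toy verifier (hypothetical `CodeVerifier`, with constructed parameters for a 6-digit code, a time-to-live and a per-code attempt cap) plus a helper that computes how many distinct guesses a code can absorb under each policy. Bitwarden's real limits are not on the page and are not assumed here.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for the model; the real service's values are not known here.
CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS


@dataclass
class IssuedCode:
    value: str
    issued_at: float  # seconds on some monotonic clock
    attempts: int = 0


class CodeVerifier:
    """Toy email-code verifier (hypothetical). A code expires after `ttl_seconds`
    and accepts at most `max_attempts` guesses; after either limit a fresh code
    must be issued. The caller passes the clock in, so behaviour is testable."""

    def __init__(self, ttl_seconds: float, max_attempts: int):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.active: Optional[IssuedCode] = None

    def issue(self, now: float) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self.active = IssuedCode(code, now)
        return code

    def verify(self, guess: str, now: float) -> str:
        c = self.active
        if c is None:
            return "no-code"
        if now - c.issued_at > self.ttl:
            self.active = None          # a longer TTL only widens this check
            return "expired"
        if c.attempts >= self.max_attempts:
            self.active = None          # the cap ends the code regardless of TTL
            return "locked"
        c.attempts += 1
        if secrets.compare_digest(guess, c.value):
            self.active = None          # single use on success
            return "ok"
        return "wrong"


def max_guesses_per_code(ttl_seconds: float, guesses_per_minute: float,
                         max_attempts: Optional[int]) -> int:
    """Distinct guesses an attacker who already knows the password can make
    against one issued code. With a per-code cap the TTL drops out of the
    formula; with only throttling (max_attempts=None) guesses scale with TTL."""
    throttled = int(ttl_seconds / 60 * guesses_per_minute)
    if max_attempts is None:
        return min(throttled, CODE_SPACE)
    return min(throttled, max_attempts, CODE_SPACE)


def success_probability(ttl_seconds: float, guesses_per_minute: float,
                        max_attempts: Optional[int]) -> float:
    """Best-case chance of guessing one code: distinct guesses over the code space."""
    return max_guesses_per_code(ttl_seconds, guesses_per_minute, max_attempts) / CODE_SPACE


if __name__ == "__main__":
    for ttl in (120, 600, 3600):
        capped = success_probability(ttl, 60, max_attempts=4)
        uncapped = success_probability(ttl, 60, max_attempts=None)
        print(f"ttl={ttl:5d}s  per-code cap of 4: {capped:.2e}   throttle only: {uncapped:.2e}")
```

With a per-code cap the output column stays flat across TTLs, which is the point made at the end of the thread; with throttling alone the probability grows linearly with the window, which is the concern raised earlier. Which column applies depends on limits the page does not state, so the safe design assumption is the one the verifier enforces: both a short TTL and a per-code cap.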