Current problems with using a recovery code
- A lot of people don’t write it down when setting up 2FA.
- You need to store it somewhere.
- Can be lost, stolen, or copied.
- An unforeseen accident like a house fire could destroy it even if you did everything right.
- If you lose your 2FA device and/or recovery code, you can be locked out of your Bitwarden account forever.
Why a time delay is better
- Nothing to write down.
- Nothing to lose.
- Can’t lose it in a house fire or unforeseen event.
- Nothing to remember.
- Alerts you that someone knows your master password and email address; I’ll explain more at the bottom.
- Less burden for the user.
- It would encourage more people to use 2FA as there would be less friction.
- So long as you know your master password and email, you won’t be locked out of your account forever if you lose your 2FA device.
To log in to your Bitwarden account you need your email, master password, and 2FA.
While 2FA is great, we do have the issue of users losing their 2FA device; this is why we have the recovery code. If you’ve lost your 2FA device you can get back into your Bitwarden vault by entering your email, master password, and recovery code here.
This works but the reality is that most users either forget to write down their recovery code or they lose it. If you lose your 2FA device and recovery code you’re locked out of your account forever.
To solve this we replace the recovery code with a time delay.
If you lost your 2FA device you can go to the same page to turn 2FA off. What is different is that instead of entering your email, master password, and recovery code you only enter your email and master password and then wait whatever time you set. This could be hours, days, or even weeks depending on what the user set beforehand or the default value if they did not set anything.
This puts the user’s account in recovery mode. When in recovery mode Bitwarden signs the user out of all devices and sends an email to let them know they’re in recovery mode. The email also informs the user that someone knows their email and master password, so they need to change it if they did not start the recovery themselves. To get out of recovery mode all the user needs to do is log in to Bitwarden.
If the user does not log in completely because they actually did lose their 2FA device and the time expires, the 2FA will be removed from the account. Once the time has passed and the 2FA is removed, you can log in to your account with your email and master password like normal.
Many users have their entire life in their password manager and it’s scary to think you could lose it all with events out of your hands all because you lost your recovery code and 2FA device. With a time delay, this is not a problem.
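As an added illustration (my own model, not Bitwarden’s code and not part of the original post), the following Python sketch walks through the recovery flow described above: a recovery request needs only email and master password, it signs the account out everywhere and queues an alert email, any complete login cancels it, and once the chosen delay has elapsed the second factor is dropped. The account, the 7-day default, the `totp_ok` flag standing in for the second factor, and all function names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import secrets

# Hypothetical model of the time-delay recovery mode proposed in the post.
# This is NOT Bitwarden's implementation; names and values are made up.


def hash_password(master_password: str, salt: bytes) -> bytes:
    # Stand-in for the real KDF; low iteration count so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 10_000)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    two_factor_enabled: bool = True
    recovery_delay: timedelta = timedelta(days=7)       # user-chosen wait
    recovery_started: Optional[datetime] = None         # None = not in recovery mode
    sessions: set = field(default_factory=set)          # active session tokens
    notifications: list = field(default_factory=list)   # emails that would be sent


class Vault:
    def __init__(self):
        self.accounts = {}

    def create_account(self, email, master_password, delay_days=7):
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, hash_password(master_password, salt),
                       recovery_delay=timedelta(days=delay_days))
        self.accounts[email] = acct
        return acct

    def _authenticate(self, email, master_password):
        acct = self.accounts.get(email)
        if acct is None:
            return None
        expected = hash_password(master_password, acct.salt)
        return acct if hmac.compare_digest(expected, acct.password_hash) else None

    def _apply_expiry(self, acct, now):
        # Delay elapsed without a complete login: drop 2FA from the account.
        if acct.recovery_started is not None and now >= acct.recovery_started + acct.recovery_delay:
            acct.two_factor_enabled = False
            acct.recovery_started = None
            acct.notifications.append(("2fa-removed", now))

    def request_recovery(self, email, master_password, now):
        """Replaces 'enter your recovery code': email + master password, then wait."""
        acct = self._authenticate(email, master_password)
        if acct is None:
            return "bad-credentials"
        if not acct.two_factor_enabled:
            return "no-2fa"
        if acct.recovery_started is not None:
            return "already-pending"
        acct.recovery_started = now
        acct.sessions.clear()   # sign out of all devices
        acct.notifications.append(("recovery-started", now, now + acct.recovery_delay))
        return "pending"

    def login(self, email, master_password, totp_ok, now):
        """totp_ok stands in for the second factor: True when the 2FA step passed."""
        acct = self._authenticate(email, master_password)
        if acct is None:
            return "bad-credentials"
        self._apply_expiry(acct, now)
        if acct.two_factor_enabled and not totp_ok:
            return "2fa-required"   # incomplete login: recovery stays pending
        if acct.recovery_started is not None:
            acct.recovery_started = None   # complete login cancels recovery
            acct.notifications.append(("recovery-cancelled", now))
        acct.sessions.add(secrets.token_hex(8))
        return "ok"


EMAIL, PW = "alice@example.com", "correct horse battery staple"   # constructed sample


def lost_device_scenario():
    """Owner lost the 2FA device: request recovery, wait out the delay, log in."""
    vault = Vault()
    t0 = datetime(2024, 1, 1)
    vault.create_account(EMAIL, PW, delay_days=7)
    r1 = vault.request_recovery(EMAIL, PW, t0)
    r2 = vault.login(EMAIL, PW, totp_ok=False, now=t0 + timedelta(days=3))
    r3 = vault.login(EMAIL, PW, totp_ok=False, now=t0 + timedelta(days=7))
    return r1, r2, r3


def stolen_password_scenario():
    """Attacker knows email + master password; owner logs in before the delay ends."""
    vault = Vault()
    t0 = datetime(2024, 1, 1)
    vault.create_account(EMAIL, PW, delay_days=7)
    r1 = vault.request_recovery(EMAIL, PW, t0)                             # attacker starts recovery
    r2 = vault.login(EMAIL, PW, totp_ok=True, now=t0 + timedelta(days=2))  # owner's normal login
    r3 = vault.login(EMAIL, PW, totp_ok=False, now=t0 + timedelta(days=8)) # attacker after the delay
    return r1, r2, r3


def wrong_password_blocked():
    """Recovery mode cannot be started without the master password."""
    vault = Vault()
    vault.create_account(EMAIL, PW)
    return vault.request_recovery(EMAIL, "guess", datetime(2024, 1, 1))


if __name__ == "__main__":
    print(lost_device_scenario())       # ('pending', '2fa-required', 'ok')
    print(stolen_password_scenario())   # ('pending', 'ok', '2fa-required')
```

Two orderings in `login` carry the security property: expiry is applied before the second-factor check, so a login at or after the deadline succeeds with email and master password alone; and an incomplete login (right password, no 2FA) does not cancel a pending recovery, otherwise the owner who lost the device would cancel their own recovery on every attempt. In the stolen-password scenario the owner’s ordinary day-2 login is what cancels the attacker’s request, which is the point made later in the thread about it being the user’s vault usage, not their email habits, that protects them.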
This seems very complicated and annoying
You can use Authy, which does cloud backup of your 2FA codes, so even if you lose your device you can still get hold of them.
A time delay seems very inconvenient
Authy is great, and this method doesn’t keep you from doing that.
This method is about replacing the recovery code, not 2FA itself. The recovery code comes into play when Authy or your 2FA device has failed you.
More here: Lost Two-step Login Device | Bitwarden Help & Support
Without your 2FA device or your recovery code, you’ll be locked out of your account forever which is far more inconvenient.
But you can export your Bitwarden to an encrypted Excel document if you want.
And if you store it on a USB and put that in a bank safety deposit box or home safe, then you will have a backup method even if Bitwarden fails.
Exporting the vault is hindsight and not everyone has that luxury.
For example, this user was locked out of his Bitwarden account because of 2FA. He too could have exported his vault beforehand, but life happens and now he’s locked out forever.
Here is another example. Can’t access his 2FA and doesn’t have his recovery code so now he’s locked out forever.
If we had the time delay recovery both of these users would have gotten back into their vaults.
You make a fair point. It should be an option I guess, but it should not be a default one. I would personally be very uncomfortable having this turned on as default.
Agreed, options are nice. I wish we had the option for no recovery at all, some people’s threat level is this serious.
But I think a time delay should be the default as it better protects the average user. The average user won’t write down their recovery code or will lose it.
A time delay can be considered more secure than the recovery code option because there is no code that can be guessed or stolen. You also have the added benefit of getting a warning email when going into recovery mode that someone knows your master password, and the very nature of the time delay buys you time, unlike the recovery code, which gets instant access.
Even Authy does a version of the time delay…
Notice: This process takes 48-72 hours; it cannot be rushed due to security protocols.
I actually think it should be the default for new users. People with a bit more technical skills can change it / turn it off / back up the recovery code / or whatever.
This could be an ideal system for people who are new to 2FA or even new to password managers.
I would normally be against such an idea but it kind of makes sense for a password manager. Backup codes make sense for email as I can put them in my password manager. Where do I store my backup codes for my password manager? In another password manager? I got a password manager so I would not have to remember so many passwords, so adding another one is not what I want. I could do it, but what about other people, will they have the foresight to back up their codes? How many people do back up their codes but end up losing them anyway? If I give a copy to family they’ll for sure lose it within a week. I could scatter the codes across the internet but that feels worse, and I could lose access to those codes if I don’t control the site. We can’t have security so strong it ends up keeping us out? I keep a lot of important things in my password manager and would be lost if I could not access it. I’d rather wait a week to get back into my vault than be forever locked out.
If there was a bad actor they would still need to know my email and master password, so it’s not easy to get into this recovery mode. Then they would have to wait and hope I don’t see the email or use Bitwarden. If I see that email I’m for sure changing my master password, which makes it even harder now for the bad actor. Maybe throw one of those overly hard captchas in and have a warning system inside the Bitwarden extension? I don’t know, it seems like a hard problem to solve?
I like this idea @dangostylver . Thank you for the suggestion.
Some concerns I have are what would we set the default wait time to? I feel like it would need to be somewhat long to satisfy all the “but what about” scenarios, such as someone being gone on an extended vacation and not having access to email to see the notifications and dispute the recovery. Since the default delay would need to be long, I am not sure how useful the feature will actually end up being to the average user that loses their 2FA device.
Some concerns I have are what would we set the default wait time to?
How about if the user could adjust it on his own?
I also like this idea and think it would help convert some users to actually using 2FA.
Clearly the default delay should be long. Let’s say one month. However, it would be good to give the user the opportunity to reduce that delay to 2 weeks, 1 week or even a day or two. It’s also important to be able to set the delay to more than that: 3, 6 or 12 months.
The default time is tricky. One option is to vary it depending on the user’s IP. Bitwarden already knows your last login IP address, and if you activate recovery from the same IP the time delay could be shorter (3 days?). If not the same IP, then we go to a longer duration?
Don’t forget that recovery mode is deactivated when a user logs in. So it would boil down to how often a user opens their Bitwarden vault and not how often they check their email. I don’t like tying email or a phone number to it because of phishing. The email is more of a “hey, someone knows your master password so you need to change it”.
An attacker would need to know your email address, master password, wait a week, have you miss the email, and/or you not log into Bitwarden account for things to fail. This is possible, but how likely? If the user deems this is possible for their threat level they can always pick a longer delay or the option for no recovery at all.
The more I think about it the more I feel the time delay should be an opt-in feature.
Make the recovery code the default but the user can also select time delay recovery and pick the days they want to wait in case they lose their recovery code. I drew a crude mock-up…
Similar to Google Advanced Protection, BW could have a similar option where the default is not to be so paranoid and enabling Advanced Protection is the most paranoid.
I guess it’s not only my IP that changes every 24 hours. And what about dial-in connections? Those change with every new connection.
How about if not only days, but also weeks, months and even years would be on offer? And it definitely would need a pop-up telling the user of the risks that come with it.
I figured a textbox where you enter days would be the best as you can enter how many days you want. So If you want 3 years you can enter 1,095 days (3*365).
Currently there’s a workaround for this if you have Bitwarden Premium.
You can create a second Bitwarden account without 2FA and give it Emergency Access with Takeover permission. I currently have it set to wait 7 days.
Yeah, this is what I ended up doing too. I still wish this was a feature and I didn’t have to create a second account. Even if the default was a 30 day wait I would take that over being locked out forever.
It’s like we need one more thing for this idea to work perfectly. Like a security question or something else to do or enter after entering your email or master password in recovery mode.