Replace the 2FA recovery code with a time delay

I also like this idea and think it would help convert some users to actually using 2FA.
Clearly the default delay should be long. Let’s say one month. However, it would be good to give the user the opportunity to reduce that delay to 2 weeks, 1 week or even a day or two. It’s also important to be able to set the delay to more than that: 3, 6 or 12 months.

Thanks!

The default time is tricky. One option is to vary it depending on the user’s IP. Bitwarden already knows your last login IP Address and if you activate recovery from the same IP the time delay could be shorter (3 days?). If not the same IP, then we go to a longer duration?

Don’t forget that recovery mode is deactivated when a user logs in. So it would boil down to how often a user opens their Bitwarden vault and not how often they check their email. I don’t like tying email or a phone number to it because of phishing. The email is more of a “hey, someone knows your master password so you need to change it”.

An attacker would need to know your email address, master password, wait a week, have you miss the email, and/or you not log into Bitwarden account for things to fail. This is possible, but how likely? If the user deems this is possible for their threat level they can always pick a longer delay or the option for no recovery at all.

2 Likes

The more I think about it the more I feel the time delay should be an opt-in feature.

Make the recovery code the default but the user can also select time delay recovery and pick the days they want to wait in case they lose their recovery code. I drew a crude mock-up…

3 Likes

Similar to Google Advanced Protection, BW could have a similar option where the default is not to be so paranoid and enabling Advanced Protection is the most paranoid.

I guess that not only my IP changes every 24 hours. And what about dial-in connections? Those ones change with every new connection.

1 Like

How about if not only days, but also weeks, months and even years would be on offer? And it definitely would need a pop-up telling the user of the risks that come with it.

I figured a textbox where you enter days would be the best as you can enter how many days you want. So if you want 3 years you can enter 1,095 days (3*365).

1 Like

Currently there’s a workaround for this if you have Bitwarden Premium.
You can create a second Bitwarden account without 2FA and give it Emergency Access with Takeover permission. I currently have it set to wait 7 days.

5 Likes

Yeah, this is what I ended up doing too. I still wish this was a feature and I didn’t have to create a second account. Even if the default was a 30 day wait I would take that over being locked out forever.

It’s like we need one more thing for this idea to work perfectly. Like a security question or something else to do or enter after entering your email or master password in recovery mode.

I don’t think an additional security question is necessary. The master password should be the only thing necessary to memorize. The master password should never be told to anyone or saved anywhere except in the account owner’s mind. Adding more things is just redundant and won’t really improve the security. The time delay will be enough to verify that it really is the account owner who is locked out.

I recently got locked out of my Google account because I removed SMS as a 2FA method on my Google account, but I was dumb and didn’t notice that I no longer had access to my TOTP codes because they were stored in Google Authenticator on an old phone that I had erased and sold, and I was also dumb because I hadn’t saved my recovery codes. The recovery process took a couple of days, and Google didn’t ask any more security questions after the wait time had elapsed. I just had to type in my password again, and then I was back in my account with all 2FA methods disabled.

However, there were some additional things that Google did to verify it was me. I had to initiate the recovery process on my phone, which I had previously used to login to my account, and I also had to provide an OTP that they sent to my recovery email address.

Unless the master password/passphrase is fairly short, or the person has very good memory, I think that is not advisable.

I have this information stored in several places, as I think that the risks of it being found that way are small compared to the risks of my forgetting/part remembering it. Been there, done that. This is a question of evaluating risks for oneself and deciding which approach is right for an individual.

2 Likes

The point is that I don’t think any additional security question is necessary, and neither does Google. I personally don’t recommend storing your master password anywhere. I don’t think it takes a particularly strong memory. The average person can memorize tons of things. It’s just a matter of repetition. I find that especially absurd or funny passphrases are very easy to remember. But anyway, this is getting off-topic.

I would not be opposed to adding some other form of recovery verification like a recovery phone number or email address that is used to send an OTP to initiate the recovery process and perhaps checking the IP address of the user against past login locations.

Using email or a phone number is not ideal for the recovery process due to phishing and you may not have either if you also lost your 2FA and backup code.

For me personally, entering your username, master password, and waiting 7 days is good enough for recovery. Just like with emergency access, the account owner gets an email every day to let them know they’re in account recovery. They’re logged out of all devices and logging in cancels the recovery process.

After the 7 days, 2FA is removed and the user still needs to know the username and master password to get in.

Maybe solving some “I’m not a robot” questions would be nice to have but I still don’t have a solid solution to Kyle’s extended vacation problem. There could be a case of someone with 2FA who doesn’t use their Bitwarden account for over a week and someone is trying to get into their account and the account owner misses all the warnings.

One idea is to make the time delay recovery only available on certain 2FA like TOTP and Email. The people that use U2F only have the recovery code as they want the most extreme security. And those that have TOTP or Email have both a time delay and recovery code option.
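To make the flow described above concrete (recovery started with the master password alone, all sessions revoked, a daily reminder email, any successful login cancelling it, 2FA dropped once the delay elapses), here is a small model of that state machine. This is an added illustration, not Bitwarden’s code; the account fields, the daily `tick()` job and the sample password are assumptions of the example, and it also plays out the edge case raised later in the thread where the owner has no second factor and so cannot cancel a recovery someone else started.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:  # hypothetical model of the account state
    master_password: str
    two_factor_enabled: bool = True
    recovery_delay: timedelta = timedelta(days=7)
    recovery_started: Optional[datetime] = None
    sessions: set = field(default_factory=set)
    notices: list = field(default_factory=list)  # stands in for emails sent

def start_recovery(acct: Account, password: str, now: datetime) -> bool:
    """Only the master password is needed; every device is logged out."""
    if password != acct.master_password:
        return False
    acct.recovery_started = now
    acct.sessions.clear()
    acct.notices.append((now, "recovery started"))
    return True

def login(acct: Account, password: str, has_2fa: bool, now: datetime) -> bool:
    """A normal login; while 2FA is on it still needs the second factor."""
    if password != acct.master_password or (acct.two_factor_enabled and not has_2fa):
        return False
    acct.sessions.add(now)
    if acct.recovery_started is not None:      # logging in cancels recovery
        acct.recovery_started = None
        acct.notices.append((now, "recovery cancelled"))
    return True

def tick(acct: Account, now: datetime) -> str:
    """Daily job: remind the owner, or remove 2FA once the delay has elapsed."""
    if acct.recovery_started is None:
        return "idle"
    if now - acct.recovery_started >= acct.recovery_delay:
        acct.two_factor_enabled, acct.recovery_started = False, None
        acct.notices.append((now, "2FA removed"))
        return "completed"
    acct.notices.append((now, "reminder: account in recovery"))
    return "pending"

def scenario(owner_cancels: bool, owner_has_2fa: bool = True, delay_days: int = 7):
    """Someone with the password starts recovery; the owner may try to log in on day 2."""
    acct = Account("correct horse battery staple", recovery_delay=timedelta(days=delay_days))
    t0 = datetime(2024, 1, 1)  # constructed timeline
    start_recovery(acct, acct.master_password, t0)
    state = "pending"
    for day in range(1, delay_days + 1):
        now = t0 + timedelta(days=day)
        if owner_cancels and day == 2:
            login(acct, acct.master_password, owner_has_2fa, now)
        state = tick(acct, now)
    return state, acct.two_factor_enabled, len(acct.notices)
```

Running `scenario(True)` ends idle with 2FA intact, `scenario(False)` ends with 2FA removed, and `scenario(True, owner_has_2fa=False)` shows the owner’s cancel attempt failing so the recovery completes anyway.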

An additional security question would also be vulnerable to phishing, and likewise, the master password is vulnerable to phishing, but since we are discussing how to add more methods of verification to initiate the recovery process, these are just suggestions.

I would expect Bitwarden to have a recovery process that is equal to or even stricter than Google’s. Currently, Bitwarden’s Emergency Access feature makes the account’s security weaker than Google because it doesn’t also check IP addresses. You could enable email 2FA verification on the secondary account though.

I do agree a security question is not a good solution either; the only reason I brought it up is that you may not have access to your phone or email as the passwords to both are in your password manager. But overall, yes, a security question is a bad idea.

This is a really hard problem to solve, that is for sure. As you’ve mentioned using emergency access seems to be the best solution we have. With emergency access I’m starting to wonder if this feature request should go on?

1 Like

Yes, the Emergency Access feature is sufficient for me, but I wish I didn’t need to use a separate account in order to accomplish it, and I wish that free accounts also had access to the feature. I think the account owner should be able to recover their own account with a time delay without having to pay money.

I really want my father to use Bitwarden, and I want him to use 2FA on his account because he is vulnerable to phishing, but I’m not confident that he will always have access to his TOTP, email, and recovery code on his free account, and so he may need another recovery option someday. He only needs very basic features of Bitwarden, so he doesn’t really want to pay for it, but Bitwarden is his best option.

I think Bitwarden will have a lot of these less tech-savvy users who don’t need the other paid features, but who need a way to recover their account if they make a terrible mistake with their 2FA and lose access.

1 Like

I think 7 days is plenty long enough as a default value. The longest time delay that I’ve ever seen with this feature was with Google, and they make you wait up to 5 business days.

When the user sets up their 2FA for the first time, the user could be prompted to set how long the time delay should be for account recovery or to disable the feature. The prompt should also educate the user about making sure to set an amount of time that is appropriate according to how often they check their email.

As a bonus feature, you could also add a button to disable account recovery for a selected number of days so that the user can press it before they go on vacation, and then they won’t have to worry about checking their email while they’re on vacation. Then if they lose their 2FA devices while they’re on vacation due to some accident (which is more likely during a vacation), they can still initiate an account recovery when their vacation is over.

I’m fairly new to BW, having migrated from using LP for many years.

I believe this is an intriguing proposal, but would definitely want it to be an optional feature, NOT a replacement for the Recovery Code.

There are edge cases (even if having low probability) where this concerns me. Suppose I lose my 2FA device(s) AND a bad actor gets my email address and somehow obtains my master password. Bad actor can initiate “recovery mode” and timer begins, but now I’m powerless to log in (not having my 2FA device) in order to cancel timer and change my master password.

Yes, I hear you about BW trying to leverage IP/trusted device knowledge to give me a shorter timer than bad actor, but maybe my ISP just gave me a new dynamic IP AND my only other trusted device was my laptop that died yesterday?? BW trusts me no more at this point than they do bad actor.

Best case is that I somehow find my 2FA device before the timer ends and have victory over bad actor.

Worst case is that bad actor is a bot that’s trying every X seconds to be the first one into my account, an effort that I’m likely not going to beat.

If I had been required to have a Recovery Code when enabling 2FA in the first place, and I was warned of how important it would be to print multiple copies to be stored at different locations (home + family/friend’s house, etc), then all I need to do is visit the special Recover Account page, log in using my master password and Recovery Code to cancel the timer, and quickly resolve this threat.

My take:

  1. Recovery Code is still necessary and should be the default.
  2. Obvious and Explicit warnings about how important it is to document the Recovery Code should be clear about the need to do so, and thus will be less likely ignored.
  3. There are practical ways to not lose your Recovery Code. Print multiple copies and store them at different locations/sites.
  4. If such a recovery timer is implemented as a replacement to the Recovery Code, there should be considerable thought into scenarios where a bad actor can make you wish you had something they didn’t!

In my case I can’t log in to my vault because I uninstalled the authenticator app and cannot use the two-step login because it is a snake biting its tail thing: I need the authenticator to log in and need to first log in to be able to use the authenticator app… And because I cannot export shared passwords from the extension I have to copy each one manually… I know the system is supposed to be safe but not so safe that it is not practical… Or your passwords are so safe that not even you can access them… Please fix these issues as opt-ins, delays, whatever!

@Cinha - Sorry to hear you locked yourself out of your account. But there is still another way - when you set up your two-step login you would have been prompted to download your recovery code. You can just use that now to log in instead of using the authenticator app, and then you can go in and disable two-step login or set up a new 2FA mechanism.

If you ignored the prompt to save the recovery code, and you ignored the warnings that you would not be able to get into your account if you lost access to your 2FA device, then there isn’t much to do. But please don’t blame Bitwarden if this was your choice.