Allow a user to set restricted IP ranges that can log into their account. I’m not sure if this is a just a false sense of security though, since an attacker can and most likely will be spoofing their IP through some other route.
original requestor here - These sorts of geo-ip address blocklists actively monitor such things as TOR exit nodes and proxy companies. Realistically, if the code is secure otherwise, I’m not as concerned with some sophisticated adversary then as much as the every day scenarios. If I log in at a hotel while I’m on vacation I can’t terminate that lingering session nor restrict access from that country when I return home.
This is such a low-cost improvement and implementation and help with some of the most common scenarios.
from original request:
I really like Lastpass’ feature to restrict logins to only certain countries on an allowed list.
I see MaxMind free location tables https://www.maxmind.com used a lot for this though I’m sure there are probably others out there.
The only time I allow any other country might be if I’m on vacation and I definitely block all TOR login access.
This combined with an ability to proxy traffic (via SSH or something) would be a game changer.
I would only allow my home IP and an IP of some server that I own and to which I could connect with my phone. It would thus reduce the attack surface to my physical circle, I would no longer have to worry about keyloggers or malware on my pc stealing my passwords because attacker would not be able to login anyway (unless he proxies through my pc).
I don’t know how much I like the idea of totally blocking someone via geo-restrictions or proxy restrictions. At the very least, though, maybe there could be an additional challenge when logging in from either a higher-risk or sufficiently different location (e.g. a different IP, an IP a certain number of miles away from my last recorded IP, etc). This could be as simple as master password and MFA, plus an additional random PIN being sent to an email that needs to be entered to log in.
I agree with this one, it is one more defense to put in place. It would at least force an attacker to come from a country/region that has been allowed by the vault owner before being able to try to brute force credentials.
@kspearrin you could use http://iplists.firehol.org to allow users to optionally block access from IP in some of the lists in addition to GEO IP.
Even if it’s not blocking it could be just sent an alert email, so for someone based in France it could be interesting to know that someone is logging or trying to (fail logs) from china, US or from an IP in some of the block lists (TOR, suspicious IP, etc.)
I’m looking for this feature as well. I keep getting notifications that someone is attempting to brute force my account. While it will not prevent it, unless the attacker knows where I live it will prevent them from trying to brute force my account.
Sorry if this has already been requested but I’ve only been able to find threads about whitelisting devices.
It’d be awesome if we could implement trusted locations to autoblock certain countries. I’ve gotten a few notifications of failed login attempts from blatant VPN locations (Martinique, Burkina Faso, Seychelles) and I’d like to either whitelist certain IP ranges or just block entire regions. Stuff that it considered standard for cloud tenants but… well, Bitwarden is obviously a huge vulnerable weakpoint if all hell breaks out.
We would like to use BitWarden, but we would like to be able to limit what IPs are able to log in to our organisation. So we would have X users, and those users would have to connect to our company VPN before being able to log into Bitwarden.
This whitelist would apply to a user or role, not the organisation as a whole. IE Non Admins can only access from a whitelist of X addresses, but Admins can access from Y Addresses.
Limit where users can log in from.
Allow us extra security in that not one of our office staff should be logging into our company account from anywhere but the office, we don’t have remote staff and don’t need to allow them.
Related topics + references
There is a similar feature request for locking down what countries can access the account, but we only want to allow specific IPs, at our disgression,
LastPass, Zoho, ManageEngine all have this feature already, it’s fairly common security practice to limit what IPs can access a resource.
Once U2F is implemented, blocking of any kind becomes moot. The only thing your password serves is to encrypt your vault because you shouldn’t trust BW. You know what I mean. zero-knowledge E2EE and all that.