Restrict account access to certain countries/IP ranges

Nor does it mean it is unwise. Can you think of any serious downsides to providing this? A false sense of security perhaps? That’s a bit tenuous. I cannot imagine many users thinking “Oh good, now we’ve got geo-blocking I don’t need to bother with a strong master password”, can you?

Geo-blocking would be a good thing. We can debate just how good. But I don’t think we can say it would be a bad thing.

4 Likes

It is a bad thing if it diverts limited resources from the BW development team that might have created useful features that the majority of users could benefit from. Also, clearly the development strategy of competitors like LastPass, which has filled their software with all sorts of features - big and small - has led to a very expensive product. You have to pay for the development time somehow. I would much rather have a lean but capable product for a reasonable price than a bloated product full of features I am unlikely to need at a much greater cost (in fact, that’s why I moved from a LastPass subscription to BW).

7 Likes

This is just part of an ongoing defense in depth strategy. While I agree we shouldn’t divert development cycles from important features, I think anything that can be a security-related feature should be prioritized more than, say, something like adding theming.

I’d like to see this be expanded on though and not just looked at from a Geo-IP block scenario, but also from an MFA standpoint. Provide the option of saying, you need a username, password, correct geographic location, hardware key, PIN, and TOTP code. Or just state you need 4 of the 6. I think this could roll into a passwordless strategy also.

4 Likes

@ElKabong I agree with you. Of course this would not prevent determined attacks from skilled attackers. But most hacks are not that. They are speculative attempts from unskilled criminals just trying their luck with a load of usernames and passwords they got off the dark web. I get dozens of such hack attempts into my hotmail account from all over the globe every week. (Never have the hackers bothered to spoof their real location… unless of course they are in the US, pretending to be in Vietnam or China or Indonesia etc., which would seem unlikely!)

So these speculative hack attempts would be trapped, with the user getting an alert and an urgent warning that their master password may have been compromised, before any damage is done.

I do also agree with David H however that BW should of course prioritise important developments. Personally I regard all security enhancements as important however.

> The security marketing benefits are clearly substantial when so many companies have adopted these policies.

GeoIP only worked for IPV4 addresses, which are technically exhausted. Addresses from other geolocations are being pressed into use elsewhere. Companies are having to abandon the geofence when more cross-border IP use occurs. IPV6 addresses do not have this problem of cross-border usage; there is no concept of GeoIP with IPV6 addresses as designed. The move is away from IPV4 toward IPV6, and therefore from GeoIP to worldwide IP. This is happening now. I see no benefit investing resources in something vaguely beneficial which is becoming less beneficial.

3 Likes

With so much mention of VPN to bypass GeoIP blocking and the counter-block of VPN/TOR/proxies as well, I have to weigh in there. First of all, the blocking of any of these could be implemented with largely the same code and using different data points representing GeoIP/VPN/TOR/proxies, so the feature request sort of covers them all. For someone bent on illegally logging into someone’s password vault, all such blocking can be defeated without much effort or traceability, yes even by the so-called script kiddie.

I must use a VPN for security (I could not care less where I appear to come from). I travel within the US for work and have to use untrusted networks for internet access. I choose a VPN endpoint for performance not for location. I could be in OH but appear to be from IL or WV/DC or TX/TX or TN/NC. I have run into problems when security assumptions have been made by non-security savvy decision makers specifically in regards to VPN or GeoIP and blocking.

Most large ISPs and cellphone carriers have examined customer traffic and DNS queries to monetize the data for the targeted ad industry. If you value your privacy you too should view VPNs as a privacy/security tool as they were originally intended and not a piracy/hacking tool.

1 Like

So are you also saying that industry standards are meaningless? For the most part, lots of companies do the same thing because it’s tried, true, and it would be a disservice to their customers if they didn’t adhere to industry standards.

This is like saying “just because most companies allow 2FA does not mean 2FA is good!”

It’s just a weak argument.

Exactly. It’s like saying SMS verification is no better than just using a password because a hijacker could social engineer your number away from you. It’s certainly possible, but it’s unlikely, so SMS verification is still a hurdle to cross, even if it is weaker than say, using a FIDO2 key.

Geoblocking is not at all resource intensive. It’s actually a minor feature compared to other features we’ve asked for.

I disagree - adding any significant new feature will consume development resources. With all the great suggestions out there to improve Bitwarden, I just don’t want to see any of those get delayed or overlooked so that features with negligible value are pursued by the development team instead.

I might change my opinion if someone could suggest a realistic scenario where GeoIP blocking would be useful. As I have stated previously, as long as you are using a strong and unique password, it is hard to imagine how GeoIP blocking would be a benefit (unless of course you are self-hosting on an insecure server, in which case you have a lot bigger problems to worry about).

Even if you’re using a bad master password geo-blocking won’t stop the attacker. It may slow them down but not by much. It would be a matter of being hacked now vs. hacked 3 minutes from now.

I too don’t see the benefit unless Bitwarden has implemented all the other feature requests and looking for something new to add. A user is better off adding 2FA to their account instead of geo-blocking.

Edit: There was a user who got 645 emails from Bitwarden in under a minute. With there being 195 countries, going through all possibilities is not hard as there is no rate limiting. With this fact, I don’t see the point of geo-blocking. At least with TOTP 2FA, you have 1 million combinations that change every 30 seconds.

GeoIP block is something which can be added as an option at the time of sign-up and easily enabled for all users. 2FA is something that users need to go and enable.

Not all users are tech savvy, most people aren’t even aware of the existence of 2FA’s, much less how to enable and use them. GeoIP based blocking doesn’t need the user to understand the technicalities. It can be a simple question “Would you like to restrict login to your country of residence? (You can change this option later)” That’s it, done. If the user says yes, enable it, if they say no, don’t enable it.

Also, in the entire conversation, I don’t see anyone asking for the removal of 2FA to implement GeoIP; no one said it’s an either-or scenario. In fact, it’s been repeatedly stressed by people that it would be an additional layer of security, not an alternative to your password or TOTP/Yubikey.

Speaking of which, Yubikeys are quite expensive for many people. For instance, where I live, a Yubikey costs half my phone’s price. And given it’s so small and easy to lose, and that I can’t afford to have multiple of them, I wouldn’t want to rely on them at all.

The problem is that most users here are tech-savvy users from the US and Europe, and they only think from their own perspective. Whatever doesn’t help them is not worth implementing. This is a very common trait in techies: they can either go out and dumb things down completely or keep it complicated. There is no middle ground where less tech-savvy users can also benefit to some extent from the choices available to them.

But why not. You wrote down your password in a diary because someone told you to use a long password for your password manager and you didn’t trust yourself to remember it. So of course you deserve to lose access to all your accounts now.

You misunderstand what I’m saying.

No one ever said to get rid of 2FA. I say 2FA is more effective than geo-blocking so go with that instead. Also, most 2FA is free like TOTP.

It’s not about users being tech-savvy or not. It’s about doing what’s best for everyone no matter their skill level.

I’ve given a link to a user who had his account logged into 645 times in under a minute. With there only being 195 countries it’s clear that an attacker can run through all the countries in under a minute thus geo-blocking offers no real protection.

I’m for the non-techy user because the non-techy user would not understand this and could even lower their overall security because the “bad” countries who do “most of the hacking” can’t get in.

Unless I’m missing something, I don’t see the need to add something that could make things worse for users (especially non-techy users) or doesn’t offer any better protection than a better master password or adding 2FA.

3 Likes

I think maybe you’re just a bit out of touch. I get loads of attempted hacks of my MS email account every week, maybe more. Every single one of them comes from outside the UK and is tracked as such, and blocked, by MS. Of course these criminals could use a VPN and try to mask their real location, but for whatever reason, they do not. Maybe it’s because they don’t know what country I am in.

Anyway, ALL such hacking attempts on my BW account would be stopped by geo-blocking, whereas as it stands none of them would be. Now if you cannot see the benefit in that, I really don’t know what to say.

2 Likes

Errr, no. I have not said that.

Whether an “industry standard” is useless or not depends on the particular “standard” one is discussing.

If anything, this tells me that Bitwarden is not doing enough to protect their users since there’s no rate-limiting, and if they don’t care about that, why would they care about Geoblocking?

Do you realize how worrying this is? Geo-blocking is not the big issue anymore. The lack of rate-limiting is now the issue that needs to be dealt with first. This is how so many people got their iClouds hacked in 2014, because Apple did no rate-limiting at all out of convenience.

We need to get Bitwarden to do rate-limiting first, and THEN ask for Geo-blocking.

1 Like
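The ordering the last few posts argue about, as an added example that is not Bitwarden code and not from any poster: a per-account rate limit is checked first, an opt-in country allowlist second, and a blocked foreign attempt is recorded so the user can be alerted. The GeoIP table (built on RFC 5737 documentation ranges), the `LoginGate` class and `run_attempts` are constructed for illustration; a real service would consult a GeoIP database and still verify the password after the gate passes.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed GeoIP table: documentation ranges mapped to invented countries.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}

def lookup_country(ip: str):
    """Return the country code for an IP, or None when unknown (e.g. IPv6 here)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None

class LoginGate:
    """Sliding-window rate limit per account, then an optional country allowlist."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.attempts = defaultdict(deque)  # account -> timestamps of counted attempts
        self.alerts = []                    # (account, country) the user should be told about

    def evaluate(self, account, ip, now, allowed_countries=None):
        window = self.attempts[account]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()                # forget attempts older than the window
        if len(window) >= self.max_attempts:
            return "rate_limited"           # a guessing loop is cut off here, country or not
        window.append(now)
        country = lookup_country(ip)
        if allowed_countries is not None and country not in allowed_countries:
            self.alerts.append((account, country))
            return "geo_blocked"            # caller sends the "possible compromise" alert
        return "allowed"                    # gate passed; password check still follows

def run_attempts(gate, account, ips, allowed_countries, interval=0.1):
    """Replay a burst of attempts, one every `interval` seconds; return the decisions."""
    return [gate.evaluate(account, ip, i * interval, allowed_countries)
            for i, ip in enumerate(ips)]
```

With a generous limit the burst still reaches an allowed country on the sixth try, which is the point made about 195 countries and no rate limiting; with the limit in place the allowlisted country is never even evaluated.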

Both wrong. Users just need to start taking responsibility for their own security and adopt complex and unique passwords. Keepasser provided a good article that very clearly states how users need to employ complex, unique passwords, and then other security features, such as rate-limiting or GeoIP restrictions are not needed.

If you are already using a complex, unique password for Bitwarden and you protect it with reasonable caution, GeoIP restrictions provide negligible benefits. It’s merely a gimmick by other companies to give you that false sense of security to make you feel good. Focus on what matters if you are serious about the security of your personal information.

4 Likes

No-one is suggesting geo-blocking as a substitute for poor passwords. Surprising you cannot seem to grasp this.

Even an excellent password combined with 2FA is still vulnerable to MITM attacks. A simple phishing email with a fake BW login address, and if you’re on Android and limited to OTP for 2FA, then the hacker is easily in. Geo-blocking represents just another hurdle for the attacker.

You just saying you’re wrong all the time does not make your opinion correct.

2 Likes

Geo-blocking would not help in this situation either. The man in the middle will know your location when you connect to them and will adjust their location output to be in the same country as you before connecting to Bitwarden.

Fair point. More of an argument for the necessity of U2F or WebAuthn support - something I have been banging on about for ages.

1 Like

Of course, but that doesn’t absolve a company of good business practices like rate-limiting. What does a company benefit from allowing anybody to log in to their servers hundreds of times in a matter of seconds? Do you think every user is a perfect security-minded person who is going to do everything to protect their account?

Sure, but nothing can stop bad common sense from a user. That’s almost as bad as having the user’s machines be compromised. Geoblocking is more for the most common types of attacks where the user isn’t being duped into clicking something they shouldn’t.

Or a complete redo of the OTP standard (or something newer and better) so that every user is totally protected for free.

1 Like

Coming from LastPass, they don’t tell you why it was blocked (or that it was blocked). They just say password is invalid. Separately they send you an email.

1 Like