Security update - new device verification coming February 2025

Starting February 2025, Bitwarden will add an extra layer of security for users who do not have two-step login or SSO via an organization. When logging in on a new device, like a new phone or computer, you’ll need to enter a verification code sent to your account email. This will only apply to new devices – if you are logging into a mobile app or browser extension that you have used before, you will not be prompted for this code.

This additional verification protects your Bitwarden account from unauthorized access. If someone obtains your password, they won’t be able to log into your account without the secondary verification code sent to your email, helping to safeguard your data from potential hackers. Users affected by this change will see the following in-product communication and should have received an email.

Most users will not experience this prompt unless they are frequently logging into new devices. This verification is only needed for new devices or after clearing browser cookies.

If you regularly access your email, retrieving the verification codes should be straightforward. If you prefer not to rely on your Bitwarden account email for verification, you can set up two-step login through an Authenticator app, a hardware key, or two-step login via a different email.

Read the FAQ

Learn more about New Device Login Protection, including who is excluded.

Bitwarden Authenticator

Looking for somewhere outside of Bitwarden Password Manager to store your TOTP codes? Bitwarden offers a standalone app that generates and stores all your two-step verification tokens so you stay more secure.

Additional Resources

For more on Bitwarden account security, check out the Blog Post and Security Readiness Kit.
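The announcement above describes the flow from the user's side: a returning device is recognized, a new device (or one whose cookies were cleared) must present a one-time code delivered to the account email. The following is an added illustration of how such a flow is typically built, written for this page; it is not Bitwarden's code and makes several assumptions that are labelled in the comments: the returning device is recognized by an opaque token the client keeps (for example in a cookie), the server stores only an HMAC of that token and of the emailed code, codes expire after a fixed time, and a challenge is abandoned after a bounded number of wrong guesses. Email delivery is simulated with an in-memory outbox so the example runs offline.

```python
"""Illustrative new-device verification with an emailed one-time code.

Added example, not Bitwarden's implementation. Assumptions:
  - password verification happens elsewhere and is passed in as a boolean;
  - a trusted device presents an opaque token (e.g. from a cookie); the server
    keeps only an HMAC of it, so a database leak does not yield usable tokens;
  - the emailed code is stored as an HMAC as well and compared in constant time;
  - codes expire after CODE_TTL_SECONDS and a challenge is discarded after
    MAX_ATTEMPTS wrong guesses.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5             # assumed guess budget per challenge


class VerificationService:
    def __init__(self, key=None, clock=time.time):
        # key would be a persisted server secret in a real deployment
        self.key = key or secrets.token_bytes(32)
        self.clock = clock
        self.pending = {}          # challenge_id -> challenge state
        self.known_devices = set()  # HMACs of trusted device tokens
        self.outbox = []           # simulated email delivery: (address, code)

    def _mac(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def login(self, email, password_ok, device_token=None):
        """Returns ('ok', token) for a trusted device, ('verify', challenge_id)
        when an emailed code is required, or ('denied', None)."""
        if not password_ok:
            return ("denied", None)
        if device_token and self._mac(device_token) in self.known_devices:
            return ("ok", device_token)       # returning device: no prompt
        code = f"{secrets.randbelow(10**8):08d}"   # 8-digit one-time code
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = {
            "email": email,
            "code_mac": self._mac(code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((email, code))     # stands in for sending the email
        return ("verify", challenge_id)

    def verify(self, challenge_id, submitted_code):
        """Checks the emailed code. On success the device becomes trusted and
        receives a fresh token to keep; on failure the challenge state is
        updated so expired or exhausted challenges cannot be retried."""
        ch = self.pending.get(challenge_id)
        if ch is None:
            return ("denied", None)
        if self.clock() > ch["expires"]:
            del self.pending[challenge_id]
            return ("expired", None)
        ch["attempts"] += 1
        if ch["attempts"] > MAX_ATTEMPTS:
            del self.pending[challenge_id]
            return ("locked", None)
        if not hmac.compare_digest(ch["code_mac"], self._mac(submitted_code)):
            return ("denied", None)
        del self.pending[challenge_id]        # code is single-use
        token = secrets.token_urlsafe(32)
        self.known_devices.add(self._mac(token))
        return ("ok", token)


if __name__ == "__main__":
    svc = VerificationService()
    status, cid = svc.login("user@example.com", True)      # new device
    address, code = svc.outbox[-1]                          # "read" the email
    status, token = svc.verify(cid, code)
    print(status, svc.login("user@example.com", True, token)[0])
```

The pieces a practitioner would check against any real implementation are the ones the thread goes on to argue about: a device that has lost its token (cleared cookies, new browser) falls back to the email path, so the email account itself must be reachable without the vault, which is exactly the lock-out scenario raised below.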

“Security” – why does everything have to be more and more complicated? Purposely making it less secure while calling it “Security”. There is definitely a hidden agenda behind this, as it makes it less secure since now it relies on email.

4 Likes

Hi @artush, have a look at the linked article, you can use any of the available 2FA methods rather than email.

1 Like

I have multiple bitwarden accounts used for different purposes. Having to constantly verify each time I log in significantly takes away from the experience. It’s like the chicken and the egg problem. Now I have to find a different way to get access to the account, which creates an extra level of complexity.

1 Like

Hi @artush you can keep your account in a locked state rather than logging in from scratch each time. This change only applies when logging in from a new device or when deleting your browser cookies.

Accounts without 2FA are extremely susceptible to password spray attacks, as malicious actors on the web use exposed passwords to enter accounts.

Yes I constantly delete browser cookies. I have scheduled sends of the password giving myself access to certain bitwarden accounts at different parts of the week and for different purposes. Email isn’t even encrypted.

1 Like

I personally just use a Yubikey which is very seamless, but again, as mentioned above, email is optional, and there are encrypted providers out there, such as Proton, Tuta etc…

1 Like

Sounds like you have a pretty complicated setup there. This change is being implemented to add security for more typical users who might not understand the benefits of 2FA or the risks associated with re-using a password.

Bitwarden will be implementing options for users who want to opt-out of this additional account protection, although this is of course not recommended.

3 Likes

To login to my email I need the username, password, and 2FA code. All of these are stored within Bitwarden.

From February, I cannot login to Bitwarden without a 2FA code by email. And I cannot login to email without the password and 2FA code from Bitwarden. This has created a scenario where I am completely locked out of everything!

And before we talk about a 2FA app, like Google Authenticator: I don’t want this; that’s why I use Bitwarden in the first place. Also, what happens when I don’t have my phone, or it’s been stolen? Again, I am completely locked out of everything!

This is a really bad update, and sadly one which will result in termination of my membership and accounts.

5 Likes

Hi @ukandy, regardless of the password manager you use, you should always have a copy of your password and 2FA outside of the app you’re authenticating into, to avoid a lock-out scenario.

We provide both a recovery code option, and several two-step login alternatives, such as Authenticator app, hardware key, or two-step login via a different email. Paid plans also allow you to designate and manage trusted emergency contacts.

Also worth noting, Bitwarden Authenticator is a separate app where you can store your TOTP codes outside of the Bitwarden Password Manager app.

It’s also possible to store passkeys to log in to your Bitwarden account on multiple Yubikeys (protected by a PIN, which wipes the key after x failed attempts), which allows you to decrypt your vault in Chrome browsers.

Additional resources here:

Hey, I didn’t know such an “emergency sheet” exists. :+1: I have one suggestion, though: since password-protected exports are recommended - and one probably sets up a dedicated “export password” for all vault exports (and those exports are also for “emergency situations”) - there should be an additional field for a Bitwarden “password-protected-exports”-password. (also @RyanL )

1 Like

So basically I have to carry the recovery code everywhere I go to get around the 2FA problem if my device isn’t with me, or it’s stolen? That doesn’t sound very secure at all.

This should have been an optional feature, so I think you have made a huge mistake here. I will be finding an alternative this afternoon and migrating my passwords.

@ukandy We’ll be adding the ability to opt out.

2 Likes

Before this roll-out in February?

2 Likes

Exports and such typically require more detail, like where the file is, what application to decrypt and such - that info can go in the Other details section.

As I think was mentioned, you can set up multiple 2FA methods. I have my phone and also my Yubikey. It’s never any issue for me.

Also bear in mind that if someone steals your hardware key, it’s useless to them unless they also have your Master Password.

That’s correct.

This is the same problem as not remembering your master password (which happens surprisingly often). The solution is to keep an emergency kit (which includes the recovery code) in a secure location. And if travelling, one can always phone their emergency contact and give them instructions for finding and faxing the emergency kit to you.

I think this is unwise. I would much rather that Bitwarden allow the code to be sent to multiple email addresses, so one could prevent lockout by including their “backup” email, their spouse’s email, etc.

4 Likes