Security update - new device verification coming February 2025

Thank you for clarifying your situation. When the “New Device Verification” feature was previously announced, Bitwarden reps hinted at the possibility that it would be possible to resolve new device verification issues (caused by lack of access to email) by contacting Customer Support.

Perhaps @dwbit or @Micah_Edelblut can elaborate on this, and clarify whether this option would be a potential solution for users who do not have access to their email account.

1 Like

Users who are locked out by this new security measure are encouraged to contact customer support.

2 Likes

Thank you both for clarifying this. I hope you have a good day.

… what they would have to do with another email address than their Bitwarden email, as the problem here was that they don’t have access to their Bitwarden email… :thinking:

1 Like

Hi - my wife and I share one Vault in Bitwarden, with a very long master password. That Bitwarden “account” login is my primary email address, so when this goes into effect, my wife (and I) have the potential to be locked out if we don’t know the login credentials to my gmail account. Or to an Authy or other TOTP account (which is too complex for her to deal with). My wife, obviously, is very unhappy about this. What would help us is to have the ability to specify a 2nd email address, so that both email addresses get a code that can be used to do the new-device 2FA. Then I only have to convince my wife to put access to her email on her phone.

I suspect we’ll end up opting out of this new ‘feature’ until such an improvement is made. Shame, because I fully understand the benefit of 2FA on Master Password login. But…the old adage “Happy Wife = Happy Life” applies here in spades.

@Graygeek Just as an FYI, Bitwarden’s Terms of Service do not allow for the same Bitwarden account to be shared by more than one individual. The proper way to share credentials is to set up a so-called “Organization Vault” (which you can do from your current account, at no extra cost). Your wife would then need her own Bitwarden account, which you can join to the “organization”. If your wife has her own Bitwarden account, she can use her own email address for receiving verification codes.

If you need assistance, I would suggest posting a new topic in the Ask the Community forum.

Although we might be able to come up with a way to fix this in a year, I would take a more immediate approach to fix the problem “now”, before fewer recovery options are available. — Contact a trusted friend or family member, explain to them where the paper is and have them fax/send it to you.

Once you get in, create an export/backup (password protected JSON is best) onto a flash drive and then change your email to something that will work long-term. And after that, set up TOTP, saving its secret key on your recovery kit.

I “clicked off” (didn’t choose an option, ignored the pop up and had it go away, I think through regular browsing, or eventually closing my window) that notification thinking it would come up again so I could deal with it later. But even after logging out and logging back in I’m not getting that pop up again.

I used to have access to my email outside Bitwarden. Then Google required me to change the password, so I generated one with Bitwarden and it’s the only place I have it stored.

I’d rather not make a new email account just for Bitwarden, but I guess I will if I’m forced to. What were the instructions if you clicked that you don’t have access? I’m reading from the thread that there’s going to be a way to opt out? But it seems like that can only be done after the change?

Is there a way to opt out NOW? Because as it is, there is a very high risk of me being locked out.

Even if I’m forced to make a new email for this, right now, in the UI (the browser extension I’m using) I can’t find a way to change my email…

What do?

right now, in the UI (the browser extension I’m using) I can’t find a way to change my email…

You need to use the Web vault to change your email address:

https://vault.bitwarden.com/

Having an email password saved in Bitwarden isn’t necessarily a bad thing here. If you are regularly logged into that email account, you should have no trouble fetching these verification codes when logging into Bitwarden on a new device. If you also want to change your email, you can do that in the web app.

To avoid lockout, you may want to write that email password down on the same sheet of paper where you save your Bitwarden password, just in case you lose all your logged in devices.

You could, instead, set up two-step login using whatever method you prefer. In this case, writing down your recovery code in the same place you have your Bitwarden master password written down should be sufficient to prevent lockout.

Hi Den, thanks for your reply.

Absolutely, in an ideal world, this is what I would have done and wouldn’t even need to speak here. But unfortunately I cannot do that :frowning:

I’m going to be honest: back when this was announced a few months ago, I told a friend of mine about this and he wasn’t very pleased, as it would make it significantly harder for him to log into his Bitwarden account if he lost access to his devices and needed to bootstrap from scratch. He ended up just using Ente Auth to store his Bitwarden TOTP seed and used the same password for his Ente account, thus being able to indirectly achieve single-factor authentication that way.

As such, I’m glad that the Bitwarden team reconsidered forcing device verification when 2FA is disabled and is allowing users to opt-out.

Just my opinion, but using a password manager to ensure strong passwords, but not using 2FA to secure all of those nice, valuable passwords, doesn’t make any sense to me. If someone is worried about not being able to access their email password, then store that on your Emergency Sheet. But don’t forego 2FA for your vault, the most precious “golden nugget” of all for hackers to steal.

1 Like

That counts as two-factor. Your friend’s password is “something you know” and his TOTP secret key is “something you have”. He is not gaming the system; he properly upped his game.

I don’t follow your line of reasoning. Your friend was easily able to improve his security posture so that replay attacks are no longer effective and at the same time eliminate the common concerns surrounding this upcoming change. I would think that one would be glad for his accomplishment and want everyone to follow in his footsteps.

1 Like

I wouldn’t say so, especially when he specifically set his Ente account password to be the same as his Bitwarden master password. Now he only needs to know one thing to be able to log into his Bitwarden account again.

I do have to admit that that is indeed true to an extent, but if the attacker knows he uses the same password for both services, then it’s still game over if they crack the password or phish the password out of him. Maybe if he used a different password for Ente, then it would be more in spirit with the device verification change?

Everybody’s got different operational requirements at the end. If one wants to be able to bootstrap their access from just a fresh low end Android phone in another country, then let them do things like turning off 2FA. The fact that the Bitwarden team is going to make it opt-in by default with an option to opt-out strikes a good balance, I’d say, so that those who really dislike it will turn it off while those who are ambivalent about it will keep it on and get some improvements in their security posture.

Yes, he only needs to know one thing, but he also has to have the TOTP code, hence it is still MFA.

Even if he had no password on his Ente account, the TOTP contained within is still considered “something you have”. And, coupled with the “something you know” password on his Bitwarden account, he has two different factors protecting his Bitwarden account.

Here is a definition from an authoritative source that may help:

An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.

That said, you are correct that it is a better practice to use unique passwords for everything, but if sharing a password between Bitwarden and Ente is what it takes to get your friend to use TOTP, there is still a big win in his security posture. This is an example of “not letting perfect become the enemy of better”.

It is important to realize that the primary goal behind TOTP is not about a longer password or bifurcating the password. The thing TOTP excels at is protecting against an eavesdropper. If someone were to watch you type your credentials, it would not work when they tried to use them, because the TOTP code is only good for 30 seconds (plus they can only be used once).
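The replay property described in the post above (a code valid for one 30-second step and usable only once), as an added example that is not from this thread or from Bitwarden: an RFC 6238 TOTP generator plus a server-side verifier that remembers the last accepted time step, so a code an eavesdropper captured fails when replayed. The secret and timestamps are constructed values; the 8-digit check uses the RFC 6238 test vector.

```python
import hmac, hashlib, struct

# Constructed demo secret (the RFC 6238 Appendix B test key), not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP = 30       # seconds per time step
DIGITS = 6

def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian 8-byte step counter, then dynamic truncation."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class TotpVerifier:
    """Server side: accept the current step (plus/minus skew for clock drift) but never a
    step at or below the last one consumed, which is what makes an eavesdropped code useless."""
    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_used_step = -1   # highest step counter accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue           # already consumed (or older): reject as a replay
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False

def replay_demo():
    """Eavesdropper scenario: the real login succeeds, the replay in the same 30-second window
    fails, the stale code fails again later, and the user's next fresh code still works."""
    v = TotpVerifier(DEMO_SECRET)
    t0 = 1_700_000_000                   # constructed timestamp (20 s into its step)
    code = totp(DEMO_SECRET, t0)
    first = v.verify(code, t0)           # legitimate user
    replay = v.verify(code, t0 + 5)      # observer replays the same code 5 s later
    stale = v.verify(code, t0 + 120)     # and again two minutes later
    fresh = v.verify(totp(DEMO_SECRET, t0 + 120), t0 + 120)
    return first, replay, stale, fresh   # -> (True, False, False, True)
```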

All right, third time’s the charm hopefully? I am so sorry if I’m flooding your notifications this way, but I just want to make sure the replies chain isn’t broken.
EDIT: nope, it’s not linking. Never mind.

I tried to send a reply to your message, but somehow, the reply chain got broken. I deleted the message and tried again, but it’s being rejected for looking too similar to the previous message I deleted. Hopefully this preamble is enough to work around that…

For Ente, though, the fact is that you can log into your Ente account from any device (or even the website itself: https://auth.ente.io) and pull up your TOTP codes that way, which is why I viewed it as effectively turning it into “something you know” as a result. Then again, for device verification, someone could just set up an email account with a provider that doesn’t require 2FA and set their login password to be the same as their Bitwarden master password too, which has a high possibility of being an even worse setup.

I could definitely go on and on about nitpicking about when something no longer qualifies as “something you have” and crosses into the “something you know” territory. However, it would probably be unproductive to do so, because one could claim that 2FA backup codes can be memorized and thus cross into “something you know” territory, but many would not agree with that sentiment. Or even sillier, claim that TOTP crosses into “something you know” territory because you can memorize the TOTP seed.

Now that, I can agree with definitely. It really just comes down to what your threat model is. If one really needs multifactor authentication and needs one of the factors to strictly adhere to the “something you have” rule as much as possible, they’d get a Yubikey or something and ensure that recovery codes can’t be used to recover access to the account if their Yubikey is destroyed. For the case of my friend, he did not want to use multifactor authentication, and found a way to be able to remove the “something you have” rule from his setup, but along the way, he ended up gaining eavesdropping protection while out in public, haha.

1 Like

Average User Here: KISS method is what I liked about Bitwarden. Remember one very complicated password, instead of hundreds of simple ones.

I use a VPN, so every time I close my browser I’m going to need to remember my email username, email password and email 2FA, through my email…oye

You guys have a great product, but let’s not re-invent the wheel here. At least have the option to opt out.

Can I please confirm that this won’t add an extra 2FA step for enterprise users logging in with SSO? We enforce 2FA in our IdP and don’t need this enforced by Bitwarden.