I don’t know if I am doing something wrong but why am I getting asked to enable 2FA email on my account if I have Duo enabled on my account from my organizational policies?
Thanks, what I wanted to hear.

You can somewhat prevent the loss of the authenticator app, when you store the TOTP seed code e.g. on your emergency sheet. With that seed code (or secret key), you can set up your TOTP with any authenticator app again, at any time.
(and you still should have your 2FA recovery code on your emergency sheet…)
As long as you don’t deactivate 2FA - and don’t activate it again directly - then losing “email access” shouldn’t be relevant, as the device verification is not active for you. (though it may be not a bad idea, to store the login credentials to your email address also on the emergency sheet…)
Agree, I am recording all information on my security readiness form. I just want to know what options I have. For example, what do I need to write on a business card?
For the time I’m on holiday and lose my phone. I can go to an internet cafe and launch a browser. Full of security risks, but all I can do.

For example, what do I need to write on a business card?
The phrase “In case of emergency, please call”, followed by your emergency medical contact’s phone numbers. That covers much more important scenarios and ensures you don’t forget their numbers.
After you lose your phone, head to the phone store (not an internet cafe), call the number yourself, have them pay for your new phone, then tell them where your emergency sheet is and have them iMessage or fax it to you.
Thanks. I was being rhetorical. A piece of paper or cardboard is small so I need to be brief.
I am totally reliant on Bitwarden. At home I have backups and Bitwarden installed on multiple devices. I am inclined to think the worst.
“What if I’m overseas; what if I am robbed and lose the phone and wallet!” There are a lot of sleepless nights.

If I have enabled 2FA and I use my Bitwarden Two-step login recovery code, will I be sent a verification email?
A feature is going to be implemented soon that will result in you getting automatically logged in to your Web Vault (without need for further verification) when you use your 2FA recovery code. Thus, if you use your recovery code on a browser that does not delete cookies automatically (i.e., not in Private/Incognito mode), then that browser will be automatically registered as a “recognized” device — meaning that future logins into your Web Vault from the same browser will not require any “new device verification”. Furthermore, if you immediately set up a new form of 2FA for your Bitwarden account as soon as you are logged in to your Web Vault after using the 2FA recovery code, then you will not need any “new device verification” for any new device, or for any Bitwarden app or extension.

A piece of paper or cardboard is small so I need to be brief.
I was taking it to mean “what should I carry on my person”, the answer being “nothing sensitive”.
Phoning-a-friend to retrieve the emergency sheet from behind the dryer is at least protected by the friend recognizing your voice and you being able to provide direction.
In the “I want to opt out” section of the docs, it lists a set of 4 things under “Users that may experience some challenges”, however it seems that if someone, like myself, has only the one, simple (exceptionally common?) thing of “Keeps their email TOTP generator in BitWarden”, they also “may experience some challenges”. And by “may experience some challenges” of course I mean “be completely unable to access their email or BitWarden account ever again” since the 2FA for each is now the other. It’s pretty much guaranteed that any time I need a OTP to log into my email it’s going to be the exact same situation that triggers BitWarden to want to do 2FA (e.g. phone died while traveling, trying to log into email on a new device, or house burnt down and took my computer with it, or any number of other disaster recovery situations that keep me up at night).
@Jimbly Welcome to the forum!
I agree that the part of the help documentation that you are referring to is inaccurate/misleading (and also, in my opinion, comes across as a bit patronizing in tone):
Users that may experience some challenges are those who do the following:
- Do not have two-step login enabled.
- Store their email password in Bitwarden.
- Constantly uninstall and reinstall Bitwarden.
- Log out of their email everywhere.
Only users that do all these things and match the conditions above will experience friction with this security update.
(Emphasis added)
There are definitely other scenarios in which the New Device Verification requirement can cause “friction”.
For example, I do have 2FA enabled, and I do not “constantly uninstall and reinstall Bitwarden”. However, I do have my email credentials stored in Bitwarden (and to further complicate matters, I always browse in Incognito mode, clearing all cookies on browser shutdown). Thus, if I lose access to my 2FA and end up using my two-step login recovery code, I am in danger of getting locked out of my Bitwarden account unless one or both of the following is true:
- I remember to always use the two-step login recovery code only in a non-incognito browser that I will have continued access to (thus ensuring that this browser can act as a “known device” for future account access); or
- I am able to successfully re-enable 2FA for my Bitwarden account before I leave the Web Vault or before I lose internet access due to reasons beyond my control.
Thus, there is a small, but non-negligible risk of losing access to my Bitwarden account if I use the recovery code in an incognito browser (e.g., by habit — especially since I might not be thinking clearly in the event of an emergency), and if I lose internet access or am otherwise prevented from enabling a new 2FA method on my account before the browser is closed.
For these reasons, I intend to maintain status quo by opting out of New Device Verification while also keeping two-step login enabled on my Bitwarden account.

For these reasons, I intend to maintain status quo by opting out of New Device Verification while also keeping two-step login enabled on my Bitwarden account.
To add another perspective (and I do agree with the explained reasons): I thought about the same (opting out), but as I do use “login-with-passkey” passkeys (with encryption) - and they “circumvent” a for-whatever-reason activated device verification - I tend to not opt out. For now.
(especially as my BW email login credentials are also stored outside of Bitwarden and the emergency sheet contains everything… so in theory, there should be more than one safeguard)

opting out of New Device Verification while also keeping two-step login enabled
This seems like a great idea now that opt-out is on the table. I chose a different approach, though, as I don’t like the idea of disabling 2FA even for a moment. My plan is to never use my recovery key.
I registered TOTP as a second factor and keep its secret key on my emergency sheet. In the event that my primary 2FA mechanism fails, I will download/configure a temporary TOTP authenticator and use that until my normal work-flow is repaired.
For Yubikey/Duo/etc users there is a need to temporarily configure the TOTP authenticator so one can “verify” the code. Once done, the secret can be deleted from the TOTP vault. Or in my case, I have portable KeePassXC on my emergency/offline USB in which I permanently keep a working copy of my Bitwarden TOTP.
I always browse in Incognito mode, clearing all cookies on browser shutdown
I tried that for a while and found it overly annoying. Now, I have an extension that deletes cookies after a spell (or shutdown) and has a whitelist so I can save those few cookies that I find valuable (e.g. “Bitwarden.com”).
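The “seed on the emergency sheet” approach in the posts above rests on one property of TOTP: the code is a pure function of the shared secret and the clock, so any RFC 6238 implementation, a temporary authenticator app, an offline KeePassXC copy, or a short script, produces the same six digits. The Python below is an illustration added here, not Bitwarden’s code nor code posted by anyone in this thread. It regenerates codes from a base32 seed as it would be written on paper (spaces, dashes, lowercase tolerated) and verifies a code with the ±1 step clock tolerance a server typically allows. The seed used is the public RFC 6238 reference vector, constructed for the example and not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Public RFC 6238 test seed (ASCII "12345678901234567890" in base32).
# Constructed example only; never embed a real seed in a script.
REFERENCE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn a seed as copied from an emergency sheet (spaces, dashes,
    lowercase and missing '=' padding are all common) into raw key bytes."""
    cleaned = seed_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_seed(seed_b32), at // step, digits)


def verify(seed_b32: str, code: str, at: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Accept a code that matches the current step or one within +/- window steps.
    This mirrors the clock-drift tolerance a verifier grants, which is what lets
    a freshly configured 'temporary' authenticator be interchangeable with the
    original one. Every candidate is checked in constant time."""
    if at is None:
        at = int(time.time())
    key = decode_seed(seed_b32)
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate all candidates so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(key, c), code)
    return ok


if __name__ == "__main__":
    # Same seed, same clock, same code, whichever app or script computes it.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(REFERENCE_SEED, t))
```

Because the verifier only needs the seed bytes and a reasonably accurate clock, the seed written on the sheet is as sensitive as the authenticator itself: anyone who reads it can mint valid codes indefinitely, which is why it belongs on the emergency sheet and not on a business card.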
Thank you for the opt-out facility. I came here to add (in addition to everyone who has already chimed in) that two factor for the bitwarden vault causes a chicken-and-egg problem.
I rarely use email outside of work and most of my personal communication happens on phone or WhatsApp. SMS being the second factor would be acceptable, but I would get locked out of my account with email as the second factor.
I agree that an opt out option is necessary for peace of mind, but after yesterday’s discussion I will not be opting out.
One thing I did a couple of days ago was move from the Bitwarden Authenticator app to the Ente Authenticator app. I only store the Bitwarden TOTP and my Email TOTP. The Email TOTP is optional, I may remove it.
Ente can be run as a web based app. In emergency all I need is a browser. I still have the recovery keys if all else fails.
Why? My email password is logged behind my Master Password inside Bitwarden. I use VPNs regularly and this will be a huge hindrance in the usability… again, why? Make it optional, a feature behind a switch… but for me as a private user, this is not more secure nor easier to use but only more hassle AND less safe because now I will have to note down my generated Email Password somewhere just. in. case…
So I have an issue with this change. At work I do not have access to my cell phone or any other computer device upon which I could store a TOTP, and I can’t use my work email for TOTP because I can only access it on work computers. I have the personal email I use to sign into Bitwarden setup with a very long password in order to keep it secure because it’s a regular Microsoft live email address and is exposed to the internet. This will essentially lock me out of my Bitwarden account when I’m at work.
The only workaround I can think of is using my Standard Notes account to store my BitWarden TOTP, as I can log into that without a TOTP and then sign into that account with a memorized password, in order to get the TOTP for BitWarden.
Do you see how frustrating this is for someone who needs account access in a non-cell phone environment? Could I setup a physical RSA key with TOTP? It needs to be a device that:
- Doesn’t connect to the computer
- Doesn’t have transmitting, receiving, or camera capabilities.
Or you could just give me the opportunity to opt out of this. If I roll my own server can I avoid this? I’d be willing to pay money to avoid this change. I’d also be willing to change apps but BitWarden is the industry standard in ease of use. This change is a deal breaker for me.
-Alex

Or you could just give me the opportunity to opt out of this.

Can I PLEASE opt out of this shit?
There will be an opt-out option.
I have precisely two passwords which are not long, random strings. One of those is for bitwarden, and is longer than 20 characters. I maintain it that way, because I needed to be able to log into it in the event that I have lost my personal device and access to my email. If I’m abroad, for example, the only personal device I typically carry is my phone. If someone steals my phone, an authenticator app will do me no good. All of my email accounts are secured with 40+ character random passwords, maintained in bitwarden.
The only way I can see to have reliable access to bitwarden would be to create an insecure email account for the sole purpose of authenticating to bitwarden. This does not seem to be an improvement in my application security, as I now have one more unsecured account.
What am I missing, please? How do I get around creating something insecure just to pretend that I am more secure? Granted, losing my passwords would be severe. Losing access to all of my accounts while abroad would be insane.
I got the email today; it came to my old email address which is no longer linked to my Bitwarden account and won’t be available in a month or two. Any reason for that?
This. I use BitWarden because if, in an emergency, I’m somewhere without my phone (and I don’t always carry my phone) I can use someone else’s computer to log into BW web to get into things I might need. Like my email. Which I wouldn’t be able to get into because of this chicken/egg situation.
Security that’s based on “what you have” is useless if you don’t have the thing on you every moment. Like, if you have to run out of the house in the middle of the night because of a fire or earthquake and you’re more concerned with staying alive than grabbing your phone or authenticator key.
Or, I could create a new Gmail account with an easy-to-remember (aka weak) password just for this, thereby defeating the whole stated purpose.
Please, BitWarden, rethink this decision.

“What if I’m overseas; what if I am robbed and lose the phone and wallet!”
So, we’ll need to memorize our recovery codes for those “don’t have access to any trusted devices” emergencies (like the aforementioned “What if I’m overseas; what if I am robbed and lose the phone and wallet!” or “had to run out of a burning house in the middle of the night with nothing but the clothes I sleep in”)?
@davimack @LJWolfe Bitwarden seems to be pretty bad at communicating the fact that users WILL be allowed to disable Device Verification altogether WITHOUT needing to enable a 2FA method. I’m not sure why either, because the PR for this was merged back in the beginning of January, so they’ve had plenty of time to plan their announcements to mention this without requiring people to specifically check the documentation or read the pull requests…