This is annoying. This doesn’t make my vault more secure, it just makes me not want to use my vault. Will there be a way to turn it off? If I set up 2FA, can I set it up so that it only asks my code once per device per 24 hours?
Welcome, @pwd-github to the community!
Yes, there is a “remember me” checkbox during login that suppresses MFA for 30 days on that one device.
Just set your vault to Lock instead of logging out. Then you don’t need your 2FA, just enter the Master Password to unlock it. Simple.
I’d rather not give my recovery code to anyone thanks.
So just to clarify, when I encounter a login form on my phone and then press bitwarden, there will be a checkbox to not have to deal with that for a while, even if I’m logging into 59 websites in the following ten minutes?
This has to do with logging into Bitwarden, as opposed to using Bitwarden to login to other sites.
When you login to Bitwarden and have 2SA enabled, you are prompted for TOTP after you have entered your password. On that screen is a “remember me” checkbox that works for 30 days.
This is an absolutely horrible idea. My entire digital life revolves around Bitwarden. I’ve been using a password manager with randomized passwords for at least 10 years now. My 2FA app’s password is in Bitwarden. Even if you use the traditional Google Authenticator, that’s backed up on Google with a password. I don’t have 2FA set up on my account for a good reason. I don’t want to introduce the (albeit small) possibility of permanently losing access to my entire digital life. This should not be an opt-out feature. This was already available as an opt-in feature and should continue to be up to the user to enable. I appreciate the attempt to make the platform more secure, but this is a horrible way to do it. Even just occasionally reminding the user on login that 2FA is an option is a significantly better way to do this.
Thanks, I pretty much am exclusively mobile, so although it’s not helpful to me, I appreciate your help.
As for mobile, it’s not asking for the TOTP every time I unlock, so that’s useful. If I had known that, I probably would’ve enabled it sooner.
Thank you very much. I believe it’s the default setting. I don’t recall changing it at least.
My iPhone also has a remember me slider, very similar to the chrome extension checkbox shown above.
But yes, the best choice is almost always to keep the devices logged in, but locked. Then you can take advantage of biometrics (FaceID/fingerprint/pin) to unlock. The advantage of this approach is that by making unlock very easy, one does not mind generally keeping their vault locked, resulting in a better security posture. A locked vault is just as secure as a logged out vault. In both cases, the vault is encrypted.
Bitwarden’s “upping the MFA game” does not create the risk of lockout; it exposes a risk that you already have, because forgetting your master password is equally impactful. To protect against “loss of access”, you really do need an emergency kit. The most useful reaction to this announcement is to ensure that your MFA recovery code and your TOTP secret key are correctly documented in your emergency kit.
You also need to consider that your vault could be corrupted or that Bitwarden could suddenly vanish off the face of the earth. To protect against this, a full backup is your friend.
Mentioned several times above but using a YubiKey makes this a one second button touch. I would NEVER maintain a password vault anywhere without 2 factor. I don’t like rolling dice because I tend to lose — LOL!
Could you point me to the doc that allows opting out of this feature?
Just two months ago, I lost my phone. I was able to lock and track it by logging into my Apple ID on a random phone nearby. I retrieved my Apple ID password from my Bitwarden account—also from that same random phone.
If this new verification step had been in place, I probably wouldn’t have been able to access my vault or my email, meaning I’d have lost my phone for good.
I get that this makes accounts more secure, but the chances of this feature benefiting me are extremely low. The only time I’d ever need to log in from an unknown device is in an emergency where I likely wouldn’t have access to my usual 2FA methods.
I wonder if we could find some middle ground for emergency situations—like allowing access to a limited version of the vault. Though I guess the “full vault” access likely could be obtained if an attacker had access to the limited vault.
Curious if there’s any workaround for cases like this.
2 separate vaults? You are allowed to have 1 free account, so this solution would come at the cost of $10/yr (if not already paying it).
Hi,
Just found out that 2FA/email verifications are becoming mandatory starting Feb and came to this thread…
There are scenarios (some are listed here, and some are not) where such enforced verifications will mean in certain situations being completely locked out of one’s own digital life, at least for a period of time long enough that makes the impact of this “improvement” unacceptable.
None of the solutions offered by Bitwarden and “enthusiasts” in this thread provide a sufficient mitigation for all situations of such impact anywhere close to a sufficient level.
As such, this “improvement” must not be enforced as mandatory. We must have the freedom to choose what is more important to our own circumstances and the way we use our vaults.
The day this “improvement” is shoved down my throat and becomes mandatory, is the day I cancel my paid subscription and move somewhere else, where I can make my own decisions on security and accessibility of my vault.
Best regards.
I think one possible solution was not mentioned in this thread yet: if you want to rely solely on “something you know” and therefore can use without any special requisite and at any time… you could set up email 2FA for your Bitwarden account.
The email address for 2FA can be a different email address than your Bitwarden account email address.
If you set up an (old or new) email address with a sufficient passphrase - and probably without 2FA for that email address itself - then you can log in to your Bitwarden account knowing only the master password and the passphrase to your Bitwarden-2FA-email address (if you want to log in to BW, you get sent an OTP to that email address after you have typed in your master password; log in to your 2FA-email address with the passphrase, get the OTP, and enter that as the 2SV for the Bitwarden login).
@Micah_Edelblut @dwbit Could you please clarify the roadmap item “Log user in after recovery code use” in the context of this “New Device Verification” feature? We had speculated about it in another thread, but it would be helpful to get clarification straight from the horse’s mouth.
@RyanL I second the suggestion by @Nail1684 to include a space for the backup file password on the recovery sheet. Bitwarden users (especially those who are beginners or not technically advanced) should be steered to the password-protected JSON export as the primary means of backing up their vaults. We routinely recommend this on the Community Forum (and Reddit), and routinely advise users to record the backup file password on the emergency sheet. Anybody who prefers a different backup approach can make their own annotations in the “Other Details” section as you’ve suggested, but it would be helpful for a large swath of users if you provided a space for the backup file password (if nothing else, this may alert users to the necessity of creating vault backups, something that would have saved many an unlucky user who has been locked out of their account).
It’s either 2FA or the device verification…
What scenarios might that be? - Of course, there are some absolute nightmare scenarios (like the whole house gets burned down etc.) that could carry that absolute risk - at least if there wasn’t a plan D or something… For the other 99% of scenarios, one or more comprehensive emergency sheets should prevent most lockout scenarios.
E.g. if you set up 2FA, in the extreme, you could activate all five forms of 2FA in parallel (FIDO2, TOTP, email, Yubico OTP, Duo) and store the 2FA recovery code, of course. That should be flexible enough to prepare for most scenarios.
I think it’s not that simple. There are things we are responsible for ourselves (like choosing a strong master password, using 2FA, updating our systems and Bitwarden apps…) - and there are some things Bitwarden is responsible for (like the security of the code, the encryption, security fixes… and maybe applying policies to protect users’ vaults more than now…).
I’m not interested in your mental gymnastics, buddy.
It really is that simple.
Bitwarden are responsible for developing and providing all the good security tools that are expected from a password manager these days (2FA, email verifications, Passkeys, etc. - you name it) and, maybe, helping educate people about what these tools are, how they work, what the advantages and disadvantages of those tools are, and why it’s a good idea to use these tools.
Bitwarden are NOT responsible for forcing people to use all of these tools.
Not sure how YOU personally are going to benefit from forcing ME to use 2FA and why you feel the need to argue, but I don’t even want to know…
I want to be left alone and to make my own decision based on my circumstances and the use case, which by the way, you have no business sticking your nose into.
They don’t. There will be an optional opt-out. See here.