Security update - new device verification coming March 4th

I’m glad there was feedback taken, and there is this option for more advanced users. Thanks.

With all due respect, I must disagree. It’s not a question of wisdom. It’s about choice. If a user understands and accepts the risk of disabling 2FA, they should be able to.

With email-based 2FA, the only way to have surety of not being locked out (assuming said address remains functional and is not impacted by an outage) is to have an email account with credentials not stored in Bitwarden.

This either creates additional expense (for a second password manager) or additional risk. Passwords that can be memorized and typed manually are rarely as secure as a randomly generated password. The risk goes up if that password is written down somewhere, as in the old days.

And consider that some users may not be up to the technical demands of other 2FA methods.

If Bitwarden does not maintain the ability to opt out, I will be leaving, and recommending that those family members to whom I’ve previously recommended Bitwarden do the same.

1 Like

THIS. Also, Google and other email providers require passkeys and 2FA. So it really is the chicken and the egg, where now another password manager needs to be used to get the 2FA for Bitwarden.

I can tell you from experience that you will lose out on more money from making the product worse. I will gladly (and currently do) pay for multiple Bitwarden accounts because of its simplicity, open source, and transparency. There are more use cases created when things are kept simple, and there is no 2FA. Once Bitwarden starts enforcing new rules that make the product worse, then people will start looking for alternatives. Create the best product and you will generate value and in turn money, but if you focus on extracting money, customers will go elsewhere.

Bitwarden gets the louder voice, though. They own the product and they have the bigger reputation to protect. They do have the legal ability to impose whatever conditions they desire. Just as they limit each person to one free account, and they require master passwords to be 12+ characters, it is within their realm of authority to enforce MFA on all the users of their product if they so chose.

Similarly, you can decide to vote with your money, feet and/or voice.

not stored exclusively in Bitwarden. There is nothing wrong with having the creds in your vault. The problem is when that is your only copy. The “circular dependency” is easily broken with an emergency sheet, which is why us “enthusiasts” have long advocated its use.

Certainly!
Today, a user supplies their master password and recovery code, and this turns off 2FA for their account, but it does not log them in. This, as community members have pointed out, could be a problem because now when attempting to log in, the user may need to go through new device verification.

The change we are implementing is that when a user supplies their master password and recovery code, they are logged in AND have 2FA turned off for their account. This lands the user in their 2FA settings in the web app, where they can re-enable 2FA if they wish. Importantly though, they’re successfully logged in and have at least one recognized device at this point.

2 Likes

Here to pitch in on why I think this is a really bad idea.

How do I access my email account, if the password to my email is stored in Bitwarden? Has the dev team never heard of the chicken and egg problem?

I buy a shiny new iPhone from the Apple Store, head over to Starbucks to enjoy my triple shot caramel marshmallow ice latte frappa and set up my new phone… and am instantly ruined, when I can’t access any of my passwords, because I can’t access my password manager, because I can’t access my email, because I can’t access my password manager, because I can’t access my email… you see how this goes??

My master password is secure as all mighty. If I take too heavy a fall and hit my head on the pavement I’m more likely to forget it myself, let alone some malicious user access my bitwarden account.

If there is no option to opt out of this, I (and I’m sure many others) will have no option but to move away from Bitwarden. You’re not special, guys. People mass migrated from 1Password to LastPass, and from LastPass to Bitwarden. It won’t take much work to move to the next provider.

Bitwarden is definitely aware of this chicken and egg scenario - it’s called out in the FAQ document linked in the original post.

We think that the options we’ve provided users, including the in-development option to opt-out of this new security measure, give users the flexibility they need to avoid lockout.

2 Likes

This is useless because you haven’t adequately notified users.

You need to send out emails to the recovery mail, and add a popup in the app.

And you need to do this well in advance to allow users to make the necessary changes.

As it stands you are introducing a breaking change that requires action – quietly.

Bitwarden is doing both of these things.

1 Like

I just found this thread after being told when logging in that 2FA will be enforced from Feb…

I am very much on the fence of 2FA. I find it grief a lot of the time but having a tech background I understand why.

That being said, as much as I try to opt out of 2FA, for a password manager I am more inclined to opt in.

My question is: IF I opt-IN can I opt-OUT?

IIRC (and this may have changed), when Apple asked (or forced) you to opt in to 2FA, you couldn’t then disable it, and if you did you lost access to certain features.

I would be happy to trial 2FA but switching between multiple accounts I can sense this would just create delays and grief for retrieving passwords and I would be happy to forgo the risk involved in disabling 2FA.
I fear I would opt-in and be stuck with this going forwards.

Thanks!

Hi Rhys, welcome to the community!

Yes, if you turn on two-step login for your account, you can always turn it off. If you do turn it off, following the release of this feature, you would then be opted in to email verification when you log in on a new device. This will also be something you can turn off, but Bitwarden does not recommend it.

1 Like

I urge you to push the rollout back to the 1st of March to give users a month long advance notice.

Some people have busy lives and cannot react in the day or two you seem to have planned.

Rest assured, this isn’t going to be coming on February 1st. We’re targeting the end of February, so that users have time to see the in-product messaging and make any necessary adjustments to how they log in.

1 Like

I’ve noticed that most of the people who complain about 2FA saying it’s too intrusive and an unneeded step, are people who haven’t been hacked yet. I have them in my own circle of friends and family.

I really don’t see what all the fuss is about on this issue. Bitwarden is giving every user multiple options.

I’m pretty sure that if there ever was a hack of Bitwarden data, everybody would crawl out of the woodwork to complain about how the company didn’t do enough to ensure security.

Awesome! Thank you, really appreciate the response.
If it’s something I can easily revert then I am inclined to check it out.
Thanks!

Thanks for the clarification!

Yeah… unless they use a browser that deletes cookies, right? If you logged out of Bitwarden after that procedure, close the browser, that deletes the cookies… and what then?

Another thing: because of stories like this: https://www.reddit.com/r/Bitwarden/s/3kngmd1Jpp I really think the expression shouldn’t be just:

Because the normal user could think “Of course I have reliable access - my email credentials are in my Bitwarden vault! That’s why I use Bitwarden!” and doesn’t “decrypt” what you are trying to say / imply here (and the possible consequences).

The expression should be something like:

“Do you have reliable access to your email, [email protected], independent (or outside) of your Bitwarden vault?”

(also @dwbit @Micah_Edelblut @RyanL )

2 Likes

Then you’ve shot yourself in the foot. Bitwarden is making changes to the recovery code flow so that you can, after using a recovery code, set yourself up for future logins. If you don’t do this, then you risk locking yourself out.

(emphasis my edit)

Okay… I guess what I’m trying to say is: please implement clear warning messages in the UI (and probably also when someone presses the log out button) that “if you leave now without having set up 2FA again, the device verification takes place again” or something like that. Please don’t expect the normal user - or any user - to think three steps ahead every time. (Also, if a browser deletes cookies, not everyone may connect that directly with consequences for the device verification… I wouldn’t even trust myself here to be aware of that at any time.)