Security update - new device verification coming March 4th

So much depends on the situation. Every individual's situation is different, but for me enabling 2FA for Bitwarden using the TOTP authenticator option means I do not need access to email.

In case of an emergency, instead of writing down Bitwarden and email credentials, it would be the credentials for Bitwarden and Ente.

Additionally, if I have the Ente app installed, I can load data locally into Ente from a file. The file can be encrypted.

Bitwarden team note. A future release of the BW Authenticator app that has the features of Ente Authenticator would be very useful.

There may be an account associated with this email address that was created in the past by a bad actor attempting to enumerate accounts. You can, if you would like, delete this account using the steps described at the bottom of this article.

You might want to try logging into this account first to make doubly sure it is no longer one you use!

Long absence of active users is more common than you may think. You would expect deployed service personnel (especially at forward bases, submarines, etc.) to not access their account for months or even a year and then go right back to normal usage upon return.

In that situation, maybe I would leave a BW recovery sheet in a lockbox at the bank, but only if I already need to store other valuables. I definitely would not take it with me! I would not leave it with another person, since there is no guarantee that person can/will keep it safe for a year or so. And I wouldn’t want to just start my online life over from scratch.

You and I are on the same page. Absolutely critical passwords (email, git, work, bank) are not stored in BW, and in the case of work and bank, I know I (or my next-of-kin) can show up in-person and resolve login issues if I lose everything. Everything else goes into Bitwarden, and I absolutely do not want to depend on something I have—whether that’s a device or piece of paper or fingerprint! All of these can be lost!

Plus, I’m not sure how my account becomes more secure by putting recovery passwords over there, a hardware key over here (and its backup key and own recovery codes in the junk drawer), a TOTP entry on my phone, etc. Might as well tape a post-it note to those infrequently used items with “Bitwarden, online password vault, <my master password>” so I don’t forget their purpose in two years and toss them in the bin!


What would be best for me would be the regular master password and no 2FA, but send me an email when a login has occurred. It takes less than a second to swipe that away after the fact, but if I see a login email when I haven’t just logged in, that would instantly get me suspicious.

If I’m without any devices—which happens a lot more often than my passwords getting stolen—then I could still access my vault quickly—as my email provider sometimes does the “hey, you’re on a new device or at a weird location, can you 2FA real quick??” ordeal.

If someone gets my password and logs in without my knowledge, the email would reveal this. I’d give very improbable odds of someone stealing my master password plus getting access to my email and being able to delete the login message before I see its notification on my phone or computer. It’s almost the contrapositive of 2FA; a malicious actor would need “what I know” and rely on me not having “what I usually have”.


Beyond that, 2FA is plain inconvenient. I’m not looking to extend my vault timeout so anyone walking by my unattended computer can explore. I’m not looking to lock my vault every time I take a pee. I’m not looking to fingerprint my smartphone every time I want to log in at bbforum.myweirdhobby.com (especially if that site has its own 2FA, as many now do).

Five seconds (ten max) to log in at any site. Longer than that and I might as well go back to a single, shared, insecure password.

“will be” ≠ “currently exists”

…or else I’m blind.

The devs are working very hard to make sure that this option is available before the new device verification feature is enabled. Please keep an eye on the release notes here for updates.

Maybe this was already suggested and I missed it, but a compromise could be to make this very good feature opt-in (device verification off) for existing users with the prompt on next login, and opt-out for new users (device verification on).

The devs are working very hard to make sure that this option is available before the new device verification feature is enabled.

Can we take this as a promise that the opt-out feature will definitely be available before the rollout?

For example, if despite the dev team’s efforts the feature doesn’t end up being ready, the rollout will be correspondingly delayed until the opt-out feature is finished and available to users?

Did you consider that perhaps logging into an email account uses a password that one might keep in Bitwarden? How am I to see the verification code if I need to log in to Bitwarden to get access to the mailbox that holds the verification code I need to log in to Bitwarden to get access … etc… you get the idea.

You did not think this through.

Hey @fenke, you can use any of the available two-step login methods like authenticator app or hardware key, rather than email verification. More on this in the FAQ.

Yeah, I saw that. Authenticator apps are tied to accounts that are tied to email accounts. I really don’t feel comfortable with the possibility of login failure, however small that chance may seem. 2FA should be optional.

You can store a TOTP seed code in any “secure location” you like. Write it down on your emergency sheet(s), and you can set it up in any authenticator app at any time again.

No? Really??

You can write passwords on sheets of paper too. We know how well that works.

Exactly. That’s recommended for your master password, 2FA recovery code etc. - write those things down on an emergency sheet and of course store that in one (or more) secure location(s).

Here is one draft for that: Bitwarden security readiness kit | Bitwarden

Knowing Bitwarden after 5 yrs of use, I strongly suspect that the standalone authenticator will support convenient / automatic pasting of 2FA codes, it’ll be instantly available via browser pulldown, and it can export 2FA seeds for backup/restore on another device.
Better yet, it will be capable of multi-platform installation with sync, so it’d be on your phone, your laptop, your Yubikey while you travel. Like you say, similar to Ente, plus a few usability integrations with BW Password Manager too.

Will there be an option to disable the new nonsensical feature? I absolutely detest all those Gmail mails I get every time I use it on a browser that has had its cookies deleted. I don’t want to have to deal with Bitwarden mail too. Bitwarden was fine as it is. If it cannot be disabled, can someone recommend alternative software that doesn’t have this?

Welcome, @uncomfirmed, to the community!

If you read the lead post in this topic, it directs you to the blog post for more information, which explains that opt-out will indeed be available.

Will the in-app notices stop when the New Device Verification feature is rolled out? It is quite annoying to see these notices over and over again. Are we still on target for a release at the end of February?

Please don’t make this mandatory. I love Bitwarden, but hate MFA with a passion and will switch to another password manager if you force this feature.