Security Weakness related to 2-FA and hijack vault

The security loophole is, if the master passcode is leaked somehow, Bitwarden does not ask for 2-FA when you change the email address. That is wrong!
Say I have previously opened a Bitwarden vault from email id ‘ABC’.

Now, to change it to ‘PQR’, it only requires the master password and sends a verification code to the new mail address, i.e. to PQR.
It does not send any notification to ABC, nor does it ask for any 2-FA code to do that.
In short, to hijack your Bitwarden account, someone simply needs to know the 1-factor auth key, which is your master password. That is bad :(

1 factor if they have access to your computer. If they have access to your computer, they already have access to your vault, which is just a password away from being broken. If they already know your password, your vault is already lost.

But I do agree. I would like to have an option to require one of the 2FA methods to change account settings.

You just need 2FA with an OTP code or U2F, e.g. with a YubiKey, and you’re safe; they won’t change your e-mail address because they won’t be able to log in to your vault.