Send email notification when a 2FA recovery code is used

Hi!

Request

I think that Bitwarden should send an email notification whenever a 2FA recovery code is used to log in to an account, if it doesn’t already.

I looked at the email service in GitHub to see if this feature exists, but didn’t see anything.

Scenario

Imagine that you write down your 2FA recovery code. You give it to a trusted friend or family member for safe-keeping, worried that if you store the code in your own home you are vulnerable to losing it in the case where your house is destroyed in a natural disaster.

The 2FA recovery code is useless without the account email and master password. However, if the account email and master password are stolen, and my trusted party loses the 2FA recovery code, someone can access my account without my knowledge.

In this scenario, I would like an email to be sent to my Bitwarden account email address that says my account has been accessed using the 2FA recovery code. If I get an email like this from Bitwarden when I am not trying to access my account, I can take steps to mitigate the damage.

Isn’t Emergency Access better in this scenario?

Emergency Access is a great feature to use when your trusted party is also a Bitwarden user. However, many people aren’t.

It is reasonable to expect there are people I trust with keeping a piece of paper safe, but do not trust with keeping a web service account safe.

I did my best to search for this feature before posting–I apologize if I missed this!

Thanks for your consideration.

Hello @Tails - welcome to the community forums.

Bitwarden already sends an email notice if a new device is used to log in to your vault, so it is unclear to me if this feature is really necessary. Can you elaborate a bit, perhaps? Thanks.


Hi @dh024: thank you for your prompt reply!

I agree that “a new device has signed into your vault” emails are sufficient in most cases, so I wouldn’t describe my feature request as strictly necessary.

That said, the “2FA recovery code was used” email might still be useful in some narrow cases:

  • People who use Bitwarden in private browsing environments may get a lot of “a new device has logged in” emails, and become desensitized to them.
  • A timing attack could make a vault owner believe that they triggered the “a new device has logged in” email, when it was a simultaneous login from another user with access to the 2FA recovery code.

In these situations, the “2FA recovery code was used” email would still have value. Here I assume (but do not know for certain) that using a 2FA recovery code is an extremely rare event, even less frequent than logging into your Bitwarden vault from a new device.

As always, thank you for your consideration.
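An added illustration of the two alert kinds discussed in this thread, written for this page and not taken from Bitwarden's code: a small login-stream classifier that raises the existing "new device" notice and the requested "recovery code used" notice, run over constructed login events (the field names, device ids and timestamps are all assumed). It also shows a case the thread does not spell out: once the recovery-code device has been seen, a repeat recovery-code login from it raises no new-device notice at all.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed sample values)
    user: str
    device_id: str
    method: str      # second factor used: "totp" or "recovery_code"
    success: bool

def classify(event, known_devices):
    """Alert kinds one successful login should raise: 'new_device' is the
    existing notice described in the thread, 'recovery_code_used' the request."""
    alerts = set()
    if not event.success:
        return alerts
    if event.device_id not in known_devices.get(event.user, set()):
        alerts.add("new_device")
    if event.method == "recovery_code":
        alerts.add("recovery_code_used")
    return alerts

def alerts_for(events, known_devices, recovery_alert=True):
    """Walk a login stream in time order, learning devices as they are seen,
    and return (ts, user, kind, device_id) tuples for every alert raised."""
    known = {u: set(d) for u, d in known_devices.items()}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):  # stable: ties keep order
        kinds = classify(ev, known)
        if not recovery_alert:
            kinds.discard("recovery_code_used")
        out.extend((ev.ts, ev.user, kind, ev.device_id) for kind in sorted(kinds))
        if ev.success:
            known.setdefault(ev.user, set()).add(ev.device_id)
    return out

# Constructed sample: at t=1000 the owner signs in from a fresh private window
# while someone else signs in with the owner's email, master password and
# recovery code; that device is then "known", so its second recovery-code
# login at t=1300 raises no new-device notice at all.
SAMPLE = [
    LoginEvent(1000, "alice", "private-window-7", "totp", True),
    LoginEvent(1000, "alice", "unknown-laptop", "recovery_code", True),
    LoginEvent(1200, "alice", "home-desktop", "totp", True),
    LoginEvent(1300, "alice", "unknown-laptop", "recovery_code", True),
]
KNOWN = {"alice": {"home-desktop"}}

def summarize(recovery_alert=True):
    """Count alerts by kind under each notification policy."""
    return Counter(k for _, _, k, _ in alerts_for(SAMPLE, KNOWN, recovery_alert))
```

With only the new-device notice, the owner receives two identical emails at the same second and nothing for the later login; with the recovery-code notice, the second and fourth logins are each flagged distinctly.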