I think that Bitwarden should send an email notification whenever a 2FA recovery code is used to log in to an account, if it doesn’t already.
I looked at the email service in GitHub to see if this feature exists, but didn’t see anything.
Imagine that you write down your 2FA recovery code. You give it to a trusted friend or family member for safe-keeping, worried that if you store the code in your own home you are vulnerable to losing it in the case where your house is destroyed in a natural disaster.
The 2FA recovery code is useless without the account email and master password. However, if the account email and master password are stolen, and my trusted party loses the 2FA recovery code, someone can access my account without my knowledge.
In this scenario, I would like an email to be sent to my Bitwarden account email address that says my account has been accessed using the 2FA recovery code. If I get an email like this from Bitwarden when I am not trying to access my account, I can take steps to mitigate the damage.
Emergency Access is a great feature to use when your trusted party is also a Bitwarden user. However, many people aren’t.
It is reasonable to expect there are people I trust with keeping a piece of paper safe, but do not trust with keeping a web service account safe.
I did my best to search for this feature before posting–I apologize if I missed this!
Thanks for your consideration.
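A sketch of the behaviour requested in the post above, added here as an example; it is not Bitwarden's code and not part of the original post. `Account`, `Outbox`, `hash_code` and `redeem_recovery_code` are hypothetical names, the sample values are constructed, and the email and master password are assumed to have been verified before the call.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Account:                      # hypothetical account record
    email: str
    recovery_code_hash: Optional[bytes]   # None once the code has been used


@dataclass
class Outbox:                       # hypothetical stand-in for a mail queue
    messages: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.messages.append({"to": to, "subject": subject, "body": body})


def hash_code(code: str) -> bytes:
    # Normalise what a person retypes from paper: ignore spaces and case.
    # A plain hash is acceptable only because the code is long and random.
    return hashlib.sha256(code.replace(" ", "").lower().encode()).digest()


def redeem_recovery_code(account: Account, code: str, source_ip: str,
                         outbox: Outbox, now: Optional[datetime] = None) -> bool:
    """Assumes email and master password were verified before this call."""
    now = now or datetime.now(timezone.utc)
    stored = account.recovery_code_hash
    # Constant-time comparison; a spent code (None) never matches.
    if stored is None or not hmac.compare_digest(stored, hash_code(code)):
        return False
    notify_to = account.email           # address on file at the moment of use
    account.recovery_code_hash = None   # single use: burn the code
    # Queue the alert before the session is handed back, so a later change
    # of the account email cannot redirect or suppress it.
    outbox.send(
        to=notify_to,
        subject="Your 2FA recovery code was used to log in",
        body=(f"A recovery code login happened at {now.isoformat()} "
              f"from {source_ip}. If this was not you, change your master "
              f"password and review your account now."),
    )
    return True
```

The alert carries the time and source address so the account owner can tell their own recovery from someone else's.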