For peace of mind I’d like to add a time delay (24 hours) when someone is using the security readiness kit (emergency sheet with Bitwarden credentials).
What I want: when someone with the emergency sheet wants to log into my vault they have to wait 24 hours. Meanwhile I get notified of this activity and have a chance to stop it.
If Bitwarden doesn’t support this, do you know any third party solutions?
My ideas:
encrypt the master password with a key
write the encrypted password on the sheet
save the encryption key to an online service
anyone can request the key, but the service enforces a 24 hour delay with owner notifications
easy-to-follow instructions for anyone using the sheet (somehow)
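A runnable model of the scheme sketched in the ideas above, as an added example that is not part of the original post and not an existing Bitwarden or third-party product: the master password is encrypted and only its ciphertext goes on the sheet, while the key sits with a service that notifies the owner and releases the key no sooner than 24 hours after a request that was not cancelled. The service class, its method names and the notify callback are assumptions made for illustration; the cipher is a one-time pad (a random key as long as the password, used once), chosen so the example needs no third-party library, and a real build would use an authenticated cipher such as AES-GCM instead.

```python
# Added example (not from the forum thread): a model of the original poster's idea.
# The master password on the emergency sheet is stored encrypted, and the decryption
# key is deposited with a service that releases it only 24 hours after a request,
# notifying the owner so the request can be cancelled. Stdlib only. The service,
# its method names and the notify callback are assumptions made for illustration;
# the cipher is a one-time pad (random key as long as the password, used once),
# chosen so the example needs no third-party library. A real build would use an
# authenticated cipher such as AES-GCM for the sheet.
import secrets
from typing import Callable, Optional, Tuple

DELAY_SECONDS = 24 * 3600   # the waiting period the poster asked for


def encrypt_for_sheet(master_password: str) -> Tuple[bytes, bytes]:
    """Return (ciphertext to print on the sheet, key to deposit with the service)."""
    plaintext = master_password.encode("utf-8")
    key = secrets.token_bytes(len(plaintext))   # one-time pad: random, same length, used once
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return ciphertext, key


def decrypt_from_sheet(ciphertext: bytes, key: bytes) -> str:
    """Recombine the sheet's ciphertext with the released key."""
    if len(key) != len(ciphertext):
        raise ValueError("key and ciphertext lengths differ")
    return bytes(c ^ k for c, k in zip(ciphertext, key)).decode("utf-8")


class TimeLockKeyService:
    """Hypothetical key-escrow service enforcing the delay and the owner notification."""

    def __init__(self, key: bytes, notify: Callable[[str], None]):
        self._key = key
        self._notify = notify                         # e.g. e-mail or push message to the owner
        self._pending_since: Optional[float] = None   # Unix time of the open request, if any

    def request_key(self, requester: str, now: float) -> None:
        """Anyone holding the sheet may ask; the owner is told and the clock starts."""
        if self._pending_since is not None:
            return   # a request is already open; repeated requests do not restart the clock
        self._pending_since = now
        self._notify(f"{requester} requested the emergency key at t={now:.0f}; "
                     f"release at t={now + DELAY_SECONDS:.0f} unless you cancel")

    def cancel(self) -> None:
        """The owner, alerted by the notification, stops the release."""
        self._pending_since = None

    def release_key(self, now: float) -> Optional[bytes]:
        """Hand out the key only if a request is open and the full delay has passed."""
        if self._pending_since is None or now - self._pending_since < DELAY_SECONDS:
            return None
        return self._key


if __name__ == "__main__":
    # Constructed sample password; the sheet would carry ciphertext.hex(), not the key.
    ciphertext, key = encrypt_for_sheet("correct horse battery staple")
    print("on the sheet:", ciphertext.hex())
    service = TimeLockKeyService(key, print)
    service.request_key("emergency contact", now=0.0)
    print("after 1h:", service.release_key(3600.0))
    released = service.release_key(float(DELAY_SECONDS))
    print("after 24h:", decrypt_from_sheet(ciphertext, released))
```

The point to check in any real implementation is the one the service's `cancel()` stands for: the owner must be able to veto a request after being notified, and the notification has to reach an address that is not itself locked inside the vault.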
What you want to set up sounds like the emergency access feature built into Bitwarden. You should check that out to see if it fits your needs.
What you would need is:
A premium or family plan to originally assign the emergency contact account. (Once you assign it, the designated account will have the desired configured access regardless of whether you keep the paid subscriptions.)
The person needs to have a Bitwarden account and must be able to competently protect their own account. (The compromise of the person’s vault can weaken your account protection.)
I think this is possible, but I’ll comment on just the more technical part:
Unless you also set up 2FA on both accounts (and write down the appropriate 2FA recovery codes), you’ll want to write down your email credentials (account ID, password, 2FA recovery codes) as well, because Bitwarden enforces new device login protection by emailing OTPs to the accounts.
You still want to have an emergency sheet for your main account as well. It’s a standard recommendation for any Bitwarden account.
@AlinS It is also possible to disable New Device Login Protection (from the “Danger Zone” section of the Account Settings in the Web Vault). This is normally not recommended (unless you have 2FA for the account), but in your use-case, I think it would be acceptable — assuming that you would have an uncrackable master password (e.g., 6-word random passphrase) on the emergency access account, that you would not re-use or disclose this master password (i.e., it would exist only in your Security Readiness Kit and nowhere else), and that your Security Readiness Kit document would be stored securely (on paper only) in a location known only to those with a need to know.
For the emergency access account, I would also recommend changing the KDF setting to Argon2id.
Finally, a completely different approach would be to encrypt your Security Readiness Kit (one that has your own account credentials) using Shamir’s Secret Sharing. Instead of a time delay, added security would come from the fact that you can require at least two different individuals to agree to decrypt the Security Readiness Kit (because the document could not be decrypted without the presence of the “shares” possessed by each individual).
Now I have an important non-technical comment. If you have two free accounts that belong to the same person, you would be violating the Bitwarden Terms of Service, which is probably inadvisable, as it could give the company grounds to revoke your accounts. You definitely should not set it up like this, unless you will always be paying for one account.
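The Shamir's Secret Sharing approach suggested in the reply above, as an added example that is not part of the thread and not code from Bitwarden: the key used to encrypt the Security Readiness Kit is split into three shares so that any two holders, but never one alone, can reconstruct it. The implementation is a standard prime-field Shamir scheme using only the standard library; the function names and the 2-of-3 parameters are assumptions for illustration, and the encryption of the kit itself with the recovered key is left out.

```python
# Added example (not from the forum thread): Shamir's Secret Sharing over a prime
# field, used to split the key that would encrypt the Security Readiness Kit so
# that any two of three trusted people must cooperate to recover it. Stdlib only;
# function names and the 2-of-3 parameters are assumptions for illustration.
import secrets
from typing import List, Tuple

P = 2**521 - 1            # Mersenne prime; any secret of up to 65 bytes is below it

Share = Tuple[int, int]   # (x, f(x)) with x >= 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial with the given coefficients, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` points of which any `threshold` reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not (0 < threshold <= shares) or s >= P:
        raise ValueError("bad threshold/share count or secret too large for the field")
    # The constant term is the secret; the remaining coefficients are uniformly
    # random, so fewer than `threshold` points reveal nothing about the constant term.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over the shares given."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return total


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Reconstruct the secret as bytes; fails if too few or wrong shares were supplied."""
    value = recover_int(shares)
    if value >= 1 << (8 * secret_len):
        raise ValueError("these shares do not reconstruct a secret of that length")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # constructed sample: a 256-bit kit key
    parts = split_secret(key, threshold=2, shares=3)
    print("any two shares recover the key:",
          recover_secret([parts[0], parts[2]], 32) == key)
```

With fewer shares than the threshold the interpolation still returns a value, just not the right one, so in practice the kit should carry something that lets the holders verify the recovered key (a hash of the key printed on each share card, for instance) before they try to use it.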