We have some exciting news and wanted to give this community a heads-up on an upcoming change. You may receive (or have already received) an email notification from Bitwarden regarding an update to device verification as follows.
Note: This email is only being sent to users that did not have two-step login enabled or SSO via an organization.
To keep your account safe and secure, Bitwarden will require additional verification when logging in from a new device or after clearing browser cookies.
Once you enter your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email. Or, if you prefer, you can set up two-step login. Thanks for your understanding as we work to keep your data safe!
To be clear, this change does not affect users using 2FA or SSO to log into Bitwarden.
Can the email option be disabled, if the two-step login option is enabled?
And how is the two-step login method different from a normal login on any device (new or old) using current/old versions of the app?
Ooohhhhhh, wait, I think I figured it out:
What you’re actually saying is that the change being implemented is simply that two-step login is no longer going to be optional, but will now be required for all Bitwarden users (and will default to the email code option until a different method is configured). Am I correct?
If so, nothing will change for users who already have 2FA enabled.
If my interpretation is accurate, it may be helpful to frame the information in a way that makes sense for users who already have 2FA. On first read, I thought you were implementing something that would require additional steps and barriers for commissioning new devices (similar to the 1Password “secret key”, for example), and I was not happy about it!
Follow-Up Question: What happens if someone uses their Two-Step Login Recovery Code? Will this permanently disable 2FA, as it did previously, or are changes being introduced to this behavior, as well?
… like “falling back” to the new device verification? And what happens when the person doesn’t have access to the email account then (in the sense of “not logged in at the moment to the email account” - and login data for the email account stored in Bitwarden…)? Locked out of everything then? (and I guess the same question arises for the change in general for everyone who has no 2FA activated)
If you can’t access your 2FA, you then need to use the 2FA recovery code, which then turns off your 2FA. With 2FA off, you’d be subject to the new device verification on the next unrecognized device unless you go turn 2FA on again.
Just as recovery codes belong on an Emergency Sheet, so do the creds for the email account associated with Bitwarden. The one I linked from PasswordBits does have fields for email creds.
Better though is to arrange so you will never need to use the recovery code by having multiple Yubikeys configured, storing your TOTP secret on your emergency sheet, keeping a full export, etc.
So this means that if I use an Incognito/Private browser (as I always do), then I have one and only one opportunity to get a new recovery code (or to set up a new 2FA method) if I use the recovery code. This increases my risk of losing account access permanently (e.g., if I have lost access to my email, and the post-recovery login session terminates before I was able to get the new recovery code).
Furthermore, the implication that “new device verification” will not be required on “recognized” devices raises the question of whether Bitwarden will now automatically enable the “Remember Me” option whenever 2FA is enabled. Is this correct? That seems like a reduction in security.
I understand the impetus for wanting to make 2FA mandatory for new users (and for old users who never enabled 2FA), but I think that the 2FA requirement should be relaxed when the recovery code is used — i.e., 2FA should not be automatically re-enabled in that scenario (a click-through warning message would be sufficient).
You’re welcome. If it isn’t already being done, with 2FA mandatory (and automatically enabled), it would be prudent to take steps to ensure that the user has obtained their recovery code.
Ideally, there would be a way (for both new and old 2FA users) to check the validity of the recovery code without using it (as it is one-time-use only). If this is implemented, then you could require users to verify their recovery code before 2FA set-up is finalized (e.g., as part of the “new device verification” workflow).
Something that is perhaps not coming across clear is that the new device verification is not the same thing as email two-step login, although they appear very similar.
Users are prompted only on devices that are not known to the server. A device being recognized by the server is different from the token stored on device when a user selects “remember me” in the two-step login flow. Any device that has logged into a given account previously is known.
Users are prompted only when logging in with email and password. Other login methods are exempt.
Users do not have a recovery code to disable this feature, because it is not two-step login. If a user is unable to access their email or a known device, they would need to reach out to Bitwarden support.
This is being done to ensure that accounts without two-step login set up are less vulnerable to credential stuffing attacks. For the best protection, Bitwarden continues to recommend two-step login. However there are no changes coming soon to how two-step login works.
@Micah_Edelblut Thank you for attempting to clarify this new behavior. But now I need to make sure that I understand:
Is it accurate that for a user who has already configured two-step login, they will not be required to complete a “new device verification”, even when logging in (using email, password, and 2FA) from a new device?
Also, I understand that a “recognized” device is not the same as an app for which “Remember Me” (i.e., the 30-day 2FA waiver) has been enabled. But is an “unrecognized” device the same as a device that triggers a “Login from New Device” email notice? If so, this is not an infrequent occurrence for someone (like myself) who regularly clears browser data and regularly switches IP addresses (by using the same laptop connected at home and at work, for example). If already having 2FA enabled does not exempt me from “new device verification”, this will get very annoying very fast.
Finally, could you clarify whether a “new device” is truly a new device, or if distinct Bitwarden clients running on the same device may be required to each undergo new “device” verification under some circumstances?
A “device” is an installation of a Bitwarden client. There may be multiple devices on the same machine, e.g. browser extensions in multiple browsers, desktop app, etc. Each of these has a unique device identifier that it communicates to the server. If the server recognizes the identifier and it is associated with the user logging in, the device is “known”.
Use-cases like yours, where incognito tabs are used, destroy the client-side device identifier when the session ends, thus each incognito window is a new device.
Users who have 2FA enabled are exempt from the entire new device verification feature and can expect no changes to the way login works for them.
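The rules laid out in the two replies above (device identifier known to the server versus a two-step “remember me” token; email+password logins only; 2FA users exempt; incognito windows presenting a fresh identifier each time) can be modelled in a few lines. The following is an added illustration written for this thread, not Bitwarden’s code: the `LoginServer`/`Client` classes, the return strings and the way the one-time code is “sent” are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the server-side gate described in the thread.
# Not Bitwarden's code: names, return values and storage layout are assumptions.


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    two_step_enabled: bool = False
    # Device identifiers that completed a login for this account before.
    # This set is separate from any "remember me" token the two-step flow stores.
    known_devices: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginServer:
    def __init__(self):
        self.accounts: dict = {}
        self.outbox: dict = {}  # email -> last one-time code "sent" (simulated mail)

    def register(self, email, password, two_step_enabled=False):
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _hash_password(password, salt), two_step_enabled)

    def login(self, email, password, device_id, method="password", email_code=None):
        """Outcome of one login attempt:
        "ok"              session granted, device is now known
        "bad_credentials" wrong email/password
        "two_step"        hand off to the existing (unchanged) two-step flow
        "verify_email"    unknown device, no 2FA: one-time code sent to the account email
        "bad_code"        submitted code did not match
        """
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(
            acct.password_hash, _hash_password(password, acct.salt)
        ):
            return "bad_credentials"
        if method != "password":              # SSO and other methods are exempt
            acct.known_devices.add(device_id)
            return "ok"
        if acct.two_step_enabled:             # 2FA users never see this gate
            return "two_step"
        if device_id in acct.known_devices:   # known device: no extra prompt
            return "ok"
        if email_code is None:                # unknown device: challenge by email
            code = f"{secrets.randbelow(10**6):06d}"
            self.outbox[email] = code
            return "verify_email"
        # Code is single-use: it is consumed whether or not it matches.
        if not hmac.compare_digest(self.outbox.pop(email, ""), email_code):
            return "bad_code"
        acct.known_devices.add(device_id)     # known only after a successful code
        return "ok"


class Client:
    """One client installation. The identifier lives in client storage, so an
    incognito window (or cleared site data) presents a brand-new device id."""

    def __init__(self):
        self.device_id = secrets.token_hex(16)

    def clear_storage(self):
        self.device_id = secrets.token_hex(16)


def demo():
    """Walk through the scenarios raised in the thread; returns outcomes by name."""
    server = LoginServer()
    server.register("alice@example.com", "correct horse battery staple")           # no 2FA
    server.register("bob@example.com", "a-different-long-passphrase", True)       # 2FA on
    alice_pw = "correct horse battery staple"
    laptop = Client()
    r = {}
    r["first"] = server.login("alice@example.com", alice_pw, laptop.device_id)
    code = server.outbox["alice@example.com"]            # user reads the emailed code
    r["with_code"] = server.login("alice@example.com", alice_pw, laptop.device_id, email_code=code)
    r["again"] = server.login("alice@example.com", alice_pw, laptop.device_id)
    laptop.clear_storage()                                # incognito closed / data cleared
    r["after_clear"] = server.login("alice@example.com", alice_pw, laptop.device_id)
    r["two_step"] = server.login("bob@example.com", "a-different-long-passphrase", Client().device_id)
    r["sso"] = server.login("alice@example.com", alice_pw, Client().device_id, method="sso")
    r["wrong_pw"] = server.login("alice@example.com", "nope", laptop.device_id)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

Two things the model makes visible that the prose leaves implicit: the device identifier is plain client-side state, so anything that wipes it (private windows, a cookie purge) produces a “new device” on the next login, and the set of known devices is filled only by completed logins, which is why a user with no 2FA who has lost both email access and every known device has no self-service path left.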
I also use 2FA, so I am not going to be immediately impacted. There are corner cases, though, that may make this setup less secure and upsetting to the user.
For a user with no 2FA who clears cookies regularly (for whatever reason), if their BW and email accounts get taken over and they can’t recover them quickly, they can’t log in using the web vault and in effect cannot: change their password, deauthorize sessions, or delete their accounts (including getting an email, which they still don’t have control of). They were able to do this before this feature.
For the above population, maybe now we should tell them to never clear BW cookies! This will definitely be an antithesis of clearing cookies for security.
The 2FA population clearing cookies will be less impacted. But another scenario applies if they happen to lose access to their only 2FA device and the email access at the same time. If they log in using their recovery code, changing the password (the first thing people do on a perceived hack) but not changing the email and not re-enabling a form of 2FA, then they will lose control of their BW accounts as well.
So things to possibly do to not get impacted in corner cases: don’t lose control of the email (and if you do, change it “immediately”, even before changing the password; especially important as you get logged out on password change), always enable 2FA and get the 2FA recovery code immediately even after recovery (you can’t slag off, so find another 2FA device quickly), have multiple 2FA devices, and don’t clear BW cookies regularly.
It seems that the point of the new feature is to eliminate this population, so this case will only be transiently relevant as old users are brought (kicking and screaming, perhaps) into this new era of mandatory 2FA.
However, your point about account lock-out after using the recovery code is very valid — so it is encouraging that @Micah_Edelblut has heard this concern (and will hopefully be able to effect some changes that will relax the “new device verification” requirement after use of the two-step login recovery code).
To add to your advice: After using the 2FA recovery code, immediately obtain and save the new recovery code, before doing anything else!
I think I am talking about the no-2FA population now, being forced to verify by email with this feature, who will be SOL if they can’t regain their hacked email account (and they don’t keep their cookies). Possibly very corner cases. Probably happens on other services with such a scheme too. Except that in Bitwarden’s case, you still get recommendations / retain some hope of deleting the vault, changing your master password or deauthorizing sessions, which you can’t.
So the result of this feature is that you will safeguard some people who lose the password, maybe through phishing / password reuse / patterned password, but will lock out people who get hacked with no email access and cookies. Probably wouldn’t protect from an infostealer because it might be able to just lift both the password and “known device” cookie.
The other result that most likely will be common is circular dependency (i.e. email’s password in BW vault). People who use 2FA have this often. The even greater population of no 2FA will undoubtedly be even more prone to it.
It won’t be long before the infostealers not only steal the cookies, but will just delete them too just to make life more miserable for everybody.