Something that is perhaps not coming across clearly is that the new device verification is not the same thing as email two-step login, although they appear very similar.
- Users are prompted only on devices that are not known to the server. A device being recognized by the server is different from the token stored on the device when a user selects “remember me” in the two-step login flow. Any device that has logged into a given account previously is known.
- Users are prompted only when logging in with email and password. Other login methods are exempt.
- Users do not have a recovery code to disable this feature, because it is not two-step login. If a user is unable to access their email or a known device, they would need to reach out to Bitwarden support.
This is being done to ensure that accounts without two-step login set up are less vulnerable to credential stuffing attacks. For the best protection, Bitwarden continues to recommend two-step login. However, there are no changes coming soon to how two-step login works.
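As an added illustration (not Bitwarden's code), the following model separates the two records the post distinguishes: the server-side list of known devices, which drives new device verification, and the client-side "remember me" token, which only affects two-step login. The method names `'password'` and `'sso'` are assumptions used to represent email+password versus other login methods.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    # Server-side record: every device that has completed a login before.
    known_device_ids: Set[str] = field(default_factory=set)
    two_step_enabled: bool = False


@dataclass
class Device:
    device_id: str
    # Client-side token stored after "remember me" in the two-step flow.
    # It is a separate record from the server's known-device list.
    remember_me_token: Optional[str] = None


@dataclass
class LoginOutcome:
    new_device_verification: bool  # emailed code required before login
    two_step_prompt: bool          # ordinary two-step login challenge


def login(account: Account, device: Device, method: str) -> LoginOutcome:
    """Decide which challenges a login attempt triggers.

    Assumption (not from the post): login methods are strings such as
    'password' (email+password), 'sso' or 'passkey'.
    """
    # New device verification applies only to email+password logins and
    # only when the server has never seen this device for this account.
    needs_device_check = (
        method == "password"
        and device.device_id not in account.known_device_ids
    )
    # Two-step login is an independent check; a remember-me token bypasses
    # it but has no bearing on whether the device is known to the server.
    needs_two_step = account.two_step_enabled and device.remember_me_token is None
    return LoginOutcome(needs_device_check, needs_two_step)


def complete_verification(account: Account, device: Device) -> None:
    """After the emailed code is confirmed, the server records the device."""
    account.known_device_ids.add(device.device_id)
```

The model has no recovery code path for new device verification, matching the post: an unknown device with no email access has nothing to fall back on except support.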