There was a tweak made to the query as you were not the only one who reported similar. The emails are going out in batches giving us the opportunity to adjust.
- It is not in the language of my web vault…
- I find the expression of “reliable access” (to the BW email account) a bit vague and possibly misleading for non-tech-savvy people… I think something like “reliable access independent of your Bitwarden account” would have been more straightforward and better to understand the (not so obvious) situation / consequences.
- The emails are only being sent in English.
- I will pass this feedback along to the team, thank you. There are ongoing discussions and feedback gathering regarding improvements to processes like this in the future.
When designing this feature, were there any thoughts about making it so that unrecognized devices are subject to a waiting period (e.g. 2 days, but adjustable by the user) before getting auto-approved? The user will get notified about the unrecognized device, via emails, notifications in the desktop/mobile app, notifications in the browser extension, etc. and can either explicitly accept the device as verified to skip the waiting period, or reject the device (and then change the vault password if needed). That way, in the worst case scenario where the user can’t access their trusted devices, the only consequence would just be an annoying waiting period as opposed to being 100% unable to access their vault.
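To make the proposed waiting-period policy concrete, here is a small simulation of it as a state machine. This is an added illustration written for this thread, not Bitwarden code and not how New Device Verification actually works; the class name, the 2-day default and the device ids are assumptions for the example. It shows the three outcomes the post describes: auto-approval after the waiting period, explicit approval that skips the wait, and rejection that keeps the device out and flags that a password change is advisable.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class DeviceState(Enum):
    PENDING = "pending"      # seen, user notified, waiting period running
    APPROVED = "approved"    # either auto-approved or explicitly accepted
    REJECTED = "rejected"    # explicitly rejected by the user


@dataclass
class DeviceRecord:
    state: DeviceState
    requested_at: datetime


@dataclass
class NewDevicePolicy:
    """Hypothetical 'unrecognized device waits N days unless the user acts' policy."""
    waiting_period: timedelta = timedelta(days=2)  # user-adjustable in the proposal
    devices: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    password_change_recommended: bool = False

    def login_attempt(self, device_id: str, now: datetime) -> bool:
        """Return True if the device may access the vault at time `now`."""
        rec = self.devices.get(device_id)
        if rec is None:
            # First sighting: record it, notify the user on every channel, deny for now.
            self.devices[device_id] = DeviceRecord(DeviceState.PENDING, now)
            self.notifications.append(
                f"unrecognized device {device_id!r} first seen {now.isoformat()}"
            )
            return False
        if rec.state is DeviceState.APPROVED:
            return True
        if rec.state is DeviceState.REJECTED:
            return False
        # Still pending: auto-approve only once the full waiting period has elapsed.
        if now - rec.requested_at >= self.waiting_period:
            rec.state = DeviceState.APPROVED
            return True
        return False

    def approve(self, device_id: str) -> None:
        """User explicitly accepts the device, skipping the remainder of the wait."""
        self.devices[device_id].state = DeviceState.APPROVED

    def reject(self, device_id: str) -> None:
        """User rejects the device; since someone else knew the master password,
        recommend rotating it."""
        self.devices[device_id].state = DeviceState.REJECTED
        self.password_change_recommended = True

    def remaining_wait(self, device_id: str, now: datetime) -> timedelta:
        """How long a pending device still has to wait (zero if not pending)."""
        rec = self.devices[device_id]
        if rec.state is not DeviceState.PENDING:
            return timedelta(0)
        return max(timedelta(0), rec.requested_at + self.waiting_period - now)
```

The trade-off the simulation makes visible: anyone who holds the master password and is never rejected gets in after the waiting period, so the policy only helps if the notifications reliably reach the legitimate user and they act on them. The rejection path, not the timer, is the control that actually stops an unauthorized login.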
I can’t speak to whether this was considered, but it sounds like a valid feature request nonetheless. I would recommend submitting via the Feature Request forum for consideration.
Thank you. I have created a new topic in Feature Requests here.
Professor Farnsworth: “Good News Everyone” - proceeds to announce terrible news.
On a more serious note, is there any room for negotiation on this feature? Offering an opt-out option for users who are willing to accept the risk seems like a reasonable compromise. Why can this not be done? Would paying for the engineer time for someone to add this option to the settings be too expensive? What if an open source contributor did the code for free? I can’t imagine making this feature mandatory is driven by customer requirements given the consistent negative feedback you’ve received.
Others have pointed out the circular dependency this creates between the email and the password manager. My password manager is something I expect to be there for me when I lose all my devices when I am mugged while travelling abroad. In that situation, I expect to be able to buy another phone, and have zero drama installing my password manager on the new phone, and be ready to go. I have no intention of disabling 2FA and changing my email password from the strong, randomly generated password to a weak password that I can actually remember.
If a user is unable to access their email or a known device, they would need to reach out to Bitwarden support.
Now, I don’t know what sort of identity verification procedure Bitwarden support would do, but on the surface, this does appear to open the door to social engineering. If a social engineer can bypass this feature anyway, then what’s the point?
I don’t have a lot of commercial negotiating power here. I’m not some corporate client with 5000 seats - I’m just one guy with a family plan. But if this policy change goes into effect without an opt-out, then Bitwarden would no longer meet my resiliency and availability requirements, and I’ll have to take my family plan somewhere else.
I don’t want to take my family plan somewhere else, I like Bitwarden. Self hosting Vaultwarden, or Nextcloud to sync a KeePassXC database is more expensive, more work, and less resilient. Can we negotiate?
Welcome, @goldfish6454, to the community!
Not an employee, so only speculating. An opt-out would not reduce Bitwarden’s risk of appearing in the news and being judged in the court-of-public-opinion due to supporting single-factor authentication.
Bitwarden provides an opt-out of sorts in that they already clarified that this only applies to accounts that do not have some sort of MFA enabled on them. Since you already are familiar with 2FA, add it to Bitwarden upping the security posture for your vault and mooting your concern.
The only real gotcha is that Bitwarden’s TOTP should not be stored (solely) in Bitwarden as that would become a circular dependency. This can be as simple as Google Authenticator (uugh). Just be sure to record the TOTP secret key on your emergency sheet so that the TOTP authenticator can also be recovered from paper.
Hi @DenBesten, thanks for the warm welcome! I’m glad to be here.
Thanks for the advice. Keeping the TOTP secret in the emergency sheet is a great idea, and it would definitely not be much of an additional burden to my existing disaster recovery plan / estate plan, which includes offline vault backups, etc.
However, I have a hard requirement that I be able to access my password vault from a brand new device using only information from my brain (A backup of this info would be in the emergency sheet in case of death or memory loss, of course). Memorizing a diceware passphrase for the master password is reasonable, memorizing a TOTP secret is not. I must be able to recover with minimal interruption in the event of losing all my devices while traveling by purchasing a new device. This requirement is non-negotiable.
I really like Bitwarden, and I don’t want to switch. Though I feel this new policy is not based in common sense, especially when you consider that it may (and I don’t know for sure, because I have no idea how Bitwarden support verifies identities) be bypassed through social engineering anyway.
I’d really like to attempt a good-faith discussion about this before “firing the vendor” and looking for another solution. Other solutions will be more work and cost more, and losing the organizational vault that I use with my family, along with the emergency access feature will be a bummer.
The way I get around this is by memorizing the phone number of a few trusted family/friends who can retrieve my emergency sheet and fax it to the phone store.
Another possibility would be to write the TOTP secret on a piece of paper with no context as to its purpose and store it in your suitcase.
The thing is that you probably have already lost that battle. A mugging likely would also result in loss of your wallet (credit cards and ID), making it really difficult to get the new phone.
For travel emergencies, the single best resource one can have is a trusted friend/family who can act on your behalf: contacting lawyers, reaching out to embassies, wiring money, offering a shoulder to cry on, etc.
Forgive me if I’m raising points already discussed before.
Suppose I have the following setup:
- Bitwarden account that only has security keys as 2fa.
- Emergency sheet with 2fa recovery code, mp, and email.
Now, suppose every device I own, every security key, and my 2fa to my email is gone because of some unfortunate event beyond my control. Fortunately, my emergency sheet is stored off-site.
In this scenario, will the new requirement allow me to log back in successfully?
What happens if I get accidentally disconnected after I log back in and don’t set up a 2fa method?
Said circular dependency concern was raised almost immediately after the announcement.
My suggestion: set up TOTP as an additional factor and store the TOTP secret key on your emergency sheet. This way you can (temporarily) set up Google Authenticator to regain access without ever needing to disable MFA.
The current status is that you would need to contact Bitwarden Customer Support and convince them to allow you to bypass the New Device Verification. I have proposed that the New Device Verification requirement should be automatically relaxed when the Two-Step Login Recovery Code is used, and Bitwarden seemed to be reasonably open to this feedback (@Micah_Edelblut Any developments in this area?).
In the meantime, it would be essential that you immediately save the new 2FA Recovery Code and set up a new 2FA method as soon as you are logged in to the Web Vault after using the Recovery Code method. This will significantly reduce the risk of the lock-out scenario that you (and I) have envisioned.
Hello!
I just found this topic by accident. I’m a free user and didn’t receive any information about this change yet.
I’m stuck with the thought of a circular dependency, where my email pw is inside bitwarden.
For different reasons I’m travelling a lot and I honestly don’t know what to do in case of losing my phone or being robbed.
Either way, I would lose access to a possible separate authenticator as some recommended.
Not only that, but I would also lose access to backup logins.
Having the possibility of logging into my vault from any other device is the reason why I don’t use an offline password manager.
And for that reason I have one long password to remember.
My emergency sheet is not with me when travelling and no second person has access to it for obvious reasons.
If I can’t opt out of having 2FA on my BW account, what are your recommendations for that case?
Thanks for your support!
I think the best solution is to carry 1-2 Yubikeys when you travel, and to store at least one key separated from your devices.
Alternatively, write down the username/password for your email account (or for a cloud-based TOTP authenticator app) on a piece of paper, and tape it to the inside of your passport when you travel.
I understand your reasoning.
But I think if things go sideways, I won’t have my passport left either. And the yubikey is probably with my wallet or my keys - which got all stolen in my scenario.
Anyways, I think if a 2FA is going to be enforced by bitwarden, I’m screwed. I was thinking about having TOTP at bitwarden, too (that’s how I first found out about the enforced 2FA) as this would be the best solution for me.
Of course, this comes with other risks, but losing access to my phone and valuables is more likely to happen to me in my specific situation than phishing or malware.
2FA is needed for my emails as well - there’s no solution for my scenario to break the circular dependency I guess.
Probably I have to start searching for another service as an all in one solution without enforced 2FA which is really a pity as I enjoyed bitwarden for years!
@Ludomesa I think I may have read somewhere here before an idea that might work:
Bitwarden’s email-2FA can be set up to a different email address than your BW account’s email.
If you set up an extra email address - best would be only for Bitwarden 2FA - and secure that email address with a memorable random-words-passphrase (probably without any 2FA for that email address then…), you would be able to login to that email, and get the email-2FA-OTP/verification code for the Bitwarden login.
Essentially, with knowing the Bitwarden master password and the passphrase to that email address, you would be able to login to Bitwarden.
(if I didn’t forget a piece of the puzzle right now…)
Though beware, email-2FA is normally not the recommended 2FA-method for the Bitwarden account (FIDO2 would be best). If you hadn’t written that you travel a lot, I might have said you could only activate that email 2FA for the account in case you travel…
What do you expect to have left? You don’t anticipate being abducted by aliens who leave you naked and property-less in some desolate meadow, do you?
Depending on your answer, I may offer additional suggestions.
In this scenario, to where do you envision installing Bitwarden? Without an ID and a credit card the phone store probably will not hand you a new phone.
When travelling you really do need to memorize the phone number for a trusted contact back home that can contact embassies, wire you money and yes, fax a copy of your passport and your emergency sheet to you.
This is not obvious to me. They don’t need to have access today; they just need to be able to follow verbal instructions. I can tell them under which rock my front door key is hidden and after they are in, my vault’s combination.
I like the alien theory
When travelling (for work or private) I travel with less than 8kg baggage. Imagine it as backpacking. But not always in touristy areas in secure countries. So being robbed and left with only the clothes on my body is what I want to solve.
For backup, I have e.g. passport copies and other docs as well as a possibility to wire money or get money wired, encrypted in a cloud.
All well protected by bitwarden and all I need is a hopefully secure computer in a police station.
I don’t expect to have the possibility to buy a phone or even network coverage.
I’ve been in similar situations before, so my threat model is maybe a bit less mainstream but it’s reasonable for backpackers, vanlifers or people in more special work-life situations outside of the society standards.
But for me it’s solvable without having a circular dependency introduced by Bitwarden enforcing 2FA.
Regarding the emergency sheet, it would take someone at least a day to access it.
If BW enforces 2FA, I might have to split the backup code for my vault into two pieces and give it to two different trusted people.
A second email address solely for BW 2FA could be an option. It just requires a separate account without 2FA. That could work until 2FA becomes mandatory there, too.
I get that I’m maybe not the standard user that BW targets but I’ve read about people asking about circular dependency on email as well. So it seems to be a topic.
What is it that BW wants to achieve with enforced 2FA - or what’s the initial motivation to introduce that now? Is it to make all vaults safer as a lot of vaults are getting hacked or is it to obtain some industry certification or just meeting internal KPI of “2FA secured vaults 100%”?
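On the idea above of splitting a recovery code between two trusted people: cutting the code in half hands each holder half of the secret outright, whereas an XOR split gives each holder a share that is useless on its own and still lets the two shares reconstruct the code exactly. The following is an added example written for this thread (not Bitwarden code, and the recovery code in it is a constructed placeholder, not a real one); it contrasts the naive halving with a 2-of-2 XOR split and renders the shares as hex so they can be written on paper.

```python
import secrets


def naive_split(code: str) -> tuple[str, str]:
    """The weak approach: each half of the string is readable on its own."""
    mid = len(code) // 2
    return code[:mid], code[mid:]


def xor_split(secret: bytes) -> tuple[str, str]:
    """2-of-2 secret split: share_a is uniformly random, share_b = secret XOR share_a.
    Either share alone is statistically independent of the secret."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    # Hex so each share is a short string a person can write down and read back.
    return share_a.hex(), share_b.hex()


def xor_recover(share_a_hex: str, share_b_hex: str) -> bytes:
    """Combine both shares to rebuild the original secret."""
    share_a = bytes.fromhex(share_a_hex)
    share_b = bytes.fromhex(share_b_hex)
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def split_recovery_code(code: str) -> tuple[str, str]:
    """Convenience wrapper: split a text recovery code into two paper-friendly shares."""
    return xor_split(code.encode("utf-8"))


def recover_recovery_code(share_a_hex: str, share_b_hex: str) -> str:
    return xor_recover(share_a_hex, share_b_hex).decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholder, not a real Bitwarden recovery code.
    CODE = "EXAMPLE-RECOVERY-CODE-0000"
    print("naive halves:", naive_split(CODE))          # each half leaks half the code
    a, b = split_recovery_code(CODE)
    print("share A:", a)
    print("share B:", b)
    print("recovered:", recover_recovery_code(a, b))   # == CODE
```

Two practical notes: the shares must be generated with a cryptographic RNG (hence `secrets`, not `random`), and because this is 2-of-2, losing either share loses the code, so the recovery code itself should still exist on a separately secured emergency sheet as the post already assumes.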
Either get a dedicated email for email 2FA, or register for an Ente Auth to use TOTP as your Bitwarden 2FA.
Then you’ll only need access to the login credentials for one additional account (either the email account or the Ente Auth account) in order to supply 2FA for your Bitwarden login (thereby avoiding the new device verification).
To ensure that you will have access to the required login credentials after being robbed, you could do one or more of the following:
- Memorize the credentials.
- Make them identical to (or easily derivable from) your Bitwarden login credentials (e.g., if your Bitwarden master password is everyone-buddy-reissue unbitten, then your Ente Auth password could be unbitten-reissue-buddy-everyone). This does introduce some additional risk, but it is not much worse than disabling 2FA.
- Write the credentials in indelible ink on a piece of fabric or plastic, and sew this piece into the lining of your jacket or into your underwear.