I recently saw an interesting post where another poster suggested that while Bitwarden is unable to access a customer’s vault, they may have the ability to change the user’s settings. One example he gave was that if a person has 2FA enabled on their account, Bitwarden may be able to disable the 2FA setting. I was wondering if anyone knows whether this is true or not, and what settings Bitwarden can actually change on the server side for their customers?
Here’s my question then: let’s say I lost my Yubikey and don’t have a backup. Can I call Bitwarden and have the 2FA disabled? If this can be done, what does Bitwarden use to verify that the caller is who they say they are?
A similar question: if you are a premium subscriber and the subscription fails and you were using Yubikey, I assume your 2FA will just get disabled?
This question is very clearly answered in the help page that was shared by @Peter_H (and again by @dh024):
Two-step Login
You will not be locked out of your Vault, however you will not be able to use advanced Two-step Login options like Yubikey, FIDO2, or Duo for authentication.
- If you have a core Two-step Login option enabled (authenticator app or email), you will be prompted to use the enabled option.
- If you do not have another Two-step Login option enabled, you will authenticate into your Vault without Two-step Login.
A more interesting question (which is not answered in any of the linked documentation) is this:
That is to say, is there a plausible attack vector using social engineering and/or counterfeit identification credentials?