What can Bitwarden (the company) change in a customer's settings?

I recently saw an interesting post where another poster suggested that while Bitwarden is unable to access a customer’s vault, they may have the ability to change the user’s settings. One example he gave is that if a person has 2FA enabled on their account, Bitwarden may be able to disable the 2FA setting. I was wondering if anyone knows whether this is true or not, and what settings Bitwarden can actually change on the server side for their customers?

Yes, they are:
For details see here: Premium Renewal | Bitwarden Help & Support


Here’s my question then: let’s say I lost my Yubikey and don’t have a backup. Can I call Bitwarden and have the 2FA disabled? If this can be done, what does Bitwarden use to verify that the caller is who they say they are?

A similar question: if you are a premium subscriber and the subscription fails and you were using Yubikey, I assume your 2FA will just get disabled?

The online help pages may be useful to answer your questions, @paulsiu:

This question is very clearly answered in the help page that was shared by @Peter_H (and again by @dh024):

Two-step Login
You will not be locked out of your Vault; however, you will not be able to use advanced Two-step Login options like Yubikey, FIDO2, or Duo for authentication.

  • If you have a core Two-step Login option enabled (authenticator app or email), you will be prompted to use the enabled option.
  • If you do not have another Two-step Login option enabled, you will authenticate into your Vault without Two-step Login.

A more interesting question (which is not answered in any of the linked documentation) is this:

That is to say, is there a plausible attack vector using social engineering and/or counterfeit identification credentials?