I recently saw an interesting post where another poster suggested that while Bitwarden is unable to access a customer’s vault, they may have the ability to change the user’s settings. One example he gave is that if a person has 2FA enabled on their account, Bitwarden may be able to disable the 2FA setting. I was wondering if anyone knows whether this is true or not, and what settings Bitwarden can actually change on the server side for their customers?
Yes, they are:
For details see here: Premium Renewal | Bitwarden Help & Support
Here’s my question then: let’s say I lost my Yubikey and don’t have a backup. Can I call Bitwarden and have the 2FA disabled? If this can be done, what does Bitwarden use to verify that the caller is who they say they are?
A similar question: if you are a premium subscriber and the subscription payment fails, and you were using a Yubikey, I assume your 2FA will just get disabled?
The online help pages may be useful to answer your questions, @paulsiu:
You will not be locked out of your Vault; however, you will not be able to use advanced Two-step Login options like Yubikey, FIDO2, or Duo for authentication.
- If you have a core Two-step Login option enabled (authenticator app or email), you will be prompted to use the enabled option.
- If you do not have another Two-step Login option enabled, you will authenticate into your Vault without Two-step Login.
A more interesting question (which is not answered in any of the linked documentation) is this:
That is to say, is there a plausible attack vector using social engineering and/or counterfeit identification credentials?