What to do with 2FA for Bitwarden while traveling etc

Is it me, or is it like those who came up with these “alternative” options never travel outside a major city limits and are never without their phone, HW tokens on their keychains, printed recovery codes in their wallets, or have their strong BW email PW safely stored in BW.

Now, imagine any of the rest of us who go off-grid occasionally and lose everything: phone, wallet, everything… and you suddenly need your Passport number, so you log in to bitwarden.com on some random computer at an internet cafe in an unknown country … and are prompted for a “verification” code that you cannot possibly get?

Whatareyagonnado, sport?

I think THAT is the question everybody has been asking over and over since January. We need a real solution that works for the worst case. I was reminded of this today when I logged into bitwarden.com for the first time in a LONG time (I use the browser add-on, or the PC app), and was asked for a verification code. I had not set up a login in my vault with the built-in Authenticator for this, so I couldn’t use my browser extension, there is no Desktop Authenticator app, and the email option never sent an email code, and if I hadn’t had my phone with the BW Authenticator on it, I would not have been able to log in. Of course I had all the other options for access, but it brought this issue to the forefront for me once again.

The best solution I’ve seen thus far is to store your BW recovery key (perhaps jumbled in some memorable way) on some nondescript, publicly available (or easily remembered PW protected) web page somewhere on the Internet. This nondescript set of characters will be useless to anyone but you, and you could always access it. Presumably you’d have access to it if you were simultaneously trying to log in to bitwarden.com.

Alternatively, you could leave your BW email PW lying around on the same public web page. Or perhaps, replace your 35 random character BW email PW with a 10 character word you can remember.

How did you deal with this prior to March, 2025 (when the NDLP feature was rolled out)?

As I did all the previous years I used BW, by logging in with my Master Password.

You can return to that practice, if you log in to the Web Vault and disable New Device Login Protection (in the “Danger Zone” section under Settings > My Account). Might be a good idea to re-enable this protection after returning from your off-grid (mis-)adventure, though.

However, on re-reading your previous comment, it seems that your login troubles were in fact not caused by the New Device Login Protection, but by the Two-Step Login method(s) that you had previously enabled:

It would definitely be a good idea for you to retrieve and store your 2FA reset code in a safe location, so that you can use it to log in to your account should you have trouble getting your two-step login authentication codes again in the future.

I have the reset code in my safe, at home. But as I indicated, that wouldn’t do me much good on my misadventures. I stand by my comment that there needs to be a better (thought-out) solution for those who don’t expect to always have a phone with them, or their wallet, or remember their random passwords they use BW to store for them (remember that?), but just an old, worn out PC with a modem dialup to the internet between them and getting home… and they can’t log into BW. Yeah.

Hey @GrizzlyiAK have you considered keeping a passkey for your Bitwarden account on a security key (protected by pin)?

Phone a friend/spouse/parent/offspring. In addition to your passport number, they probably will need to help you buy a new airplane ticket and work with the phone store to transfer your number to a new phone. This trusted person should also be able to retrieve your emergency kit to help you rebuild your digital access.

This same event that caused you to lose everything could have resulted in hospitalization with memory loss. The doctors and your loved ones would appreciate you carrying a wallet card containing your emergency contacts. And, to address the lost-wallet scenario, keep a copy of the wallet card in your luggage too.

Just disable your Two-Step Login methods and disable New Device Login Protection — then your master password will be the only thing that stands between you and your vault (or between a snoop and your vault, for that matter).

Though I see the general predicament, it could be argued that it’s probably a good thing not to be able to access your Bitwarden vault from an “old, worn out PC” which is not your own machine, and therefore has (at least to you) an unknown security status, where you are completely in the dark about whether some kind of malware is installed or not (e.g. sniffing your master password)…

I can’t argue with that, but if it is the only way to get home, then that leads us back to days of remembering the one PW you use on EVERY account you own, making BW irrelevant. THAT’s not a good solution either. And agreed, I could revert back to just a PW and hope for the best. I use MFA on every account that has it, and rely on BW to keep it ALL safe. So losing access to EVERYTHING because of MFA is ironic.

I guess my point is that it seems sometimes like people making decisions for all users don’t really put the necessary thought into their solutions, or they don’t care or consider anything but the expected mainstream user base. They had to backtrack a bit here and create “options”, seemingly after the fact. Not a good look, IMO.

I don’t have to use BW, but I choose to, and I am a premium subscriber because I believe in OSS and BW’s mission. I also want to CONTINUE with that too.

I truly don’t know the solution to this issue.

On another note, let me ask this: I assume the vault is stored locally on your device in encrypted format in a file that I also assume is subject to a file-based brute force attack (if someone has access to the file), without going through the BW app. If that is true, then under those circumstances, MFA would be irrelevant. Also, is there a forced timeout on the web-vault login, say 10 minutes after 3 wrong tries? (Can’t recall and never faced it). If not, why not? That would at least help with rogue password “guessing”.

Cheers.

All good advice, and would be extremely helpful in many circumstances; but not all. Barring memory loss, with access to my vault and accounts, I could do ALL of the above myself without assistance, with a computer (even if infested - I know how to look for all but the most sophisticated keyloggers on unknown computers).

That is my ultimate goal, which may require converting to PW only (if that is still indeed an option) when traveling, as someone suggested (if I remember).

One thing BW could provide is an option upon login to the web vault to make it a “last-time normal” log in until you log in again with DIFFERENT credentials, e.g., your active PW IN ADDITION TO another unsaved, but memorized, passcode that must be entered the next time you log in (this is preset). This would prevent keyloggers from being able to subsequently access your account with the PW you entered to log in the first time, while allowing you full control in such circumstances. Once back in safe territory you turn that option back off.

That’s just me thinking out loud.

Cheers.

It’s unclear what specific decision you are complaining about.

Yes, if an attacker has access to the encrypted local vault cache, then they could in theory decrypt it by brute-force guessing the master password (or the unlock PIN, if applicable), and the MFA would be irrelevant. For that reason, you need to use a randomly generated master password that has sufficient entropy to make a successful brute-force guessing attack implausible (e.g., impossible to achieve without a multimillion dollar investment). It is recommended that you use a master password that has at least 50 bits of entropy, such as a randomly generated 4-word passphrase.
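The entropy arithmetic behind the 50-bit / 4-word recommendation above, as an added example that is not part of the original thread and not Bitwarden's own code. It assumes a 7776-entry diceware-style wordlist, 600,000 PBKDF2-SHA256 iterations for the master key (Bitwarden's current default, stated here as an assumption) and an attacker able to compute 10^10 SHA-256 hashes per second; all three figures are parameters, not claims from the thread. The sample wordlist is constructed and far too small for real use; only the list size matters for the math. For comparison it also scores the "10-character word you can remember" idea from earlier in the thread and a 35-character random password.

```python
import math
import secrets

# Constructed sample wordlist (far too small for real use). A real
# diceware-style list such as the EFF long list has 7776 entries; only the
# list *size* enters the entropy math, so the real figure is passed explicitly.
SAMPLE_WORDS = ["abacus", "banjo", "cactus", "dolphin", "ember",
                "falcon", "glacier", "harbor", "igloo", "juniper",
                "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words drawn uniformly, with replacement,
    from a list of wordlist_size entries."""
    return num_words * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet of
    alphabet_size symbols (94 = printable ASCII without space)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from this list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(entropy_bits: float, hashes_per_second: float,
                           kdf_iterations: int) -> float:
    """Expected time to brute-force an *offline* copy of the vault.

    Each master-password guess costs kdf_iterations hash computations, and on
    average the attacker tries half of the keyspace before the right guess.
    Online guessing is far slower because the server rate-limits it.
    """
    guesses_per_second = hashes_per_second / kdf_iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second


def generate_passphrase(wordlist, num_words: int) -> str:
    """Pick words with the CSPRNG in `secrets`; never use `random` for this."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    SECONDS_PER_YEAR = 365.25 * 86400
    ITERATIONS = 600_000      # assumed PBKDF2-SHA256 iteration count
    ATTACKER_RATE = 1e10      # assumed SHA-256 computations per second
    cases = [
        ("4 words from a 7776-word list", passphrase_entropy_bits(4, 7776)),
        ("one 10-letter dictionary word (~100k-word dictionary)", math.log2(100_000)),
        ("35 random printable ASCII characters", random_string_entropy_bits(35, 94)),
    ]
    for label, bits in cases:
        years = expected_crack_seconds(bits, ATTACKER_RATE, ITERATIONS) / SECONDS_PER_YEAR
        print(f"{label}: {bits:.1f} bits, expected crack time {years:.3g} years")
    print("words needed for 50 bits:", words_needed(50, 7776))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Under those assumptions four random diceware words (about 51.7 bits) take on the order of a few thousand years to brute-force offline, while a single memorable dictionary word (about 17 bits, whatever its length) falls in seconds; the KDF iteration count scales the cost linearly, the entropy scales it exponentially.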

Specifically? The one that started THIS thread. Isn’t that what we’ve all been discussing the last 8 months, after all?

The issues you described in your first comment were not related to “New Device Login Protection”. As I pointed out previously, the problems you were encountering when you were attempting to log in to the Web Vault yesterday were caused by the fact that you had enabled TOTP authentication as MFA on your account (and subsequently had trouble getting the required TOTP code). Whenever you enable any form of MFA on your Bitwarden account, the “New Device Login Protection” is automatically disabled — consequently, this new feature (the topic of this thread) did not play any role in your woes.

Yes it remains an option. @grb described the process earlier today. But do keep in mind that anything you can memorize can be replayed by a keylogger, shoulder surfer, adversary in the middle, etc. There really is no substitute for one-time-passwords.

One other possibility would be to get a spare physical TOTP token (or better yet, FIDO2) to keep back at the hotel in your suitcase. Then, the keylog-infested worn out PC will not have enough to be replayable.

Your “last-time normal” concept sounds much like a look-up secret table. Perhaps open a separate feature request for it.

A locally stored vault exists only if you are logged in. You can minimize its presence by setting your vault timeout action to logout.

Bitwarden does have rate limiting; IIRC, it limits you to something like 6 attempts per minute and turns on a captcha after a few failures.

If interested in the details, you might check out Bitwarden’s Security White Paper.

I look at it a bit differently. Bitwarden gets to define the baseline controls because that determines the fate of their corporate reputation. Our ability to identify border cases should not require them to decrease the baseline, but rather it should encourage us to come up with equally secure mitigations, such as the emergency sheet.

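An added example, not Bitwarden's code and not a description of how its servers actually implement the rate limiting mentioned above: a sliding-window login throttle of the kind the earlier question asked for ("10 minutes after N wrong tries"). The parameters (6 failures per 60 seconds, 10-minute lockout), the user record and the password are all constructed for the example; the KDF iteration count is kept low only so the block runs quickly.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window failure counter per account with a temporary lockout.

    max_failures failed attempts within window_seconds lock the account for
    lockout_seconds. The current time is passed in explicitly so behaviour is
    deterministic; production code would pass time.monotonic().
    """

    def __init__(self, max_failures=6, window_seconds=60, lockout_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._locked_until = {}               # account -> time the lockout ends

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, account, now):
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False
            # Lockout expired: start again with a clean slate.
            del self._locked_until[account]
            self._failures[account].clear()
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Constructed user store: one account whose password is stretched with
# PBKDF2-SHA256 (deliberately few iterations so the example runs fast).
KDF_ITERATIONS = 10_000


def _stretch(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


_salt = os.urandom(16)
USERS = {"alice@example.com": (_salt, _stretch("correct horse battery staple", _salt))}


def verify_password(account, password):
    record = USERS.get(account)
    if record is None:
        # Unknown account: spend the same KDF cost so response time does not
        # reveal whether the account exists.
        _stretch(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_stretch(password, salt), expected)


def attempt_login(limiter, account, password, now):
    """Returns 'ok', 'bad_credentials' or 'rate_limited'.

    A locked-out account gets 'rate_limited' even for the right password, so
    the lockout state cannot be used as a password oracle, and the limiter is
    consulted *before* the expensive KDF so guesses cost the server nothing.
    """
    if not limiter.allowed(account, now):
        return "rate_limited"
    if verify_password(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "bad_credentials"
```

Note the trade-off a hard lockout introduces: anyone who knows your e-mail address can lock you out of your own account by sending six wrong passwords, which is one reason services pair a short window with a CAPTCHA or escalating delays instead of a long lockout, and why this limiter is no substitute for a high-entropy master password against an offline copy of the vault.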
Thanks for all of this info. It is indeed helpful. Cheers.

My mistake. Thanks for the clarification.

@GrizzlyiAK As your issue wasn’t based in the “New Device Login Protection”, I have now moved our discussion into a separate topic. (If there is any criticism of the title, please express it, as I’m not sure myself if I’m that eloquent today.)
