What’s your best 2FA strategy to avoid a lockout? Share your best tips and tricks and we’ll share a few in the next Vault Hours session.
I recommend this 3-pronged strategy:
- Regularly create backups of your vault contents, by creating exports. Among other benefits provided by backing up your data, this will give you a way to start over, should the other two strategies fail.
- After enabling 2FA, obtain your 2FA reset code (a.k.a. the "two-step login recovery code"), and record it on your emergency sheet (a.k.a. the “security readiness kit”). This will allow you to disable the 2FA requirement if you lose access to your 2FA.
- After enabling 2FA on your Bitwarden account, disable New Device Login Protection (under Settings > My account > Danger Zone in the Web Vault). This step may be controversial because it carries some risks*, but I personally recommend it because otherwise you may only have one chance to ensure continued account access after using the 2FA reset code — there is a risk you will get locked out of your account if something goes wrong (e.g., problems with your device or your internet connection after you use the reset code) before you have finished setting up your account configuration.
*Risks associated with disabling New Device Login Protection can be mitigated by enabling only a secure form of 2FA, such as FIDO2/WebAuthn hardware keys (and avoiding possibly insecure 2FA methods such as email verification codes).
I agree with @grb. So, only minor additions:
- to remind of “the usual”: put at least your BW email address, master password, 2FA recovery code, maybe server region on your emergency sheet(s) – optional: login credentials to your BW email address (especially if you have the New Device Login Protection enabled)
- PS: maybe also include scenarios, where you might have an accident (or worse) and your family etc. might need access (–> up to “digital legacy”)
- use FIDO2-2FA-”passkeys” if possible – with at least one backup (e.g. one backup hardware security key in a safe place)
- decide for yourself if you want to use more than one 2FA method (to avoid a lockout) or use only one 2FA method (to make it more secure)
- if you use TOTP/authenticator app: put that authenticator key / TOTP seed code also on your emergency sheet, so that you can set it up easily again, if necessary
- test your scenario – and check it for possible “circular dependencies” –> especially ask yourself, if you could still login to your Bitwarden account/vault, if you had nothing in your hands but your emergency sheet (and obviously, make sure you have emergency sheet(s))
- example: if you used email-2FA and realize, you couldn’t login to your email account with just the emergency sheet, then you have to change something with your setup
- in theory, a “login-with-passkey”-passkey would also be a nice “backup login method” – but only when they can be used for all BW apps and when they get the ability to authorize all actions and could really “replace” the master password (and 2FA)
(Further) remarks for Bitwarden:
- it would be good to be able to test if the 2FA recovery code I “wrote down” is valid or not (feature request: Test/check the two-step login (2FA) recovery code)
- it would be good, if nobody could forget to store the 2FA recovery code (feature request: Require Recovery Code Prompt on Initial Two-step Login Setup)
- it would be good, if we could easily rotate the 2FA recovery code (at the moment, only using it rotates it) (feature request: Add an option to rotate the two-step login recovery code from the web vault)
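One way to make sure the TOTP seed written on the emergency sheet is actually usable, as an added example that is not part of the post above or of Bitwarden: regenerate a code from the hand-copied seed with the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second steps, 6 digits, which is what authenticator apps use by default) and compare it with what the app shows right now. The sample seed is the RFC 6238 test secret, not a real account seed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the SHA-1 test secret from RFC 6238 ("12345678901234567890"),
# written in base32 the way an authenticator app exports it. Not a real account seed.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def normalize_seed(seed_on_paper: str) -> bytes:
    """Turn a hand-copied base32 seed into key bytes.

    Tolerates the group spacing and lowercase people use on an emergency sheet
    and restores the '=' padding many apps drop. Raises ValueError on characters
    outside the base32 alphabet (e.g. a '0' or '1' mis-copied for 'O' or 'I').
    """
    cleaned = "".join(seed_on_paper.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)  # binascii.Error is a ValueError subclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_on_paper: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(normalize_seed(seed_on_paper), unix_time // STEP_SECONDS, digits)


def seed_matches_app(seed_on_paper: str, code_shown_by_app: str, unix_time: int,
                     drift_steps: int = 1) -> bool:
    """True if the written-down seed reproduces the code the authenticator shows.

    Also checks the neighbouring time steps, so a code read a few seconds before
    the check still matches. A seed that does not decode can never match.
    """
    try:
        candidates = {
            totp(seed_on_paper, unix_time + d * STEP_SECONDS)
            for d in range(-drift_steps, drift_steps + 1)
        }
    except ValueError:
        return False
    return code_shown_by_app.strip() in candidates


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code from the seed on the sheet right now:", totp(SAMPLE_SEED_B32, now))
```

Run it on an offline machine, type the seed exactly as it appears on the sheet, and compare the printed code with the app; a mismatch means the sheet would not get you back in, so the seed should be re-copied (or the 2FA method re-enrolled) before the sheet is relied on.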
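The “circular dependency” test from the list above can be done on paper, but it is easy to miss a loop once several accounts are involved. The following is an added example, not part of the post or of Bitwarden: it models each credential or account as a resource with one or more alternative ways to obtain it, computes what can be reached starting from the emergency sheet alone, and reports what still blocks the vault. The two scenarios are constructed from the post's email-2FA example (the email account's password living only inside the vault), before and after the two-step recovery code is added to the sheet; all resource names are this example's own labels.

```python
from typing import Dict, List, Set

# A rule says what you must already hold to obtain a resource. Each resource has
# one or more alternatives; holding every requirement of any single alternative
# unlocks it. Names are constructed labels for this example, not Bitwarden terms.
Rules = Dict[str, List[Set[str]]]


def reachable_from(sheet: Set[str], rules: Rules) -> Set[str]:
    """Everything obtainable starting from the emergency sheet alone.

    Iterates to a fixed point: a resource whose every alternative needs something
    never obtained stays out, which is exactly what a circular dependency causes.
    """
    held = set(sheet)
    grew = True
    while grew:
        grew = False
        for resource, alternatives in rules.items():
            if resource not in held and any(alt <= held for alt in alternatives):
                held.add(resource)
                grew = True
    return held


def can_reach(sheet: Set[str], rules: Rules, goal: str) -> bool:
    """True if the goal (e.g. the vault) is obtainable from the sheet alone."""
    return goal in reachable_from(sheet, rules)


def unmet_requirements(sheet: Set[str], rules: Rules) -> Dict[str, List[Set[str]]]:
    """For each unobtainable resource, what each of its alternatives still lacks."""
    held = reachable_from(sheet, rules)
    return {
        resource: [alt - held for alt in alternatives]
        for resource, alternatives in rules.items()
        if resource not in held
    }


# Constructed scenario: email 2FA on Bitwarden, while the email account's own
# password is stored only inside the Bitwarden vault.
CIRCULAR_SHEET = {"bw_email_address", "master_password"}
CIRCULAR_RULES: Rules = {
    "bitwarden_vault": [{"bw_email_address", "master_password", "email_2fa_code"}],
    "email_2fa_code": [{"email_account"}],
    "email_account": [{"bw_email_address", "email_password"}],
    "email_password": [{"bitwarden_vault"}],
}

# Same setup after writing the 2FA recovery code on the sheet: the recovery code
# is a second way past two-step login, so the loop through email no longer bites.
FIXED_SHEET = CIRCULAR_SHEET | {"two_step_recovery_code"}
FIXED_RULES: Rules = {
    **CIRCULAR_RULES,
    "bitwarden_vault": [
        {"bw_email_address", "master_password", "email_2fa_code"},
        {"bw_email_address", "master_password", "two_step_recovery_code"},
    ],
}

if __name__ == "__main__":
    for label, sheet, rules in [("circular", CIRCULAR_SHEET, CIRCULAR_RULES),
                                ("fixed", FIXED_SHEET, FIXED_RULES)]:
        ok = can_reach(sheet, rules, "bitwarden_vault")
        print(f"{label}: vault reachable from sheet alone = {ok}")
        if not ok:
            for resource, lacks in unmet_requirements(sheet, rules).items():
                print(f"  cannot obtain {resource}; alternatives still need {lacks}")
```

To check your own setup, replace the sheet with what is really written on it and the rules with how each of your accounts and second factors is actually unlocked (a hardware key in a safe is a resource the sheet “holds” only if the sheet tells you where it is); the first scenario prints every resource in the loop with the one thing it is waiting for, which is the chain to break.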
I’d add that whenever part of the user’s Bitwarden credential is changed, Bitwarden ought to display a link to a pre-filled emergency sheet, along with a recommendation that it be printed and stored in a safe location. And, maybe store a copy of it inside the ZIP export.