Worried about losing access with 2FA - Revert back to 1FA

Hi,
I’m worried about the new changes regarding your requirement for additional verification through email or two-factor authentication. While I understand the importance of these measures for most users, I prefer to retain single-factor authentication for my Bitwarden account, using a strong password.
For me, the risk of losing access to my passwords—due to a lost or stolen device, or in extreme circumstances like a house fire—is greater than the likelihood of someone brute-forcing my exceptionally strong password. One of the features I really value is the ability to securely access my essential passwords (or even just the phone numbers of my family) through a simple web browser, even if I somehow find myself stranded in a foreign country without phone, laptop and wallet.

I appreciate the security benefits that two-factor authentication offers, and it should absolutely be the standard option. But I would be deeply grateful if an option could be made available to disable it in specific cases.
Thank you for your understanding, and I hope you’ll consider this request.

I’ll leave it for others to comment on this, but purely from a security standpoint I would urge you to reconsider using single-factor authentication on your Bitwarden account. If you use it to store all your other credentials, then it’s the single most important account you need to protect. Even with a very strong password that may be nigh on impossible to brute force, there are credential stealers, keyloggers, various malware, etc. Having an additional factor on such an important account isn’t just desirable, I would say it’s a necessity.


Yeah, I totally get that. Some other passwords I’ve used in the past actually got stolen (through leaks) so I’m well aware of the danger.

But on the other side, there’s the danger of being completely locked out of your digital life. There are 3 types of authentication:

  1. Something you know (can be forgotten)
  2. Something you have (can be lost or taken away)
  3. Something you are (I don’t think there’s any app which uses server-side biometrics, so basically attached to 2)

Since the German police took away many digital devices for possession of a minor amount of marijuana some years ago, I’m not keen on possibly locking myself out (with absolutely no way in) in case something happens to my electronics.

Welcome, @LennardPlay to the community!

This is why you need an emergency sheet that includes your email credentials, your Bitwarden credentials, the Bitwarden recovery code and the TOTP secret key for both your email and Bitwarden. And the emergency sheet needs to be securely stored in at least two venues (to protect against fire).

An “in case of emergency” card should contain the phone numbers for family. Keep a copy in your wallet, your passport, your luggage, etc., when travelling. If you need the emergency sheet itself, you can call family and instruct them to find and fax the emergency sheet and maybe a credit card so you can purchase a new phone, laptop and wallet to securely regain access.
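To show why the post above puts the TOTP *secret key* on the emergency sheet rather than a printed list of codes, here is an added example (written for this thread, not Bitwarden’s own code) that regenerates TOTP codes from a base32 secret exactly as an authenticator app does, following RFC 6238/4226 with Python’s standard library only. The secret used is the RFC 6238 reference key “12345678901234567890” in base32, a constructed sample and not a real account secret; the `verify_totp` helper is a hypothetical server-side check included to show the clock-drift window a verifier normally allows.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: RFC 6238 reference secret "12345678901234567890" in base32,
# i.e. the form an authenticator app or an emergency sheet normally carries.
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Normalise a hand-transcribed base32 secret: drop spaces/dashes, uppercase, restore padding."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_base32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Anyone holding the secret and a roughly correct clock can produce this code on any
    device, which is what makes the secret (not a code) the thing worth writing down.
    """
    if at is None:
        at = int(time.time())
    return hotp(decode_base32_secret(secret_base32), at // step, digits, algorithm)


def verify_totp(secret_base32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> bool:
    """Hypothetical verifier: accept the current step and `window` steps either side
    to tolerate clock drift, comparing in constant time."""
    if at is None:
        at = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret_base32, at + drift * step, step, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed timestamp from the RFC 6238 test table; a live run would omit `at`.
    print(totp(SAMPLE_BASE32_SECRET, at=59))          # 287082
    print(totp(SAMPLE_BASE32_SECRET, at=59, digits=8))  # 94287082
    print(verify_totp(SAMPLE_BASE32_SECRET, "287082", at=88))  # True (one step of drift)
```

The practical point for an emergency sheet: the base32 string is all that is needed to re-seed a fresh authenticator after losing every device, whereas a printed code expires within 30 seconds. The same secret also lets an attacker who reads the sheet pass the second factor, which is why the post insists it be stored securely and in more than one place.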

You mentioned “leaks” before… everything that you type in somewhere can also potentially get phished. The strongest master password doesn’t help if you type it in on a phishing site and send it to the villains.

So, initially, I was also very sceptical about this change, the new “device login verification” (because of the potential to lock oneself out, circular dependencies…). Now, I would say, maybe let’s wait and see… because:

First, maybe you could enable 2FA: set up a new email account without 2FA - possibly with a passphrase you can remember → and then set up email 2FA for Bitwarden with that new email account (the 2FA email address can be different from the Bitwarden account email address) → with the passphrase for that email account and the Bitwarden master password, you could log in just by knowing these two “passwords”.

Second, I’m not sure, but maybe an option for opt-out will be possible?

Third, it seems there will come a change with how (2FA?)-recovery-codes work - see the current roadmap from January:

[screenshot of the roadmap, captured 2025-01-14]

I didn’t see more information on that yet… so I’m not even sure if this is a change for the existing 2FA recovery codes, or if there will be another new recovery code?!

Fourth, until now, I considered “login with passkey” passkeys (though in beta) as at least one additional “backup” method, to get at least into the web vault without master password and 2FA… (only true for the “with encryption” ones)… if that mechanism isn’t going to change with the device verification, then that would also be a possible fallback option (though with restrictions, maybe, and until it gets out of “beta”).

(and of course, what @danmullen and @DenBesten wrote I can only “double down” on)

PS: To my comment before: if you “prepare” for that new situation, I’m not as sceptical as in the beginning - see my points above, emergency sheet with email address credentials etc. - but of course, for someone who steps “blindly” into it, it remains possibly dangerous.

Thanks for the tips. I will definitely print some emergency sheets and ICE cards.

I feel like the general advice is to just turn 2FA on without considering the implications.

Take this scenario as an example: You lose your bag with both your phone and wallet inside. Luckily, you know your phone has a “find my device” feature. So, you borrow a friend’s phone to log in and track it down. But when you try to log in, 2FA kicks in, requiring verification through the very phone you’ve just lost. Now you’re stuck until you get home to use your laptop or a backup security key. By then, someone else might have already found—or worse, stolen—your belongings.

What’s the solution to this? A security key? That’s something less than 2% of people own, understand, or even bother to carry around. And that key is probably in the same bag you just lost. This doesn’t seem like a practical solution at all.

Sure, hackers tracking your location is a big security risk. But on the flip side, losing the ability to track your phone and access banking services, flight tickets or just basic email, even if it’s only temporary, can be just as bad. And if I’m honest, I know what’s more likely to happen to me.

I feel like these downsides of 2FA are rarely discussed. Everyone just encourages you to enable it without acknowledging the potential problems it can cause. For some people, like me, just using a password manager might be enough. With a password manager, you can use unique, super-strong passwords for each site while only needing to remember a single master password.

I would love it if you were able to set your own recovery phrase, in case you lose access to 2FA. Of course you would need to remember it, write it down somewhere safe and guard it like gold.

It’s a bit bigger than that. The general consensus amongst security “experts” and policy makers is that passwords are no longer good enough because they have been compromised too often.

A few options:

  1. Call home and have them log in to your laptop and read the TOTP code to you.
  2. Set up location sharing (iPhone and Android both have it) so that your trusted contact could just look at their phone and tell you where your phone is.
  3. Get a smart watch with its own mobile data and use its inbuilt “find my phone” feature.

I think this may be Bitwarden’s response to requests to waive New Device Verification if the 2FA reset code has been used, but more detail would certainly be helpful. Currently, using the 2FA reset code only disables 2FA, but does not log the user in to the Web Vault; it seems that the user will now be automatically logged in to the Web Vault when disabling 2FA via the recovery code. At a minimum, the benefits of this would be that the user has an opportunity to immediately re-enable some 2FA method, which would then waive the requirement for New Device Verification. Possibly, the browser used to submit the 2FA reset code would also be automatically registered as a known device upon login to the Web Vault, so that further Web Vault logins using the same browser would be possible without requiring New Device Verification (provided that browser data is not cleared).


I concur with your prediction. It is pretty much what I too am expecting to happen.