Starting in February, Bitwarden will bolster user account security for those users who are not utilizing two-step login (2FA) for their Bitwarden account. When logging in from an unrecognized device, users will be asked for an emailed verification code to confirm the login attempt and better protect their Bitwarden vaults. Read on to learn what this means for you and why this is being enacted.
Why this doesn’t work properly* for select use cases:
Let’s say you’re trying to set up a new computer you bought after losing all your devices, and your email password is saved in your password manager with 2FA enabled. This system will then fail.
Not a fan of getting a verification code emailed when I have good opsec and maintain a strong and unique password for my password manager with no 2FA, since I prefer to have full independence in the worst case and not rely on an additional 2FA app for my password manager - for my use case and the way I like to have my opsec set up.
Emailed verification codes are common today, and everyone is generally used to receiving them. However, Bitwarden users who store their email account credentials within their Bitwarden vaults would have trouble accessing the sent codes if they are unable to log in to their email.
To prevent getting locked out of your vault, be sure you can access the email associated with your Bitwarden account so you can access the emailed codes, or turn on any form of two-step login to not be subject to this process altogether.
I don’t buy this opinion from Bitwarden.
So, by this logic and understanding - Bitwarden now wants a user to remember two strong and unique passwords, one for the associated email and one for Bitwarden. On top of that, they also would prefer we don’t have 2FA enabled on said email account because one would normally store them in your password manager.
And if you are using Ente Auth just to store your email 2FA, then you also need to remember its credentials which also must be unique for all of this to work. To me, all of this simply adds to the complexity of simply accessing your password manager as you want it.
I think Bitwarden should still give freedom to its users for how they want to use and access their accounts.
Someone please explain how all of this is a good thing overall.
You’re probably not going to be locked out from every client with access to your email. Chances are you have mobile apps (BlueMail etc.) and desktop apps (Thunderbird etc.) that can receive the 2FA email. What this update does is make it even harder to link new devices to your account.
For situations where you have to bootstrap entirely (say your house and all devices burns down), you will want to keep your backup passwords in another environment, whether it’s a bank’s safety deposit box, and/or a micro SD card hidden in a dead drop spike etc.
You’re assuming everyone in the world who uses Bitwarden has access to this or will be able to have additional backups elsewhere.
Sorry, but your logic is still following what Bitwarden is saying. To me, this is a bad move by them when they don’t even give you an option. It still makes no sense to me for my use case and preferences - and I am sure I am not the only one with such a requirement/preference/need.
Now that I think about it, yeah, you could easily get locked out of your account if all you do is remember your master password and nothing more.
At a glance, this seems like a good change. Those who didn’t have 2FA enabled will have additional protection against threats, but if they were completely reliant on Bitwarden, i.e. their email saved in it and not memorized, and say their phone dies on them or they simply lose it somewhere, it would completely lock them out. Not great for an average user, which this seems to be targeted at.
I haven’t received any email about this change as of yet either and I don’t think your average joe is lurking on any privacy forums. Bitwarden just hasn’t been it these past few months…
Companies can never satisfy everyone. Time to start saving for pen, paper and dice so you can store the Bitwarden recovery email and its secure password somewhere. Or use LastPass, where the 2FA is opt-in.
A lot of downvotes and not a whole lot of arguments.
Writing down your passwords is something experts have recommended: “Bruce Schneier Writes Down Passwords. So Can You” (Schneier on Security). It’s still a good strategy: it’s impossible to access remotely, and you only need it when you’re setting up client software for your email.
You’re going to have to use more than your Bitwarden master password anyway. Your OS FDE needs a password, as does your OS login. It was never going to be a one-stop show.
Also, I find it unlikely that people only have a smartphone or only have a laptop, and that they never replace their hardware. Hardware becoming obsolete to run software like games is still happening.
Finally, my message may have come across as condescending, for that I apologize.