Bitwarden Announce Enforcement of 2FA on New Sign Ins

From Bitwarden:

To increase account security, Bitwarden will soon require additional verification when logging into your account from a new device or after clearing browser cookies. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email.

https://bitwarden.com/help/setup-two-step-login

This is going to be an absolute nightmare for anyone travelling and losing/damaging their phone (can't get into email to get the 2FA code if your email password is stored in Bitwarden).


Comments

  • +2

    It just requires a little more planning. When I travel, I take a Yubikey in my main luggage as a backup to access my Google account/Bitwarden account.

    You could also stash the recovery codes in your luggage as backup.

  • +5

    This is going to be an absolute nightmare for anyone travelling and losing/damaging their phone.

    Over the top reaction for a simple change. Have the Google Authenticator app on your phone for the 2FA code. If your phone dies, use email as the other method. Not that hard.

    • use email as the other method.

      The entire point of a password manager is to create and store your passwords. So if you're using it properly in the first place you wind up in a loop of can't get into email because can't get into password manager because can't get into email…

      • +2

        Do you not access your email from multiple devices? Are all of them going to be signed out at the same time? Also, the 2FA method gives you ten backup codes that you can print out if the phone 2FA is not available. Keep that in your wallet without any other information next to it.

        • Keep that in your wallet

          pickpockets?

          • @jv:

            without any other information next to it.

            Rest of the sentence you omitted is more important. Don't write down your Bitwarden username next to the codes. Just the codes.

            • @soan papdi: I keep the codes in a password-protected page on OneNote and keep the password safe in Bitwarden, for the win!!!

  • Seems like the recovery code is the important thing to have, if you can't get into your email/authenticator without Bitwarden, and you can't get into Bitwarden without your email/authenticator.

    I only access email from two devices (phone and PC), and the PC signs me out regularly.

  • +2

    Good.

    People need to consider the 'bad guys' also use all the apps we do (when trying to be secure and protect our IDs) and data. Albeit most of it was compromised and harvested years ago.
    There's a good reason there's a trust deficit. It's called the internet.

  • +8

    Anyone who doesn't have MFA on their password manager is insane.

  • This is going to be an absolute nightmare for anyone travelling and losing/damaging their phone.

    Email authentication is listed as an option.

    iPhone + Apple Watch users can also install the Authy app on their Apple Watch too.

  • +7

    You are an idiot if you think this is a bad thing.

    The same person who complains about this then turns around and complains they got hacked and why didn't their provider do more to protect them?

  • I have mine set up this way already, but yeah, it should be standard. New device requires Yubikey authentication.

  • I see this as a good thing. Always paranoid someone will find a way to hack into mine lol

  • As others have mentioned, MFA on a password manager is essential. I'm surprised it wasn't already a requirement, and even more surprised you think it is a bad enough idea that you didn't have it activated already!

    Best solution is a hardware MFA key, like a Yubikey.
    Secondary backup solution is to install and authenticate a MFA App on a second/multiple device/s (iPad/Tablet, old "drawer" phone, or partner's phone/Tablet).

    • Look, I'll agree MFA on pretty much everything is ideal. While the single point of failure of non-MFA protected password manager isn't ideal, the original idea behind them was to have a single extremely strong password and use precautions to protect it. This alone is miles more secure than the average person reusing passwords everywhere.

      The problem as I see it is that all the solutions to being locked out of your MFA-protected PWM are themselves prone to insecurity, and ultimately lead to an inescapable loop should the worst-case scenario happen.

      • SMS can suffer from number porting
      • Email is unencrypted
      • Physical keys can be lost/stolen
      • Not all authenticator apps can migrate seamlessly to a new device in case of device loss/damage
      • Backup codes need to be kept in a safe place, and unlabeled. Given the dozens of MFA services that provide backup codes, it's somewhat impractical not to label them

      Yes, combined they increase your security, but with that increase also comes increased risk of forever locking yourself out of your own stuff.

      It seems a better failsafe to turn MFA on for everything but your PWM (+ keeping your authenticator options separate from your PWM) and be smart about protecting and rotating your master password.

      • *Physical keys can be lost/stolen* - I have 2. One is kept at work, one is on my keychain.
        *Not all authenticator apps can migrate seamlessly to a new device in case of device loss/damage* - So use one that can! (i.e. this is not an actual problem) 2FAS is my recommendation if you need one.

        There's nothing in my PWM that would utterly destroy my life if I could never recover access to it.

        Should my house and work both burn down simultaneously and I manage to escape with my life but all my MFA devices are toasted, yeah, that would be super annoying, but I think I'd have bigger issues to worry about.

        • That's why you have more than 1 MFA device, best if it's kept somewhere else.

  • +1

    Just export your Bitwarden database as a CSV and use that ;)

    But more seriously the sweetspot for password managers is to use it for all your non-critical accounts - places you may have previously reused a password as it wasn't practical to remember 500 individual passwords.

    For the few critical accounts like banking and email (and Bitwarden itself) you should remember and use a strong and unique password.

    Don't put these in Bitwarden at all, memorise them.

  • +1

    2FAS

    • Dunno what happened to the formatting of my previous post (I've copy-pasted it below), but yes, +1 for 2FAS
      Seamlessly migrates from one device to another.

      Physical keys can be lost/stolen - I have 2. One is kept at work, one is on my keychain.
      Not all authenticator apps can migrate seamlessly to a new device in case of device loss/damage - So use one that can! (i.e. this is not an actual problem) 2FAS is my recommendation if you need one.
