This is terrible, honestly. One of the reasons I use Bitwarden is to be able to not know all my passwords besides the Bitwarden one. I don't know my email password, so can't use that for 2FA. Same for using my phone number or an authenticator app, if I lose my phone, I would also be locked out of my account.
The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.
Agreed. There is no way to rely on the simple model of 'my master password is the single point of failure' now. With any form of 2FA, there is now lockout risk in a way that cannot be mitigated fully. Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe? Or if you're traveling and need emergency access to your accounts after your phone gets stolen?
On the reddit post announcing this, Bitwarden added a response saying they will provide an opt-out option. It's unclear if this opt-out is temporary or not. It would be a huge step back for their product if 2FA becomes mandatory.
That actually happened to me a couple years ago. I was in a foreign country, and lost my phone. All I had to do was buy a new cheap phone and log in to Bitwarden again. If I had 2FA enabled, I'd be completely screwed.
I have hidden recovery information in a few places on the internet - someone stumbling across it would not know what they are looking at, or what it's for. For example, you can hide the TOTP secret for an authenticator app, but it's useless unless you know what account and service it's for, and the associated master password.
So to mitigate lockout risk, you keep multiple Yubikeys, store recovery codes in multiple physical locations including presumably a fire-proof safe bolted into your home (at your expense), and use obscurity to store the TOTP secret in random places on the internet, presumably relying on external services or a self-hosted solution, which are themselves dependent on regular credit card payments going through.
Okay, I grant that you've reasonably mitigated the lockout risk. But I don't want to do any of this, and is it really reasonable to expect the everyday person to understand or implement all this? What happens in practice is that many users will not realize anything is wrong until they get locked out with no recourse.
This makes it hard for me to recommend Bitwarden to my friends who use typical insecure practices like password reuse or post-it notes.
Security has either been easy and weak, or difficult and strong. It will never change and so you will always have the option of weak security if you don't want to jump through the hoops for the peace of mind.
> my friends who use typical insecure practices like password reuse or post-it notes
IMO people who do those things will never change. It's like the environment, everybody knows what they should be doing but no-one cares enough to do it.
So Bitwarden should offer 2FA for users who want the additional security – they should never force users to enable it. It would be like refusing to save "password" as a password, because it is insecure.
If you have literally no other option than SMS 2FA because of bad support from websites, maybe. Otherwise it's probably one of the worst options (though I suppose unlike using your main number at least it's harder to discover the number for the 2FA phone to attack it with social engineering).
Same here, mine got pickpocketed. My mates laughed at me because they thought I was an idiot for not being able to log in to my accounts.
Was easily solved though, got a new SIM card from my network from the local store when I got back and recovered my Authy account via SMS, which I can then generate 2FAs for my password app through. Was always a backup method I had up my sleeve. My browser stays logged in as well so I was able to get into most stuff through my PC once I got back.
> Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe?
I feel like your own creativity is limiting you here. There are lots of options to store those backup codes. Including giving them to multiple relatives to keep in a safe place so you can call and ask for it, creating a dedicated email account with no 2fa and email the code there, leave yourself a saved answerphone message with it on so you can dial in and listen, write it in the important info section of your passport so you always have it abroad etc etc...
It's great that recovery codes exist, but the security model can't rely on them. Unused email accounts get deleted, yubikeys get lost or reset, relatives lose documents, passports get renewed, house fires and car accidents happen, time passes, etc.
Any critical procedure needs to be exercised regularly to ensure it's still working. Normal people don't do that with recovery codes.
All of these things can be mitigated by a little care and attention by yourself.
What you are really saying is you want a way to be able to recover your account that's easy, quick, and you don't need to think about it. Unfortunately strong security will never be any of those things.
Any concept of "strong security" that doesn't consider losing access to be a security issue is, at best, amateur.
If a state actor can't access your email, but you also can't access your email (and receive notices of login attempts, password reset attempts, server intrusions, etc.), then you absolutely do not have a good security posture.
It doesn't matter how you want to describe it, keeping recovery keys available is an ongoing maintenance burden that most people aren't going to do perfectly. It's not appropriate to blame users for reasonably foreseeable problems with a fragile system and lock them out of their bank passwords.
> creating a dedicated email account with no 2fa and email the code there
Of course, that account could also decide to implement mandatory 2FA. Could even be unannounced, just "This login is suspicious, we sent a message to your recovery email to confirm this login"
I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
When they lose it, they lose access to email, and there is no backup plan here. Using Bitwarden is far far superior to them using the same password everywhere, but this will drive them back to the same behavior.
> I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
That's actually a really good point. My 1Password setup is resilient to device loss because I have multiple registered devices, any of which can spin up a new device with just my master password.
But if you're in a situation where you only ever have one device and lose it, then you can't bootstrap a new registration going from 0 devices to 1.
There's definitely a security/resiliency tension here. Is it desirable to have your password manager protected by just a user-specified password? That can allow you to go from 0 devices to 1, but it also greatly lowers defenses against account compromise. You can have a paper recovery kit, but people will misplace that, if they even create it in the first place. Social attestation could be a decent if imperfect mitigation: if everyone is on the same family group, then maybe the admin or the group can recover access for any one person.
Email is not a good second authentication factor anyway. I have 6 U2F tokens on my high priority digital accounts, as well as printed recovery codes in several places. Only 1-2 tokens ever actually travel with me, the others are kept safely in different locations.
Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken and egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.
Email can be a perfectly good second authentication factor.
It depends on the asset you’re protecting and your threat model.
I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.
The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.
My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.
Same here. I'm very sad about this 2FA thing. Bitwarden was so easy to use, I could always get access to my accounts with just my secure master password. Does anybody know a good alternative?
I solved this issue using pass-otp on my computers in addition to my mobile authentication app. This way my desktop, laptop, and mobile device all have the ability to generate my Bitwarden OTP code.
In addition to your phone, you can also set up up to 4 other WebAuthn tokens, Yubikeys or FIDO2 devices as well as a printed recovery key. If none of those fall-backs work for you, perhaps switching to a different password manager is best.
I hear you, and I somewhat feel the same. However, a workaround would be to save the TOTP secret safely like a password. I have started treating all my TOTP secrets as my secondary passwords.
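The two comments above (running pass-otp on several computers so that desktop, laptop and phone all produce the same Bitwarden code, and treating the TOTP secret itself as a secondary password) both rest on one property of TOTP: the six-digit code is a pure function of the shared secret and the current time, so any device that holds the secret can derive it. The following is an added illustration, not code from the thread, Bitwarden, or pass-otp. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, using the RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded) as a constructed sample; the function names and the `window` parameter of the verifier are my own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890")
# in base32, the same form an authenticator app's "manual entry" field accepts.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 TOTP secret as services display it (tolerates case, spaces, stripped padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding that most apps omit
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Same secret + same clock = same code."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, window=1):
    """Verifier-side check: accept the current step and +/- `window` adjacent steps to absorb clock drift.

    Uses a constant-time comparison; a code of the wrong length never matches.
    """
    at = time.time() if at is None else at
    key = decode_secret(secret_b32)
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(key, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Two "devices" (two calls) holding the same secret agree on the code for the same time window.
    now = time.time()
    print("devices agree:", totp(SAMPLE_SECRET_B32, now) == totp(SAMPLE_SECRET_B32, now))
    # RFC 6238 Appendix B vector for T=59 with SHA-1 is 94287082; the 6-digit code is its last six digits.
    print("code at T=59:", totp(SAMPLE_SECRET_B32, at=59))
```

Because `totp` needs nothing but the base32 string and a reasonably accurate clock, backing up that string anywhere a password would be backed up (which is what the second comment describes) is sufficient to regenerate the second factor on a replacement device; conversely, anyone who obtains the string can do the same, which is why it deserves the same handling as the master password it is meant to supplement.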
I abandoned Bitwarden a while ago in favor of Enpass after the 2nd time in 3 weeks that Bitwarden refused to open my LOCAL vault because of a problem with BITWARDEN's servers.
Similar. I switched to Apple Passwords, and pretty much stopped using Chrome except for Gmail. I use a multitude of browsers, but I am 99% Safari for sites where I need the PWM.
I hate building a lock-in to the ecosystem though, and have been meaning to look at Enpass.
If my irritation with BW had come later I might well have settled on Apple's solution, but I'm already entrenched at Enpass and, like you, don't really want to further enmesh.
I mean, I'm pretty tied to Apple in both hardware and service use, but it strikes me as unlikely that Apple's first swing at password management could really rival a purpose-built tool right out of the gate. I do think I'm going to push my thus-far-vault-avoidant wife to use the Apple tool, though.