Reminder for Bitwarden users: Starting in February, users without two-step login (2FA) enabled will need to enter a verification code sent to their email when logging in from an unrecognized device
-
So I need a 2FA application? Just seems a little ridiculous as that is what I use email for. So my bw pass is well over 25 chars and I need to have another app that requires an equally strong pass. Just seems a little overkill! Especially changing passwords every year.
-
Shit no.
-
Yes, that's the whole point: to recover your account if you lose your MFA device. What are you even trying to say?
If you can login without the second factor then what's the point?
-
This is why I turned on 2FA with Aegis as soon as I heard this news. I set them up with two passwords I remember well, and have biometrics set on both apps so a fingerprint is all I'll need 9/10 times.
-
Find a new single point of failure?
-
On my home PC. Same with the 2fa export of aegis.
"What if you can't access blah"
There's a limit to interoperability, if you want access to everything everywhere even when you lose access for whatever reason, you will have to concede security.
You could save a keepass file with secure notes of both the bitwarden 2fa and recovery codes and save it in drive or whatever, you don't need passwords nowadays to access the Google account.
"But what if I lose access to my phone?"
Well, you are fucked, what else do you want? I guess you could print the recovery keys and store them in a secured box at home.
-
You provided a situation where your phone was robbed and you didn't plan for it so you didn't print the relevant information.
So... Prepare ahead? Go to a relevant office with identification to get access to the relevant tickets again?
"What can I do if all the tools at my disposal to get the relevant information are stolen?" You get fucked. Idk what else to tell you.
-
You can also register a MFA app and lock recovery codes in your PC.
This has been announced with enough time, you still have time to download another app like aegis or whatever. This is only for new logins however, you will still have access to bitwarden wherever you are already logged on.
-
I did it years ago when they sent me an email suggesting to do exactly that.
-
Sorry, basic question here. I'm running vaultwarden; I host my own vault that the Bitwarden apps access. I don't think my vault has a mail server, how fucked am I?
-
This is the first I'm hearing of this, but, honestly, I'm all for it. I have Aegis and will add this mfa step, but needed to change email anyway and this was a great reminder of that.
-
I like to just use passwords I know with my brain.
-
That's fine if it works for you.
My comment on all of this was purely that the Bitwarden password was a single point of failure.
Now we can shift that single point of failure somewhere else! I'm not sure what the solution is.
-
You're good. Self-hosted vaults are not affected by that.
-
I also host my own vaultwarden and don't have a mail server. I was able to put SMTP settings in vaultwarden so it's able to send the email out.
-
Never underestimate the human capacity for short-sighted laziness.
-
Probably my mail
-
Me losing my devices is much higher on my threat model than someone trying to brute-force my Bitwarden password.
-
Shit, why can't I just keep the secondary password instead of relying on notoriously insecure SMS, or notoriously privacy-invading email?
-
Because you keep the recovery codes unexposed to the internet, unlike your usual password. Therefore you can have confidence that they haven't been hacked, leaked, or whatever.