Article Details
Scrape Timestamp (UTC): 2025-01-27 21:08:05.932
Original Article Text
Bitwarden makes it harder to hack password vaults without MFA.

Open-source password manager Bitwarden is adding an extra layer of security for accounts that are not protected by two-factor authentication, requiring email verification before allowing access to accounts.

When a potentially suspicious login attempt is detected, such as one from an unrecognized device, the user will now be prompted to confirm the action by entering a verification code they received via email. Those who fail to provide the code cannot access the password vault.

"Starting in February, Bitwarden will bolster user account security for those users who are not utilizing two-step login (2FA) for their Bitwarden account," reads the announcement.

"When logging in from an unrecognized device, users will be asked for an emailed verification code to confirm the login attempt and better protect their Bitwarden vaults."

This security step is a form of two-factor authentication, so essentially, Bitwarden is enforcing it even for those who haven't activated it themselves. While this will provide additional protection, the best approach would be to enable multi-factor authentication via authenticator apps or, even better, FIDO-compliant passkeys.

Activating any 2FA method or using API keys or SSO to log in automatically opts users out of this new security mechanism. Self-hosted instances are also excluded.

As Bitwarden explained in a separate FAQ page, the following events will trigger the extra code prompt:

Bitwarden is aware of a sub-category of users who store their email credentials inside the password manager's vault and warns about the practical problems that arise from the new verification step to be introduced next week. To avoid being locked out of both their email and Bitwarden accounts, users need to ensure they have independent access to their email credentials or simply enable 2FA on their Bitwarden accounts.
This extra security step should not be considered an excuse for using weak master passwords or recycling passwords. Users should ensure their master password is hard to brute-force by picking something long and unique and including different character types.
Daily Brief Summary
Bitwarden, an open-source password manager, is implementing a new measure to enhance security for users without two-factor authentication (2FA) by requiring email verification for access from unrecognized devices.
Starting in February, users attempting to log in from a new device will need to enter a verification code sent to their email to proceed, effectively creating a form of mandatory two-factor authentication.
This new security protocol is aimed at protecting user accounts from unauthorized access, particularly for those who have not enabled optional 2FA methods.
Users utilizing 2FA methods such as authenticator apps, FIDO-compliant passkeys, API keys, or single sign-on (SSO) are automatically exempt from this new verification process.
Self-hosted Bitwarden instances do not fall under the purview of this new security update.
Bitwarden recommends that users not store email credentials within their password vault to prevent potential lockouts, as access to the vault will require independent email access.
Despite the enhanced security measure, Bitwarden advises maintaining robust, unique master passwords to prevent brute force attacks and ensure optimum security.