Bitwarden to enable two-step login for all users in the next days, sort of

Martin Brinkmann
Jan 28, 2025
Updated • Jan 28, 2025

Bitwarden is a popular open source password management solution that we have mentioned several times in the past. It is one of our recommended password managers.

Bitwarden announced recently that it is changing how users sign in to their vaults. Until now, users could be divided into two groups: those who sign in with just their username and password, and those who use two-step login or other additional protection.

Starting in February 2025, two-step login will be enabled automatically for all users under certain circumstances.

Here is what is changing:

  • Users who sign in with just their username and password are affected.
  • An email with a code is sent to their linked address.
  • This code needs to be entered on the sign-in page to complete the authentication.
  • This affects new devices only (including old devices, if cookies are deleted or apps are uninstalled).

Bitwarden says it is doing this to improve the security of users who have not enabled two-step login. The change does not apply to self-hosted installations, SSO, passkeys, or API key logins.

What this means for affected Bitwarden users

If you sign in to Bitwarden with just the username and password, you are affected.

  1. Make sure that you have an email address linked to the account.
  2. Or, enable two-step login or the use of passkeys before February.

Tip: check out our guide on creating and using Passkeys in Bitwarden.

How the new process works for affected users

The company describes the process for these users in detail on a new support page:

  1. The first steps of the sign in process remain unchanged. Users are asked to enter their username and password.
  2. One of the following scenarios happens next:
    1. If the device is known, the user is signed in.
    2. If the device is not known, the linked email address is displayed.

A code is sent to the email and the user needs to enter the code on the sign in page to complete the authentication.

Note that this requires an email address to be linked to the account. Bitwarden recommends this, but is aware that some users may prefer otherwise. Those users may then either enable two-step login, use an email alias forwarding service, or self-host Bitwarden.

The change is problematic in the following scenarios:

  • When users have not added an email address to their Bitwarden account.
  • When the email account password is stored in Bitwarden exclusively.

Users may lock themselves out of their Bitwarden account in the second scenario under certain circumstances: if the email account's credentials exist only in the vault, there is no way to read the code without first signing in. Bitwarden recommends that users secure access to the linked email account through other means (not exclusively in the Bitwarden vault), or enable two-step login instead, since accounts with two-step login enabled are not subject to the email code requirement.
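The decision flow described above, together with the two problem scenarios, as an added example that is not Bitwarden's code: a simplified server-side model of new-device verification written for this article. The device token, the five-minute code lifetime and the three-guess limit are assumptions; the article states only the rules that `needs_email_code` encodes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 300  # assumed code lifetime; the article gives no figure
MAX_ATTEMPTS = 3        # assumed guess limit; also not from the article

@dataclass
class Account:
    email: Optional[str]        # linked address, or None if the user never added one
    has_two_step: bool = False  # some two-step login method already enabled
    self_hosted: bool = False   # self-hosted servers are outside the change
    known_devices: set = field(default_factory=set)  # device tokens remembered from earlier logins

@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0

def needs_email_code(acct: Account, device_token: str, method: str) -> bool:
    """Article's rule: only password-only logins from unknown devices get a mailed code."""
    if method in {"sso", "passkey", "api_key"} or acct.has_two_step or acct.self_hosted:
        return False
    return device_token not in acct.known_devices

def start_login(acct: Account, device_token: str, method: str = "password"):
    """Step 2 of the flow: a known device signs in, an unknown one triggers the email code."""
    if not needs_email_code(acct, device_token, method):
        return "signed_in", None
    if acct.email is None:
        return "no_linked_email", None  # first problem scenario: nowhere to send the code
    code = f"{secrets.randbelow(10**6):06d}"  # constructed code; a real server would mail it
    return "code_sent", Challenge(code, time.time() + CODE_TTL_SECONDS)

def complete_login(acct: Account, device_token: str, ch: Challenge, submitted: str, now=None) -> str:
    """Verify the mailed code with expiry, attempt limit and constant-time comparison."""
    now = time.time() if now is None else now
    if now > ch.expires_at:
        return "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    ch.attempts += 1
    if not hmac.compare_digest(ch.code, submitted):
        return "wrong_code"
    # Remember the device; clearing cookies or uninstalling drops the token client-side, so old devices get asked again.
    acct.known_devices.add(device_token)
    return "signed_in"
```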

Configuring two-step login in Bitwarden

Bitwarden users may configure two-step login on this page of the website after logging in. Bitwarden supports authenticator apps, email, and passkeys, as well as select security key solutions for premium customers.

Do you use password managers? If so, which is your preferred application and why? What is your take on the change? Feel free to leave a comment down below.


Comments

  1. David said on January 29, 2025 at 7:31 pm

    If you have a free Bitwarden account and have been using only email and master password to log in, you will have to go to either 2FA or Passcodes.

    Passcodes can be used much like passwords (you put a monstrously long phrase in the password field in Bitwarden), but because they generate a truly randomized key they are more secure and Bitwarden exempts you from the additional hokey-pokey of providing a six digit code as in the case with most 2FA schemes.

    2FA on the other hand uses your existing passwords and automatically generates the 6-digit codes in an authenticator. UNLIKE receiving the code by text or email, an authenticator does so by algorithmically generating the unique code. Using a QR code or by importing a secret verification code that your website gives you permits setting up one, two, three, or more authenticators to generate the digits (they all use the same algorithm).

    But here’s where Bitwarden makes it tough on free users. Unlike 1Password or Apple Password, for example, FREE Bitwarden won’t automatically pass along the generated codes to the login process. Instead you have to use an external authenticator. To get the convenience of having Bitwarden handle the codes for you, you gotta pay them some money.

    So this new rule of Bitwarden’s either (1) locks you into passphrases, (2) requires you to use external authenticators, or (3) necessitates coughing up cash for a Premium account. I hope this helps people pick the option that makes the most sense.

  2. Eu said on January 29, 2025 at 11:50 am

    Deliberate awkwardness engineered by big players makes 2FA far less attractive than it should and deserves. Using 2FA through different platforms/ecosystems/browsers that is.

    It might be that the low attention to these issues is because 2FA users are embarrassed: they believe their troubles are due to their own technical competence/understanding and don't pick up the real reason – big players trying to lock users to their platforms.

    They need to stop doing that and allow users to obtain best possible security.

    The hassle of using secure DNS in some browsers needs to be sorted out too.

  3. FIRE said on January 29, 2025 at 10:40 am

    Two factor security methods are not useful. If you have the second device open you have the two keys. If you catch one open phone you can do whatever you want if two factor is enabled.

  4. Tiago said on January 28, 2025 at 6:34 pm

    I questioned Bitwarden support.

    If the user wants to avoid 2FA and is forced to verify the code via email, how will that user access the code sent if the password/security key for the email account is stored in the vault?

    Part of the response was “Bitwarden users who store their email account credentials within their Bitwarden vaults would have trouble accessing the sent codes if they are unable to log in to their email.”

    The change adopted by Bitwarden is problematic and will cause issues for many users.

  5. Peter Parker Kent said on January 28, 2025 at 6:18 pm

    Eep, I gotta keep an eye on this. Thanks for posting, Martin.

  6. Father Rustskull said on January 28, 2025 at 10:47 am

    Martin, maybe “An email with a code is sen[t] to their linked address.”

    My password manager is somewhere within my head.
