Bitwarden makes it harder to hack password vaults without MFA

Open-source password manager Bitwarden is adding an extra layer of security for accounts that are not protected by two-factor authentication, requiring email verification before allowing access to accounts.

When a potentially suspicious login attempt is detected, such as one from an unrecognized device, the user will now be prompted to confirm the action by entering a verification code sent to their registered email address.

Those who fail to provide the code cannot access the password vault.

"Starting in February, Bitwarden will bolster user account security for those users who are not utilizing two-step login (2FA) for their Bitwarden account," reads the announcement.

"When logging in from an unrecognized device, users will be asked for an emailed verification code to confirm the login attempt and better protect their Bitwarden vaults."

[Image: Verification code screen]
Source: Bitwarden

This step is effectively an email-based second factor, so Bitwarden is in practice enforcing a form of two-factor authentication on accounts whose owners never turned it on.

While this provides additional protection, email is the weakest second factor, since anyone who controls the mailbox also controls the code. The better approach is to enable two-step login with an authenticator app or, better still, a FIDO2/WebAuthn hardware security key or passkey, which is phishing-resistant.

Activating any 2FA method or using API keys or SSO to log in automatically opts users out of this new security mechanism. Self-hosted instances are also excluded.

As Bitwarden explained in a separate FAQ page, the following events will trigger the extra code prompt:

- Logging in from a new device
- Re-installing the mobile or desktop app
- Clearing the web browser's cookies
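All three triggers share one cause: the client no longer presents a device identifier the server has seen before, because it was never issued, was deleted with the app, or was cleared with the cookies. The following is an added illustration of how such a new-device check can be implemented server-side; it is not Bitwarden's code and makes no claim about their implementation. It assumes a hypothetical `Account` record, a caller-supplied `send_email` function, and a client-stored `device_id`; the exemptions for users with 2FA enabled or logging in via API key or SSO follow the article's description.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical policy values (not Bitwarden's): a code lives 15 minutes and
# survives at most five guesses before the login must be restarted.
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5
CODE_DIGITS = 8


@dataclass
class Account:
    """Minimal stand-in for a user record (constructed for this example)."""
    email: str
    has_2fa: bool = False
    known_devices: set = field(default_factory=set)


@dataclass
class PendingCode:
    code_hash: bytes   # only the hash is stored, never the plaintext code
    expires_at: float
    attempts: int = 0


class NewDeviceVerifier:
    """Gate password logins from unknown devices behind an emailed code."""

    def __init__(self, send_email, clock=time.time):
        self._send_email = send_email   # callable(address, code)
        self._clock = clock             # injectable for testing expiry
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def login(self, account: Account, device_id: str, method: str = "password") -> str:
        """Return 'allowed' or 'verification_required' for a successful primary auth."""
        # Users who already have a second factor, or who authenticate with an
        # API key or through SSO, are opted out of the email check.
        if method in ("api_key", "sso") or account.has_2fa:
            return "allowed"
        # A device id the account has verified before needs no extra step.
        # A fresh install or cleared cookies presents a new id and lands here.
        if device_id in account.known_devices:
            return "allowed"
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account.email] = PendingCode(
            code_hash=self._hash(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_email(account.email, code)
        return "verification_required"

    def verify(self, account: Account, device_id: str, submitted: str) -> str:
        """Check a submitted code; on success remember the device."""
        pending = self._pending.get(account.email)
        if pending is None:
            return "no_pending"
        if self._clock() > pending.expires_at:
            del self._pending[account.email]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[account.email]
            return "too_many_attempts"
        # Constant-time comparison of hashes avoids leaking how many leading
        # digits matched through response timing.
        if not hmac.compare_digest(pending.code_hash, self._hash(submitted)):
            return "invalid"
        del self._pending[account.email]
        account.known_devices.add(device_id)
        return "allowed"


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an email delivery channel
    verifier = NewDeviceVerifier(send_email=lambda addr, code: outbox.append((addr, code)))
    alice = Account(email="alice@example.test")
    print(verifier.login(alice, "device-A"))                      # verification_required
    print(verifier.verify(alice, "device-A", outbox[-1][1]))      # allowed
    print(verifier.login(alice, "device-A"))                      # allowed, device now known
    print(verifier.login(alice, "device-B"))                      # verification_required again
```

The lockout scenario the article warns about is visible in `login`: the code goes to `account.email`, so a user whose only copy of the mailbox password lives in the vault cannot complete `verify` from a new device.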

Bitwarden is aware that some users store their email credentials inside the password manager's vault and warns about the practical problem this creates once the new verification step rolls out next week: the code needed to unlock the vault from a new device is sent to a mailbox whose password is locked inside that same vault.

To avoid being locked out of both their email and Bitwarden accounts, users need to ensure they have independent access to their email credentials or simply enable 2FA on their Bitwarden accounts.

This extra security step should not be considered an excuse for using weak master passwords or recycling passwords.

Users should ensure their master password is hard to brute-force by choosing something long and unique to this account; length contributes far more to resistance than mixing character types alone, and a multi-word passphrase is easier to remember than a short string of symbols.
