Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and not bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)
(Imagine leaving your key in your house, lol)
Source: https://bitwarden.com/help/new-device-verification/
Excerpt:
To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.
Good thing I noticed, otherwise I might’ve had a bad time next month 😖
Edit: Updated title to clarify that people who have 2FA are not affected.
I understand that perspective, but honesly, for me, the threat of misplacing 2fa is higher than getting hacked.
People are “hacked” all the time in massive breaches. Its accelerating, not getting less likely. Password managers are a huge target, and have been breached in the past.
If youre worried about it, use something like Aegis. Its an mfa app that lets you easily save password protected backups. You can set it up to automatically save a copy to a folder on your phone. Then just copy that file off and store it somewhere safe.
If thats too much work and you dont run syncthing/nextcloud/etc, they also have an option to let it it sync with the google backup service.
The above gives you the best of both worlds : strong security and strong redundancy.
Where TOTP is concerned is you enroll multiple devices for redundancy, and there are scratch codes. Plus you’ll eventually be forced to resolve this issue when passkeys become more mainstream.
Happy to help or talk through things if you’d like a hand getting comfortable with MFA 🩵
I don’t like MFA. If the password/passphrase is strong enough, why need MFA? If its software MFA (like an app) a malware that could steal the password would also be capable of stealing the MFA.
If its hardware, one fire in my house, and all the keys are dead. (And I do not want to deal with a safe deposit box or burying the backup hardware keys in the woods somewhere, honestly, I don’t know where I would put the backup keys)
Edit: Lmfao MFA cultists be downvoting 🤣
I’m not even advocating against MFA, I just personally dislike it. Wtf y’all 🤣
Please give MFA another look, it really is better security to use it.
The problems you mentioned: you keep the MFA backups in a password manager.
I know you’re worried about losing access to that password manager, use two different ones, write down your most important several passwords in a locked place, etc. it’s better.
I’m afraid I can’t help you with the ideological problem mate, only the practical one 😅 You’ve got sync or multiple devices, and you’ll have to pick 🤷