科技回声
A technology news platform built on Next.js, serving global technology news and discussion content.
© 2025 科技回声. All rights reserved.

Bitwarden is turning 2FA on by default for new devices

225 points, by coldblues, 4 months ago

27 comments

dyml, 4 months ago
I just want to point out that the title is wrong. 2FA is on by default, but not mandatory. Dang, can we change the title?
foxygen, 4 months ago
This is terrible, honestly. One of the reasons I use Bitwarden is to be able to not know all my passwords besides the Bitwarden one. I don't know my email password, so can't use that for 2FA. Same for using my phone number or an authenticator app: if I lose my phone, I would also be locked out of my account.

The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.
TheFreim, 4 months ago
I can understand adding some friction to discourage using Bitwarden without 2FA, but making it mandatory seems very wrongheaded. I've been using 2FA on Bitwarden for a while and it adds a lot of friction and made me very nervous that if I lost my phone I'd be locked out of literally every account I have. I mentioned elsewhere (link below) that I have solved this issue for myself, but people shouldn't be required to jump through these hoops and introduce a greater opportunity to lose access to their accounts if they should lose their phone.

https://news.ycombinator.com/item?id=42853696
godelski, 4 months ago
I like Bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution. This feature may actually cause me to leave. I actually ended up buying a subscription and then refunding it in less than an hour.

So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....

Some more general complaints:

The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part: when you want to retrieve the item, you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I got to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?

The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.

Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.

Of course there are frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's Relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden", but no one cares and this does nothing to help brand recognition, it just makes things confusing).
anlsh, 4 months ago
If anyone works at Bitwarden, can you get your UI people to stop retheming for the umpteenth time and instead make the "detailed view" of any entry read-only by default? Every time I need to access my notes on an entry I'm scared that I'll accidentally typo a letter into my password or a 2FA code or something.
jaden, 4 months ago
I get the desire to make the Bitwarden login more secure, but this is very likely to cause problems for users who don't have their email password memorized. 2FA already carries the burden of needing a backup if you lose your phone. This change means users will need to come up with an alternate way to log in to their email account. I'm not sure it's worth it.
wiether, 4 months ago
I'm taking this opportunity to Ask HN: what do you think of the new Bitwarden browser extension?

Sure, it looks more modern and a few things are better.

But personally I HATE the new "copy" button.

With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.

Now there's just a single button that will display a list of options to choose from depending on what you want to copy.

So instead of copying a field with one click, now I need to do one click, go to the right option, and another click.

Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.

How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...
Lammy, 4 months ago
This one is not too bad since it's only once per device, assuming they define a device by generating some unique value at first login so I really won't have to go through it again despite any updates, changes in network, etc.

In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.
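The "unique value at first login" design the comment above assumes, and the "cache my location or store a cookie" question godelski raised earlier, both describe the same mechanism: a per-device trust token. Below is an added example of that gate in Python (constructed here; not Bitwarden's code, and nothing about Bitwarden's actual implementation is claimed). The in-memory table, the 90-day idle expiry and the user/token values are assumptions. The point it demonstrates is that the device is whatever holds the token: network, VPN or IP changes do not re-trigger 2FA, a fresh browser profile does, and only a hash of the token is stored server-side.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory store (a real server persists this): user -> {sha256(token): last_seen}
KNOWN_DEVICES: Dict[str, Dict[str, float]] = {}
DEVICE_TTL_SECONDS = 90 * 24 * 3600   # assumed policy: forget a device idle for 90 days


def _token_hash(token: str) -> str:
    """Only the hash is stored, so a leaked table cannot be replayed as a trusted device."""
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str, password_ok: bool, device_token: Optional[str], now: float) -> Tuple[str, Optional[str]]:
    """First factor plus device check.

    Returns ("denied", None) on a bad password, ("ok", token) when the client presented a
    live device token for this user, and ("needs_2fa", None) otherwise. IP, User-Agent and
    geolocation are deliberately not inputs: the device is whatever holds the token.
    """
    if not password_ok:
        return "denied", None
    devices = KNOWN_DEVICES.get(user, {})
    if device_token is not None:
        h = _token_hash(device_token)
        last_seen = devices.get(h)
        if last_seen is not None and now - last_seen <= DEVICE_TTL_SECONDS:
            devices[h] = now   # sliding expiry: an active device stays trusted
            return "ok", device_token
    return "needs_2fa", None


def complete_2fa(user: str, second_factor_ok: bool, now: float) -> Optional[str]:
    """Called once the second factor (TOTP, email code, security key) has been checked.

    Mints a fresh random token for this device; the client keeps it (cookie or local
    storage) and presents it on later logins. One token per browser profile or app install.
    """
    if not second_factor_ok:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of entropy, opaque to the client
    KNOWN_DEVICES.setdefault(user, {})[_token_hash(token)] = now
    return token


def forget_all_devices(user: str) -> None:
    """Lost or stolen device: drop every trusted device so each one must redo 2FA."""
    KNOWN_DEVICES.pop(user, None)


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    print(login("alice", True, None, t0))                      # ('needs_2fa', None)
    tok = complete_2fa("alice", True, t0)
    print(login("alice", True, tok, t0 + 60))                  # ('ok', <token>)
    print(login("alice", True, "not-a-real-token", t0 + 60))   # ('needs_2fa', None)
```

Because the token lives client-side, clearing browser storage or switching to a new profile looks like a new device, which is exactly the case the thread is debating.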
rlpb, 4 months ago
I very carefully added 2FA to my wife's Bitwarden account a while ago. I got her a Yubikey and added mine as well as my backup keys in case one ever got lost.

I discovered much later that they call email "2FA", so her account isn't actually protected by the hardware keys at all. Like others here, this doesn't make sense to me since it's circular.

(And separately, the Yubikey seems to often not work on Android anyway.)
stronglikedan, 4 months ago
And the "mandatory" part will probably lose them at least one customer (me).
fungiblecog, 4 months ago
While we're bitching about the Bitwarden UI, my pet peeve is that 99% of my accounts use my email as the username but I still have to type it in every time I create a new account. How about having auto-suggest?
self_awareness, 4 months ago
I'm paying for Bitwarden now, but after they enforce 2FA, I'll stop.
alkh, 4 months ago
Today, I almost had a heart attack because I couldn't log in to BW Web. Strangely, both mobile and desktop versions worked fine with the same password... The issue resolved automatically in a few hours, still no idea what this was.

Still, I backed up my passwords as soon as I logged into the mobile app, so, like some people here say, I highly recommend everyone do periodic backups and not be like me (:. I would have lost everything if something did happen to my vault access.
gck1, 3 months ago
2FA on a password manager is a stupid, stupid idea and will surely lock out many people from the non-tech-savvy pool.

Even engineers have trouble noticing or understanding circular dependencies. Does Bitwarden, a password manager that tries to cater to this specific target audience, really expect them to figure out they're set up to be locked out once they lose their device?
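The circular dependency the comment above describes (and rlpb's "it's circular" about email-as-2FA, and foxygen's phone-loss case) can be checked mechanically rather than noticed by luck. The following is an added example, not from the page or any commenter: each asset lists the alternative sets of things that unlock it, and a least-fixpoint pass computes what you can still reach from what you physically hold. Nothing inside a cycle ever becomes available unless something outside the cycle breaks in, which is exactly why a vault whose only second factor is an email account whose password lives in the vault is unrecoverable after a phone loss. The asset names and the scenario are constructed.

```python
from typing import Dict, Iterable, List, Set

# asset -> alternatives; any one alternative suffices, every item in it is required.
# Assets with no entry are primitive: you either hold them or you do not.
Requirements = Dict[str, List[Set[str]]]

# Constructed scenario: vault unlocks with master password + (phone TOTP or email login);
# the email password is stored only in the vault; the TOTP app is on the phone.
SCENARIO: Requirements = {
    "vault": [{"master_password", "phone_totp"}, {"master_password", "email_login"}],
    "email_login": [{"email_password"}],
    "email_password": [{"vault"}],
    "phone_totp": [{"phone"}],
}


def recoverable(reqs: Requirements, held: Iterable[str]) -> Set[str]:
    """Least fixpoint: an asset becomes available once one alternative is fully available.
    A cycle with no held entry point never resolves, so it simply stays out of the result."""
    available = set(held)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in reqs.items():
            if asset not in available and any(alt <= available for alt in alternatives):
                available.add(asset)
                changed = True
    return available


def locked_out(reqs: Requirements, held: Iterable[str], targets: Iterable[str]) -> Set[str]:
    """Targets you cannot regain with what you hold."""
    reachable = recoverable(reqs, held)
    return {t for t in targets if t not in reachable}


def with_offline_recovery_code(reqs: Requirements) -> Requirements:
    """Same setup plus a printed recovery code that unlocks the vault with the master password.
    This is the edge that breaks the vault <-> email cycle."""
    patched = {k: [set(a) for a in v] for k, v in reqs.items()}
    patched["vault"].append({"master_password", "recovery_code"})
    return patched


if __name__ == "__main__":
    print("normal day:", locked_out(SCENARIO, {"master_password", "phone"}, ["vault", "email_login"]))
    print("phone lost:", locked_out(SCENARIO, {"master_password"}, ["vault", "email_login"]))
    fixed = with_offline_recovery_code(SCENARIO)
    print("phone lost, code in a drawer:", locked_out(fixed, {"master_password", "recovery_code"}, ["vault", "email_login"]))
```

Run it against your own setup by listing every account, device and secret you depend on, then deleting items from `held` one at a time to see which single loss locks you out.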
tonymet, 4 months ago
I encourage everyone to update your email address (user login) by adding some novel characters to your email, like youremail+bw1234@gmail.com, because there are active attacks against Bitwarden right now.

Thankfully Bitwarden warned me about the attempts. For the rest of the customers it's a matter of time before you are a target.
grougnax, 4 months ago
This is very bad news.
redmajor12, 4 months ago
For someone who has only used offline, local password vaults, what is the advantage of a cloud-based solution (for personal use, not enterprise)? I'm interested in their self-hosted option, but not sure what the advantages would be over KeePass and Syncthing.
ss64, 4 months ago
This is why I like generating passwords with a one-way SHA-256 hash: no need for any storage or encryption and no reliance on some website service being up.
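The stateless scheme in the comment above (derive each site password from a master secret and the site name, store nothing) is shown below as an added example, not the commenter's own code. The alphabet, the PBKDF2 iteration count, the domain-separation label and the `counter` parameter are assumptions of this example. Two details matter in practice and are handled here: site and counter enter through HMAC rather than plain concatenation, and the master secret goes through a slow KDF first, because anyone who learns one derived password and guesses the scheme gets an offline attack on the master.

```python
import hashlib
import hmac
import string

# 70-symbol alphabet (assumed); site policies that reject symbols need a different one.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
_ACCEPT_BELOW = 256 - (256 % len(ALPHABET))   # rejection sampling bound, avoids modulo bias


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic per-site password: same (master, site, counter) always gives the same string.

    counter is the only way to 'rotate' a site password in a stateless scheme: bump it and
    remember the new value, since there is no vault to record that a change happened.
    """
    # Slow, fixed-salt KDF over the master (stateless, so no per-user salt is available).
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"stateless-pw-v1", 200_000)
    out = []
    block = 0
    while len(out) < length:
        # HMAC with the derived key; site, counter and block index are length-delimited with NUL
        msg = f"{site}\x00{counter}\x00{block}".encode()
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < _ACCEPT_BELOW:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def rotate(master: str, site: str, current_counter: int) -> str:
    """Convenience: the password you set after a breach of `site` (counter + 1)."""
    return derive_password(master, site, current_counter + 1)


if __name__ == "__main__":
    m = "correct horse battery staple"   # constructed master secret
    print("example.com  #1:", derive_password(m, "example.com"))
    print("example.com  #2:", rotate(m, "example.com", 1))
    print("example.org  #1:", derive_password(m, "example.org"))
```

What the code cannot do is also the scheme's trade-off: the derivation function and alphabet must never change (every password would change with them), the master cannot be rotated without resetting every site, and counters still have to be remembered somewhere.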
Cortex5936, 4 months ago
Any good alternatives that do not require 2FA?
workfromspace, 4 months ago
Yet we still don't have any tags / labels for passwords...
lousken, 4 months ago
Still didn't implement showing credential information when searching, so that you don't end up with 10 credentials with the same name across folders? Shame.
Canada, 4 months ago
Reminder: dump your password manager database into cleartext backups regularly. Store them on encrypted media (e.g. a USB stick with FileVault, VeraCrypt, or similar).

Then you will not be totally screwed if your password manager does a rug pull against you such as what Bitwarden is doing with this change.
gpi, 4 months ago
Why is this news? 2FA is quite basic, is it not?
jampekka, 4 months ago
If you want to be truly secure, use a Bitwarden random password for your email and wipe your device!
bongodongobob, 4 months ago
Great example here of HN's ignorance of basic security in this thread. Bitches and moans about companies' data breaches. Bitwarden turns on 2FA by default to kill 99.9% of attacks (you all should be smart enough to be using this already) and y'all are crying about it.

I hope the companies you work for have security teams to protect the company from your crazy attitudes.
move-on-by, 4 months ago
I didn't realize it was not required. This is a good change.

I could see this being one of those no-brainer decisions that requires herculean effort to push through all the product politics.

I would love to hear how this change came about and what hurdles needed overcoming from someone in the know.
AutistiCoder, 4 months ago
SMS-based two-way login would be a better way to do 2FA.

Think of it from the user perspective: now they have to download and use yet another app on their cellphone just to log in.

Yes, I am aware of SMS's vulnerabilities, but the weakest link is always the user.