Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and not bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)
(Imagine leaving your key in your house, lol)
Source: https://bitwarden.com/help/new-device-verification/
Excerpt:
To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.
Good thing I noticed, otherwise I might’ve had a bad time next month 😖
Edit: Updated title to clarify that people who have 2FA are not affected.
This is a good thing. Any account you care about and don’t want to be accessed by anyone without your consent should have multifactor authentication enabled. Use an app like Google Authenticator or a hardware token like a Yubikey. 2FA through text or email is insecure and easily bypassed.
Friends don’t let friends raw dog the internet. Don’t be dumb and get your shit stolen. Use MFA everywhere.
Cant wait for someone to use bitwarden to store their bitwarden 2FA codes and recovery codes, thus locking themselves out of their account.
This is just a dumb move by bitwarden.
I’m fine, I use Aegis to store my bitwarden 2FA code. I just need my Aegis password to access it that is stored in … Bitwarden …
I might not be the sharpest egg in the basket, thanks OP to have made me realize my mistake and I’ll change that.
Multi device. If you have more than one device with your vault configured and protected with MFA then the risk of locking yourself out of the account drops logarithmically with each additional device.
When they turn this on, all your devices will have to reauthenticate simultaneously. There are absolutely going to be some people who get locked out when this goes live, which could be just as bad as an attacker gaining your credentials.
Oh dear lord, no. That’s absolutely wrong. Stop panicking and read.