Password management service Bitwarden announced a major security upgrade that will require email verification when logging in from unrecognized devices, starting February 2025. This change primarily affects users who haven't enabled two-factor authentication (2FA) on their accounts.
Under the new system, users attempting to access their password vaults from new devices or after clearing browser cookies will need to enter a verification code sent to their registered email address. Without this code, access to the vault will be denied.
The enhanced security measure will not apply to several user categories, including:
- Accounts with 2FA already enabled
- Self-hosted Bitwarden instances
- Users utilizing API keys
- Accounts configured with Single Sign-On (SSO)
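To make the flow described above concrete, here is an added example (written for this page, not Bitwarden's own code) of the server-side decision: skip the check for recognized devices, 2FA-enabled accounts, API-key and SSO logins and self-hosted instances, otherwise issue a short-lived emailed code and only remember the device once the code has been entered. The 15-minute lifetime, the five-attempt cap, the eight-digit code format and the method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5             # assumed number of wrong guesses before a code is discarded


@dataclass
class Account:
    email: str
    two_factor_enabled: bool = False
    # SHA-256 digests of device tokens this account has already verified;
    # a browser that clears its cookies loses the token and must verify again
    recognized_devices: set = field(default_factory=set)


@dataclass
class PendingCode:
    code_hash: bytes      # only a digest of the code is kept server-side
    expires_at: float
    attempts: int = 0


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


class NewDeviceGate:
    """Decides whether a login needs an emailed code and checks that code."""

    def __init__(self, send_email, self_hosted: bool = False):
        self.send_email = send_email       # callable(email, code); a stub in tests
        self.self_hosted = self_hosted     # self-hosted instances are exempt
        self.pending = {}                  # email -> PendingCode

    def needs_verification(self, account: Account, device_token: Optional[str],
                           login_method: str = "password") -> bool:
        if self.self_hosted:
            return False
        if login_method in ("api_key", "sso"):
            return False
        if account.two_factor_enabled:      # a real second factor already covers this
            return False
        if device_token is not None and _digest(device_token) in account.recognized_devices:
            return False
        return True

    def challenge(self, account: Account, now: Optional[float] = None) -> None:
        """Generate a one-time code, store its digest and email the code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[account.email] = PendingCode(_digest(code), now + CODE_TTL_SECONDS)
        self.send_email(account.email, code)

    def verify(self, account: Account, submitted: str,
               now: Optional[float] = None) -> Tuple[bool, Optional[str]]:
        """Return (ok, device_token). The token is set as a cookie on success."""
        now = time.time() if now is None else now
        pending = self.pending.get(account.email)
        if pending is None:
            return False, None
        if now > pending.expires_at:            # expired: discard, user must request a new one
            del self.pending[account.email]
            return False, None
        pending.attempts += 1
        if not hmac.compare_digest(_digest(submitted), pending.code_hash):
            if pending.attempts >= MAX_ATTEMPTS:   # too many guesses: discard the code
                del self.pending[account.email]
            return False, None
        del self.pending[account.email]         # single use
        token = secrets.token_urlsafe(32)
        account.recognized_devices.add(_digest(token))
        return True, token


if __name__ == "__main__":
    outbox = []
    gate = NewDeviceGate(lambda email, code: outbox.append(code))
    acct = Account(email="user@example.test")   # constructed sample account
    if gate.needs_verification(acct, device_token=None):
        gate.challenge(acct)
        ok, token = gate.verify(acct, outbox[-1])
        print("verified:", ok, "device now recognized:",
              not gate.needs_verification(acct, token))
```

The lockout caveat in the article falls out of this design: if the only copy of the email password is inside the vault, a user on a new device cannot read the code and cannot open the vault, so the email account needs an independent way in.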
"When logging in from an unrecognized device, users will be asked for an emailed verification code to confirm the login attempt and better protect their Bitwarden vaults," the company stated in its announcement.
Security expert James Carter supports the move but advises users to implement additional protection: "While this is a strong step forward, users should still activate true 2FA methods like authenticator apps or FIDO passkeys for maximum protection."
Bitwarden cautions users who store their email credentials within their password vaults to maintain separate access to their email accounts to prevent potential lockouts. The company also emphasizes the continued importance of using strong master passwords to protect against brute-force attacks.
This security enhancement represents Bitwarden's ongoing commitment to protecting user data, even for those who haven't opted into traditional two-factor authentication methods.