Bitwarden, a widely used password manager, is enhancing security for accounts that do not have two-factor authentication (2FA) enabled. Starting in February 2025, users logging in from unrecognized devices will be required to verify their identity via an emailed verification code. This new measure is designed to prevent unauthorized access to user vaults, particularly for those who have not implemented 2FA. This security step is triggered by logging in from a device the system does not recognize, such as after app reinstallation or browser cookie deletion, and aims to provide better protection against credential theft.
This email verification requirement will not affect users of self-hosted instances or those who already use 2FA, API keys, or single sign-on (SSO) for logins. Users who do not use any of these measures are strongly encouraged to ensure they have independent access to their associated email accounts so that they can retrieve the verification code. It is also advised to use strong and unique master passwords that cannot be easily compromised. Email verification is intended to add a layer of protection. Independent email access matters because users may store their email account credentials within their Bitwarden vaults, which means they would need access to those credentials to get the emailed codes.