Especially for personal accounts.
I get why a corporation would require it for employees…
But I hate it when Apple, Samsung, etc. are forcing you to have 2fa, especially by requiring a phone number.
Side note: Bitwarden will be requiring email verification codes starting in February 2025, for those who haven’t enabled 2fa yet (see my Post in YSK). Most people store their email credentials in their password vault… so a lot of people are gonna get locked out of their bitwarden vaults. I kinda hate it, especially on such short notice (less than 10 days).
I hate it. I already agreed to use a unique, unmemorizable password for every account and store them all in Bitwarden, and now this is not enough? Yeah, I store my email password in Bitwarden too. With phones it’s even worse, since it’s way more probable to lose your phone than to lose your money due to a database password breach. I don’t understand why those probabilities are not estimated when introducing practices like this. Also, I don’t remember the details, but in the past I lost some accounts and passwords just by factory resetting the phone which had the password manager app installed (probably forgot to transfer passphrases from the phone before wiping it).
Absolutely necessary.
Bitwarden will only ask for 2fa when signing in from a new device.
Problem is, I still haven’t received any notice, and I’m assuming nobody received that notice either. I only knew because I happened to see it on the webpage.
Imagine someone with only a phone (most people have their phone as their only device) and then lose their phone, then try to log in and… “Wtf is this?!?” and their email password is in the vault.
There are probably a lot of people that this scenario will happen to.
They should’ve given at least 3 months of advance notice before implementing this; this is rushed and a lot of people are gonna get locked out. (I know you’re supposed to back up, but do you think the average person just expects Bitwarden to shut down, or to do a policy change with inadequate notice?)
I hate it. It should be my choice. Not all of my accounts need to be super secure. It sucks enough already when my phone breaks or something; I don’t need to be locked out of everything.
This is something that’s actually scary. Phones are so necessary now that when one breaks you could be digitally stranded, unable to log in to anything.
I remember reading of a privacy-aware couple who were each others’ “backups” in case one lost access. Well, they lost their house in a fire, along with their personal backups, and their “backup person” couldn’t access their cloud backups either.
I’m an old-fashioned believer in the 3-2-1 rule. Three copies of important data, two of them on different media, and one offsite. And make sure you can access each of them without the other two.
So, like, one password database on the phone (even if it’s offline, like most password apps have); one on the computer (like you probably want for use too?); and one in the cloud without need of either device or anything onsite to unlock (in my case, I’ve set up Bitwarden emergency access for someone in another country, and have a second Yubikey with a more local friend).
It should be required everywhere.
Username+password alone is not safe.
But if someone stores all their 2FA in their password vault, wouldn’t that just be 1FA with extra steps?