Bitwarden is a beloved password manager for good reason—it’s feature-rich and its paid subscriptions cost bare pennies ($10/yr). The service is also proactive about continually strengthening security for its users.
Here’s the latest security update for cloud-hosted personal accounts: Starting in February, if you don’t have two-factor authentication enabled, a confirmation code will be sent to your email address when logging in from unrecognized devices. It must be entered to approve the sign-in attempt.
In its announcement of the new feature, Bitwarden says an unrecognized device is any device not previously used to log in, one where the Bitwarden app was uninstalled, or one that had its Bitwarden login cookies wiped. The service will treat all of these scenarios as new devices, forcing this verification step.
On the whole, this change is good—if someone guesses your password, your vault is protected against intrusion. But one big danger exists with this new layer of security, and Bitwarden specifically calls it out.
[Image: Bitwarden’s example screenshot of the upcoming verification check when logging in on a new (or “new”) device. Credit: Bitwarden]
Should you store your email credentials only in your Bitwarden account, you could accidentally lock yourself out of both your email and your password manager, with little to no recourse. How? If you need your Bitwarden vault to retrieve your email password, but Bitwarden sends the verification code to that same email address, you have no way of accessing either account: each one is waiting on the other.
This potential doomsday scenario isn’t limited to Bitwarden, either—there are other password managers that insert an additional confirmation step for unrecognized devices.
Luckily, there’s an easy solution. You can simply memorize your email password separately from that of your password manager.
Alternatively, for Bitwarden specifically, this new security procedure can be bypassed if you log into your account with a passkey or enable 2FA. It does not apply to users who log in via SSO or an API key, or who self-host their vault.
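The lockout described above is a circular dependency: the vault needs a code from the inbox, and the inbox password lives in the vault. The following added example (not Bitwarden's code; the account model, factor names and helper functions are assumptions for illustration) models that dependency as a small graph and checks which accounts can still be opened from a fresh device, both in the trapped setup and with the two fixes the article mentions.

```python
# Factors: "pw:<account>" is a password, "code:<account>" is a one-time
# code delivered to that account's inbox, "totp" is an authenticator app.
# Each account lists alternative login paths (every factor in a path is
# required) and the factors it hands out once opened (a vault yields the
# passwords stored in it). Constructed sample data, not real accounts.
ACCOUNTS = {
    "vault": {"paths": [{"pw:vault", "code:email"}], "grants": {"pw:email"}},
    "email": {"paths": [{"pw:email"}], "grants": set()},
}


def openable(accounts: dict, held: set[str]) -> set[str]:
    """Return the accounts reachable from a new device, given only the
    factors the user holds in their head or hands. Iterates to a fixed
    point, so a circular dependency simply never opens anything."""
    available, opened = set(held), set()
    progress = True
    while progress:
        progress = False
        for name, acct in accounts.items():
            if name in opened:
                continue
            for path in acct["paths"]:
                # A "code:X" factor is only usable once inbox X is open.
                if all(f in available or (f.startswith("code:") and f[5:] in opened)
                       for f in path):
                    opened.add(name)
                    available |= acct["grants"]
                    progress = True
                    break
    return opened


def lockout() -> set[str]:
    # Only the vault password is memorized; the email password is in the vault.
    return openable(ACCOUNTS, {"pw:vault"})


def memorize_email_password() -> set[str]:
    # Fix 1 from the article: remember the email password separately.
    return openable(ACCOUNTS, {"pw:vault", "pw:email"})


def enable_2fa() -> set[str]:
    # Fix 2: with 2FA enabled the email check is skipped, so the vault path
    # becomes master password plus authenticator code (assumed model).
    accounts = {**ACCOUNTS,
                "vault": {"paths": [{"pw:vault", "totp"}], "grants": {"pw:email"}}}
    return openable(accounts, {"pw:vault", "totp"})
```

Running `lockout()` returns an empty set, while both fixes return the full set of accounts.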
If you haven’t already started using passkeys or 2FA, you really should—whether or not you use Bitwarden. This style of limited verification check isn’t as strong as either of those two protections, and not all password managers send them out. At minimum, if you have a weak password securing your vault, upgrade it ASAP. A password manager can try to help save us from ourselves, but it’s never a guarantee.