Bitwarden has introduced an additional layer of security for accounts that lack two-factor authentication (2FA). From now on, logging into such an account from a device Bitwarden does not recognize will require verification via email.
When the system detects a login attempt it considers suspicious, such as access from an unfamiliar device, it sends a verification code to the account's registered email address. Until that code is entered, access to the password vault remains restricted.
Starting in February, this security measure will become mandatory for all users who have not enabled 2FA. However, it will not affect accounts that have activated any form of two-factor authentication, automated authorization via API keys, or single sign-on (SSO). Additionally, the change does not apply to self-hosted instances.
While this method effectively serves as a form of two-factor authentication, Bitwarden emphasizes that using authenticator apps or FIDO security keys provides a more robust layer of protection.
Among the events that will trigger a verification request, Bitwarden highlights logging in from a new device, reinstalling the application, and clearing browser cookies. The company also warns of a lockout risk for users who keep their email credentials only inside the password vault: if the vault is locked pending email verification, the code needed to unlock it is sent to an inbox they cannot open. To avoid losing control of the account, users are advised to maintain access to their email that does not depend on the vault.
It is worth noting that this measure does not eliminate the need for a strong and unique master password. The longer and more complex the password, the more resistant it is to compromise.