Bitwarden to enable two-step login for all users in the next days, sort of
Bitwarden is a popular open source password management solution that we have mentioned several times in the past. It is one of our recommended password managers.
Bitwarden announced recently that it is changing how users sign in to their vaults. Up until now, users could be divided into two groups: those that sign in with just the username and password, and those that use two-step authentication or other additional protection steps.
Starting February 2025, two-step login will be enabled automatically for all users in some circumstances.
Here is what is changing:
- Users who sign in with just their username and password are affected.
- An email with a code is sent to their linked address.
- This code needs to be entered on the sign in page to complete the authentication.
- This affects new devices only (including old devices, if cookies are deleted or apps are uninstalled)
Bitwarden says that this is done to improve the security of users who have not enabled two-step login. It does not apply to self-hosted solutions, SSO, passkeys, or API key logins.
What this means for affected Bitwarden users
If you sign in to Bitwarden with just the username and password, you are affected.
- Make sure that you have an email address linked to the account.
- Or, enable two-step login or the use of passkeys before February.
Tip: check out our guide on creating and using Passkeys in Bitwarden.
How the new process works for affected users
The company describes the process for these users in detail on a new support page:
- The first steps of the sign in process remain unchanged. Users are asked to enter their username and password.
- One of the following scenarios happens next:
  - If the device is known, they are signed in.
  - If the device is not known, the linked email address is displayed. A code is sent to the email and the user needs to enter the code on the sign in page to complete the authentication.
Note that this requires that an email address is linked to the account. Bitwarden recommends it, but is aware that some users may prefer otherwise. These users may then either enable two-step login, use an email alias forwarding service, or self-host Bitwarden.
The change is problematic in the following scenarios:
- When users have not added an email address to their Bitwarden account.
- When the email account password is stored in Bitwarden exclusively.
Users may lock themselves out of their Bitwarden account in the second scenario under certain circumstances. Bitwarden recommends that users secure access to the linked email account through other means (not exclusively in the Bitwarden vault), or enable two-step login protection instead, which avoids the issue.
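The sign-in flow and its exemptions as described above, modelled in Python as an added example; this is not Bitwarden's code. The state names, the 6-digit code format, the code lifetime and the `no_email_on_file` outcome are assumptions made for the model.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

EXEMPT_METHODS = {"sso", "passkey", "api_key"}  # sign-in methods the article lists as unaffected
CODE_TTL = 300  # assumption: seconds a code stays valid; the article gives no lifetime

@dataclass
class Account:
    email: Optional[str]
    two_step_enabled: bool = False
    self_hosted: bool = False
    known_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> (code, expiry)

def next_step(acct, method, device_id, now):
    """Decide what follows a correct username and password."""
    if acct.self_hosted or method in EXEMPT_METHODS:
        return "signed_in"
    if acct.two_step_enabled:
        return "two_step_login"        # the user's own second factor applies instead
    if device_id in acct.known_devices:
        return "signed_in"
    if not acct.email:
        return "no_email_on_file"      # assumption: the model's label for this case
    code = f"{secrets.randbelow(10**6):06d}"   # assumption: 6-digit numeric code
    acct.pending[device_id] = (code, now + CODE_TTL)
    return "email_code_required"       # a real service would email the code here

def submit_code(acct, device_id, code, now):
    """Check an emailed code; on success the device becomes known."""
    expected, expiry = acct.pending.get(device_id, (None, 0))
    if expected is None or now > expiry:
        acct.pending.pop(device_id, None)   # expired or never issued
        return False
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    del acct.pending[device_id]
    acct.known_devices.add(device_id)
    return True
```

A device whose cookies were deleted shows up with a new `device_id`, which is why the model sends it through the email code step again.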

Bitwarden users may configure two-step login on this page on the website after logging in. Bitwarden supports authenticator apps, email, passkey as well as select security key solutions for premium customers.
Do you use password managers? If so, which is your preferred application and why? What is your take on the change? Feel free to leave a comment down below.