
The importance of taking care of your passwords in a reliable and secure manner cannot be overstated in today's cybercrime-ridden world. That is why many people use open source password managers to enhance their privacy game.
And no, you should not be relying on a web browser's password manager to handle such sensitive data. That's what I believe.
I have been a long-time user of Bitwarden and can confidently vouch for its reliability and security. However, one thing has always bothered me: the absence of a gatekeeping mechanism for my account that doesn't have 2FA enabled.
Luckily, that's about to change. 😃
Bitwarden Tightens Up Security

Starting February 2025, Bitwarden will require a verification code when users without two-factor authentication (2FA) log in from an unrecognized device.
This verification code will be sent to the registered email address of the user, so losing access to that email won't bode too well for their Bitwarden account. A device is considered new if any of the following applies:
- You uninstalled and reinstalled the mobile or desktop app.
- You cleared your web browser cookies or uninstalled the Bitwarden browser extension.
- This is a new device that you haven't used before to log in to your Bitwarden account.
Bitwarden has started sending in-app alerts and email reminders urging users to either turn on one of the 2FA login methods or to ensure reliable access to their email address.

I have already gotten a notice on my Android smartphone to confirm whether I could reliably access the email address associated with my Bitwarden account.
Of course, if you want to avoid all that, then you can choose to enable 2FA, which will eliminate the need to enter a verification code whenever you log in from a new device. In doing so, you will also greatly strengthen the security of your password vault.
However, this email-based verification can be skipped in a few cases. One is the soon-to-be-added opt-out setting on the Bitwarden accounts page; the other applies to users who log in using SSO, a passkey, or an API key, who are exempt from it.
If you don't fit in the above-mentioned criteria, then the next best bet is to either self-host Bitwarden or switch to an alternative password manager like Proton Pass. It has some rather interesting features that can further safeguard your online identity.
To learn more about this change, you can refer to the announcement blog and the FAQ.