Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and don’t bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)

(Imagine leaving your key in your house, lol)

Source: https://bitwarden.com/help/new-device-verification/

Excerpt:

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Edit: Updated title to clarify that people who have 2FA are not affected.

  • calcopiritus@lemmy.world · 4 days ago

    Why would they ever force this?

    The purpose of MFA is to:

    Mitigate using the same password on multiple sites and one of them has a data breach.

    Mitigate the impact of keyloggers/other kinds of malware.

    Mitigate the bad security of bad passwords.

    Mitigate the password manager’s own data breach.

    If you have at least two braincells, you will choose a unique and secure password for your password manager. That’s the point of password managers, that you only have to remember 1 password so it can be unique and strong. Also, a password manager (especially open source) should have almost perfect security, so them being hacked should not be a concern.

    The only thing MFA is doing on password managers is to mitigate malware. Which I don’t think is a good justification to force the hassle of MFA on everyone.

    Fine if they wanna give the option of MFA, but don’t force it on everyone.