Account AccessLog In & UnlockMore Log In Options

Log in with Emergency Access

Emergency access allows you to designate and manage trusted emergency contacts, who can request access to your vault in cases of emergency. Contacts can be granted either view or takeover user access, giving you control over what they can do if they ever need to step in:

  • View: When an emergency access request is granted, this user is granted view/read access to all items in your individual vault, including login items' passwords and attachments.

  • Takeover: When an emergency access request is granted, this user must create a master password for permanent read/write access to your vault. This will replace your previous master password and remove any two-step login methods that were previously set up.

Add trusted emergency contacts

Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can appoint trusted emergency contacts. Anyone with a free or premium Bitwarden account on the same Bitwarden server can be designated as a trusted emergency contact. There is no limit to the number of trusted emergency contacts you can have.

Setting up emergency access is a three-step process:

  1. You invite another user to become your trusted emergency contact.

  2. They accept the invitation.

  3. You confirm them as your trusted emergency contact.

As someone who wants to grant emergency access to your vault, invite a trusted emergency contact:

  1. In the Bitwarden web app, go to SettingsEmergency access.

  2. Select Add emergency contact:

    Emergency access page
    Emergency access page

  3. Enter the Email of your trusted emergency contact. Trusted emergency contacts must have a Bitwarden account (free or premium) and be on the same server geography:

    Invite an emergency contact
    Invite an emergency contact

  4. Set a User Access level for the trusted emergency contact, View or Takeover.

  5. Set a Wait time. This is how long your trusted emergency contact must wait after requesting account access before it's granted, unless you manually approve the request earlier. The minimum wait time is one day.

  6. Select Save to send the invitation.

Your trusted emergency contact must now accept the invitation.

note

Invitations to become a trusted emergency contact are only valid for five days.

Use emergency access

Once set up, a trusted emergency contact can request access to your account. If you can still log in to your account, you can approve or deny the request during the specified wait time. When you no longer want a trust contact to be able to access your account, you can revoke their emergency access.

To request access to an account:

  1. When logged in to the account that's set up as a trusted emergency contact and in the Bitwarden web app, go to SettingsEmergency access.

  2. In the Designated as emergency contact section, select the Menu icon:

    Request emergency access
    Request emergency access

  3. Select Request Access from the confirmation that appears. An email is sent to the account holder, telling them that access to their account was requested.

You will be provided access to the grantor's vault after the wait time specified or when the grantor manually approves your emergency access request.

Manage trusted emergency contacts

You can update your trusted emergency access contacts at any time. To change an emergency access contact's user access or wait time:

  1. Go to SettingsEmergency access.

  2. Click on the user's email, which will open their details.

  3. Update the User access or Wait time as desired.

  4. Select Save.

To remove someone as a trusted emergency contact:

  1. Go to SettingsEmergency access.

  2. Select the Menu icon.

  3. Select Remove.

  4. Select Yes to confirm.

After access to your account is granted to a trusted contact, you can revoke their access.

How it works

note

The following information references encryption key names and processes that are discussed in hashing, key derivation, and encryption. Consider reading those details first.

Emergency access uses public key exchange and encryption/decryption to allow users to give a trusted emergency contact permission to access vault data in a zero-knowledge encryption environment:

  1. A Bitwarden user (the grantor) invites another Bitwarden user to become a trusted emergency contact (the grantee). The invitation specifies a user access level, includes a request for the grantee's RSA Public Key, and is valid for only five days.

  2. Grantee is notified of the invitation via email and accepts the invitation to become a trusted emergency contact. On acceptance, the grantee's RSA Public Key is stored with the user record.

  3. Grantor is notified of the invitation's acceptance via email and confirms the grantee as their trusted emergency contact. On confirmation, the grantor's User Symmetric Key is encrypted using the grantee's RSA Public Key and stored with the invitation. Grantee is notified of confirmation.

  4. An emergency occurs, resulting in grantee requiring access to grantor's vault. Grantee submits a request for emergency access.

  5. Grantor is notified of the request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the Public Key-encrypted User Symmetric Key is delivered to the grantee for decryption with the grantee's RSA Private Key.

    Alternatively, the grantor may reject the request, which will prevent the grantee gaining access as described in the next step. Rejecting a request will not remove the grantee from being a trusted emergency contact or prevent them from making access requests in the future.

  6. Depending on the specified user access level, the grantee will either:

    • View: Obtain view/read access to items in the grantor's vault.

    • Takeover: Be asked to create a new master password for the grantor's vault.

Frequently asked questions