Emergency Access enables users to designate and manage trusted emergency contacts, who may request access to their Vault with a configurable level of permissions.
Only Premium users, including members of paid Organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts, however anyone with a Bitwarden account can be designated as a trusted emergency contact.
If your premium features are cancelled or lapses due to failed payment method, your trusted emergency contacts will still be able to request and obtain access to your Vault. You will, however, not be able to add new or edit existing trusted emergency contacts.
How it Works
A Bitwarden user (the grantor) invites another Bitwarden user to become a trusted emergency contact (the grantee). The invitation (valid for only 5 days) specifies a user access level and includes a request for the grantee's public key.
Grantee is notified of invitation via email and accepts the invitation to become a trusted emergency contact. On acceptance, the grantee's public key is stored with the invite.
Grantor is notified of acceptance via email and confirms the grantee as their trusted emergency contact. On confirmation, the grantor's Master Key is encrypted using the grantee's public key and stored once encrypted. Grantee is notified of confirmation.
An emergency occurs, resulting in grantee requiring access to grantor's Vault. Grantee submits a request for emergency access.
Grantor is notified of request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the public-key-encrypted Master Key is delivered to grantee for decryption with grantee's private key.
Depending on the specified user access level, the grantee will either:
Obtain view/read access to items in the grantor's Vault (View).
Be prompted to create a new Master Password for the grantor's Vault (Takeover).
Trusted Emergency Contacts
Trusted emergency contacts must be existing Bitwarden users, or will be prompted to create a Bitwarden account before they can accept an invitation. Trusted emergency contacts do not need to have Premium to be designated as such.
A user's status as a trusted emergency contact is tied to a unique Bitwarden account ID, meaning that if a trusted emergency contact changes their email address there is no reconfiguration required to maintain their emergency access. If a trusted emergency contact creates a new Bitwarden account and deletes the old account, they will automatically be removed as a trusted emergency contact and must be re-invited.
There is no limit to the number of trusted emergency contacts a user can have.
You can reject an emergency access request by your trusted emergency contact at any time before the configured wait time lapses.
Trusted emergency contacts can be granted one of the following user access levels:
View: When an emergency access request is granted, this user is granted view/read access to all items in your personal Vault, including passwords of Login items.
You may revoke access to a trusted emergency contact with View access at any time.
Takeover: When an emergency access request is granted, this user can create a Master Password for permanent read/write access to your Vault (this will replace your previous Master Password). Takeover disables any Two-step Login Methods enabled for the account.
If you are a member of an Organization, you will be automatically removed from any Organization(s) for which they are not an Owner on takeover. Owners will not be removed from or lose permissions to their Organization(s), however a Master Password Policy will be enforced on takeover if enabled. Policies that are not usually enforced on Owners (e.g. Two-step Login) will not be enforced on takeover.
Setup Emergency Access
The following sections will walk you setting up Emergency Access, separated by whether you want to Give Access to your Vault or Receive Access to another user's Vault:
Use Emergency Access
Once setup, the following sections will help you Initiate Access as a trusted emergency contact or Manage Access as someone who has designated a trusted emergency contact: