New Device Login Protection (February 2025)

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Most users will not experience this prompt unless they are frequently logging into new devices. This verification is only needed for new devices or after clearing browser cookies.

If you regularly access your email, retrieving the verification code should be straightforward. If you prefer not to rely on your Bitwarden account email for verification, you can set up two-step login through an authenticator app, a hardware key, or two-step login via a different email.

Users affected by this change will see the following in-product communication and should have received an email informing them of the change:

New device verification announcement

FAQs

When will this happen?

This change will go into effect starting February 2025.

Why is Bitwarden implementing this?

Bitwarden is implementing this change to enhance security for users who don't have two-step login activated. If someone gains access to your password, they still won't be able to log into your account without secondary verification (the code sent to your email). This extra layer helps protect your data from hackers who often target weak or exposed passwords to gain unauthorized access.

When will I get prompted for this verification?

You will only get prompted for this verification when logging in from new devices. If you’re logging into a device that you’ve used before, you will not be prompted. 

What is considered a new device? 

A new device is any device that hasn't been previously used to log into your Bitwarden account. This could include a new phone, tablet, computer, or browser extension that you’ve never logged in from before. When you log in from a new device, you'll be asked to verify your identity via a one-time code sent to your email. 

Other scenarios that will cause a device to be treated as new:

  • If you uninstall and reinstall the mobile or desktop app

  • Clearing browser cookies 

My email credentials are saved in Bitwarden. Will I be locked out of Bitwarden?

Email verification codes will only be required on new devices for users who do not have two-step login enabled. You will not see this prompt on devices you have previously logged in from, and you will log in as normal with your account email and your master password.

If you are logging into a new device, your Bitwarden account email will receive a one-time verification code. If you have access to your email, for example through a persistently logged-in email session on your mobile phone, then you will be able to retrieve the one-time verification code to log in. Once logged in to the new device, you will not be prompted again for the verification code.

If you regularly log into your email using credentials saved in Bitwarden or do not want to rely on your email for verification, you should set up two-step login that will be independent from the Bitwarden account email. This includes an authenticator app, security key, or email-based two-step login with a different email. Having any 2FA method active will opt the user out of the email-based new device verification. Users with 2FA active should also save their Bitwarden recovery code in a safe place.

Who is excluded from this account email-based new device verification?

The following categories of logins are excluded:

  • Users who have two-step login set up are excluded.

  • Users who log in with SSO, a passkey, or with an API key are excluded.

  • Self-hosted users are excluded.

  • Users who log in from a device where they have previously logged in are excluded.

My organization uses SSO, do my users have to complete new device verification?

No. Users logging in with SSO will be exempt and not asked to verify the login on a new device. However, if a user, without two-step login enabled, logs in with a username and password without going through SSO, they will be asked to verify the new device.

I do not want to share my real email with Bitwarden, how can I set up my account?

Users who want to remain anonymous have several options available:

  • Use a two-step login option that doesn’t require an email, including an authenticator app, security key, or email-based two-step login with a different email.

  • Use an email alias forwarding service.

  • Self-host Bitwarden.

Bitwarden encourages users to have an active email, as Bitwarden sends important security alerts like failed login attempts.
