New Device Verification (Early 2025)
To keep your account safe and secure, in early 2025, Bitwarden will require additional verification for users who do not use two-step login. When you log in from a new device or after clearing browser cookies, you will be prompted, once you have entered your Bitwarden master password, to enter a one-time verification code sent to your account email to complete the login process. This verification is not needed on devices where you have previously logged in.
If you prefer not to rely on your Bitwarden account email, you can set up a two-step login method that is independent from the account email, such as an authenticator app, a hardware key, or two-step login via a different email.
When will this happen?
This change will go into effect starting February 2025.
Why is Bitwarden implementing this?
Users with weak or reused master passwords and without two-step login do not have strong security profiles. Bitwarden aims to improve user security by adding a layer of authentication when such a user is logging in on a device for the first time.
My email credentials are saved in Bitwarden. Should I be worried about a circular dependency?
Users can set up a 2FA method that is independent from the Bitwarden account email, including an authenticator app, security key, or email-based two-step login with a different email. Having any 2FA method active will opt the user out of the email-based new device verification. Users without 2FA enabled will need to retain access to their email account outside of Bitwarden. For example, a user can write down their email password on an emergency recovery sheet that they keep in a safe, physically secure location. Users with 2FA active should save their Bitwarden recovery code in a safe place.
Who is excluded from this account email-based new device verification?
The following categories of logins are excluded:
Users who have two-step login set up are excluded.
Users who log in with SSO, a passkey, or with an API key are excluded.
Self-hosted users are excluded.
Users who log in from a device where they have previously logged in are excluded.
My organization uses SSO. Do my users have to complete new device verification?
No. Users logging in with SSO will not be asked to verify the login on a new device. However, if a user logs in with a username and password, without going through SSO, they will be asked to verify the new device provided they do not have two-step login set up.
I do not want to share my real email with Bitwarden. How can I set up my account?
Users who want to remain anonymous have several options available:
Use one or more of a variety of two-step login options, many of which are free, to secure your account.
Use an email alias forwarding service.
Self-host Bitwarden.
Bitwarden encourages users to have an active email, as Bitwarden sends important security alerts like failed login attempts.