Bitwarden, a leading open-source password manager known for its native mobile applications and enterprise integration capabilities, has announced the implementation of mandatory email verification for users who have not enabled two-factor authentication (2FA), set to take effect in February 2025. The new security measure will require an additional verification step when logging in from unrecognized devices.
Under the new system, users without 2FA or enterprise Single Sign-On (SSO) will need to enter a verification code sent to their registered email address when attempting to access their Bitwarden vault from an unfamiliar device. The extra security layer aims to protect against credential stuffing and phishing attacks, which have seen a significant increase in recent years according to security researchers.
Several user categories will be exempt from this new verification requirement, including those who have already enabled two-step login, users accessing through SSO or passkeys, those using API keys, and self-hosted users. Additionally, the verification step will not be required for devices where users have previously logged in successfully.
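As an added illustration that is not Bitwarden's own code, the Python sketch below models the gate the article describes: the exemption checks (two-step login, SSO, passkey, API key, self-hosted, previously seen device), and a short-lived emailed code that is stored only as a hash, limited in guesses, compared in constant time, and on success marks the device as recognized. The code lifetime and attempt limit are assumptions, not Bitwarden's values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 600  # assumed code lifetime; the article gives no value
MAX_ATTEMPTS = 5        # assumed guess limit per issued code

@dataclass
class Account:
    email: str
    two_step_login: bool = False  # any two-step login method enabled
    uses_sso: bool = False        # enterprise Single Sign-On
    self_hosted: bool = False
    known_devices: set = field(default_factory=set)  # devices that logged in before

def needs_email_verification(acct, device_id, via_passkey=False, via_api_key=False):
    """Exempt per the article: 2FA, SSO, passkey, API key, self-hosted, or a previously seen device."""
    if acct.two_step_login or acct.uses_sso or acct.self_hosted or via_passkey or via_api_key:
        return False
    return device_id not in acct.known_devices

@dataclass
class PendingCode:
    digest: bytes  # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0

def _digest(code):
    return hashlib.sha256(code.encode()).digest()
def issue_code(pending, acct, device_id, now):
    """Mint a 6-digit code for (account, device); the return value is what gets emailed. now = time.time()."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending[(acct.email, device_id)] = PendingCode(_digest(code), now + CODE_TTL_SECONDS)
    return code

def verify_code(pending, acct, device_id, submitted, now):
    """True only for an unexpired, unexhausted code; success marks the device as known."""
    key = (acct.email, device_id)
    entry = pending.get(key)
    if entry is None or now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
        pending.pop(key, None)  # expired or exhausted codes are discarded
        return False
    entry.attempts += 1
    if hmac.compare_digest(entry.digest, _digest(submitted)):  # constant-time compare
        pending.pop(key)
        acct.known_devices.add(device_id)  # later logins from this device are exempt
        return True
    return False
```

Note that the returned code is handed to the mail sender only; the server never keeps the plaintext, so a database read does not reveal a usable code.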
The email-based verification system introduces specific considerations for users who store their email credentials within Bitwarden. To prevent potential access issues, users are advised to ensure they maintain separate access to their email accounts or enable two-step login to bypass the verification requirement entirely. The recommendation follows similar industry practices, as shown by GitHub’s recent mandate for 2FA among code contributors.
While email verification provides an additional security layer, security experts note that implementing multi-factor authentication through authenticator apps or FIDO-compliant passkeys remains the recommended approach for optimal account security. Users who activate any form of 2FA, use API keys, or implement SSO will automatically be excluded from the new verification requirement. The approach matches industry best practices, as demonstrated by major platforms like Microsoft’s move toward native passkey support in their authentication systems.
The measure represents a significant enhancement to Bitwarden’s security infrastructure, requiring potential attackers to gain access to both a user’s master password and their email account to successfully breach a vault. The dual-layer approach adds substantial protection against unauthorized access attempts, particularly for users who have not yet adopted stronger authentication methods. The implementation timing comes amid increasing concerns about password security, with recent research indicating that over one billion passwords were compromised through malware attacks in 2024.
Sources: Cyber Insider, Bleeping Computer, Bitwarden