Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and don’t bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)

(Imagine leaving your key in your house, lol)

Source: https://bitwarden.com/help/new-device-verification/

Excerpt:

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Edit: Updated title to clarify that people who have 2FA are not affected.

  • Cala@lemmy.ca
    2 days ago

    This is likely timed to meet the new PCI requirements, since they are designed to store your credit card info if you want to, and MFA will be a requirement as of April 1st this year. Everyone should be using MFA for this kind of information anyway, I know people hate inconvenience in the name of security, but if safety wasn’t forced on people we wouldn’t have things like seat belts, hand rails, and factory safety lockouts.

    • ERROR: Earth.exe has crashed@lemmy.dbzer0.comOP
      2 days ago

      > but if safety wasn’t forced on people we wouldn’t have things like seat belts, hand rails, and factory safety lockouts.

      But like… They just posted the announcement on Jan 27. I literally didn’t get any notice before that, and I still have yet to receive a notice via email, only knew because I was logging in via the web. (Did anyone else even get a notice?)

      They should’ve given at least 3 months’ notice in advance for such a drastic change that could potentially get someone locked out.

      • Cala@lemmy.ca
        2 days ago

        > They should’ve given at least 3 months’ notice in advance for such a drastic change that could potentially get someone locked out.

        Absolutely. Their Lawyer/Risk/Compliance person probably just noticed and went “oh fuck”. With the short timeline they gave vs. compliance effect date, I hope it means they will have all hands on deck to support and work around the inevitable lockouts next month.

      • Pika@sh.itjust.works
        2 days ago

        Actually, I would say one step further. It should give a notice for popular email service URLs or tagged email saying the alert with a timed window (meaning it can’t just be clicked through).