Two-step Login FAQs
This article contains frequently asked questions (FAQs) regarding two-step login.
A: Bitwarden does not support SMS 2FA due to vulnerabilities, including SIM hijacking. We do not recommend SMS 2FA for other accounts unless it is the only available method. Any second factor is recommended over having none, but most alternatives are safer than SMS 2FA.
A: You can require your organization's users to use two-step login by enabling the two-step login policy. Additionally, you can set up organization-wide Duo 2FA to ensure that all of your users have a secure two-step login method at their disposal.
A: Yes! Please see two-step login via FIDO2 WebAuthn.
A: In most cases, one of two things is happening:
You may already be logged in to Bitwarden and only unlocking your vault. Two-step login is required to log in but not to unlock. For more information on the difference between logging in and unlocking, see Vault Timeout Options (Vault Timeout Action).
You may have previously checked the Remember me checkbox on a device when accessing your vault using two-step login.
The Remember me option is enabled per device, not globally for the account, and will be active for 30 days once turned on. You will need to Deauthorize Sessions from your web vault (Settings → My Account) to make any/all devices continue asking for your two-step login method.
A: Yes, Log in with Device replaces the need to enter your master password. You will still need to complete an authentication request if two-step login has been enabled on your account. Using Log in with Device will send you directly to the authentication step if:
You are using a remembered device.
Remember me has been previously selected on the login screen.