Bitwarden is turning 2FA on by default for new devices

New Browser Extension UI & UX Changes

  • Many users dislike the new “copy” overflow menu: previously username, password and TOTP each had a one-click copy button; now copying usually takes two clicks, even when the item has only one copyable field.
  • Several people only later discovered Appearance/Autofill settings that largely restore old behavior:
    • “Show quick copy actions on Vault”
    • “Click items to autofill from Vault”
    • Compact mode, wider layout, disable animations
  • Criticisms:
    • Tiny “Fill” button instead of clicking the whole row to autofill; feels like a major UX regression for common workflows (manual login, 2FA codes, credit cards).
    • Extra clicks, wasted space, “mobile-style” design on desktop.
    • Slower load times, visible lag, sometimes double scrollbars; some report autofill now fails more often or can’t fill password fields reliably.
  • Defenses:
    • Some find it faster overall and like that it remembers where you were (e.g., stays on search results after refocusing).
    • Once muscle memory adjusts and settings are tuned, several describe it as “bearable” to “better.”
  • Self‑hosting/vaultwarden:
    • New extension initially broke for some self‑hosted instances; warnings about mixing new clients with outdated vaultwarden.
    • Suggestions to pin extension versions or use experimental flags.

Default New‑Device Verification / 2FA

  • The article initially read as if email-based verification on new devices were mandatory, which triggered strong backlash; Bitwarden later updated its documentation to say the check is on by default but can be opted out of in account settings.
  • Major concern: circular dependency and lockout risk:
    • Many store their email password and 2FA secrets in Bitwarden; if logging in from a new device requires a code sent to that email, the dependency is circular: after losing every device, the user needs the vault to reach the email and the email to reach the vault.
    • Especially problematic for single‑device users, elderly/less technical people, or those who intentionally avoid 2FA due to context (travel, theft risk, medical events).
    • Recovery codes, multiple hardware tokens, and offsite storage are seen as too complex or fragile for typical users.
  • Supporters argue:
    • Password‑only vault access is too weak; providers shoulder loss/liability from account takeovers.
    • Once‑per‑device verification is a reasonable security baseline; serious users should maintain backups and multiple factors.
  • Critics counter:
    • Security friction on a password manager defeats its purpose and can push people back to bad habits.
    • 2FA should be offered and gently nudged, not effectively required; Bitwarden “protecting users from themselves” is seen as overreach.

Alternatives, Backups, and Misc

  • Several users discuss moving to Enpass, Proton Pass, Apple Passwords, KeePass/KeepassXC, pass/passwordstore, or self‑hosted vaultwarden.
  • Strong recommendation across the thread: regularly export and store encrypted offline backups of your vault to guard against service changes or lockouts, and periodically verify that a backup can be decrypted without access to the live account (an unencrypted export exposes every credential in plaintext).
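The lockout concern from the 2FA section and the backup recommendation above can be checked mechanically by modelling recovery as a dependency graph. The following is an added example, not code from the thread or from Bitwarden: the resource names, the dependencies between them and the three scenarios are constructed sample data. It computes which resources a user can still reach after losing every device, names the circular dependency when the vault is unreachable, and shows that either keeping the email secrets outside the vault, keeping an encrypted offline backup with its passphrase, or opting out of the new-device check breaks the cycle.

```python
"""Recovery-path check for a password-manager setup (added example).

Models the thread's lockout concern: with new-device email verification on,
logging in to the vault from a replacement device needs a code sent to your
email, but if the email account's password and TOTP secret live only inside
the vault, nothing is reachable after a total device loss. The resource names
and dependencies below are constructed sample data, not Bitwarden's own.
"""
from __future__ import annotations

# requirements[resource] = list of alternative ways (OR) to obtain it; each way
# is a list of prerequisites that must ALL be available (AND). Anything not
# listed as a key is a leaf the user either holds directly or does not.
Requirements = dict[str, list[list[str]]]

SETUP: Requirements = {
    # Two ways into the vault: the normal login, or restoring an offline backup.
    "vault": [
        ["master_password", "new_device_email_code"],
        ["offline_backup", "backup_password"],
    ],
    "new_device_email_code": [["email_account"]],
    # The email account itself is protected by a password plus TOTP.
    "email_account": [["email_password", "email_totp"]],
    # Both email secrets are stored only in the vault: the circular dependency.
    "email_password": [["vault"]],
    "email_totp": [["vault"]],
}


def reachable(requirements: Requirements, held: set[str]) -> set[str]:
    """Return every resource obtainable from what the user holds directly.

    Iterates to a fixed point: a resource becomes available once any one of
    its ways has all prerequisites available.
    """
    have = set(held)
    changed = True
    while changed:
        changed = False
        for resource, ways in requirements.items():
            if resource not in have and any(all(p in have for p in way) for way in ways):
                have.add(resource)
                changed = True
    return have


def find_lockout_cycle(requirements: Requirements, held: set[str], start: str) -> list[str] | None:
    """If `start` is unreachable, return one dependency path from `start`
    through unmet prerequisites back to `start`; None if reachable or acyclic."""
    have = reachable(requirements, held)
    if start in have:
        return None
    seen: set[str] = set()

    def dfs(node: str, path: list[str]) -> list[str] | None:
        for way in requirements.get(node, []):
            for prereq in way:
                if prereq in have:
                    continue  # already satisfied, so not part of the problem
                if prereq == start:
                    return path + [prereq]
                if prereq not in seen:
                    seen.add(prereq)
                    found = dfs(prereq, path + [prereq])
                    if found:
                        return found
        return None

    return dfs(start, [start])


def opt_out_of_new_device_check(requirements: Requirements) -> Requirements:
    """Model disabling new-device verification in account settings:
    the normal vault login then needs only the master password."""
    out = {k: [list(w) for w in ways] for k, ways in requirements.items()}
    out["vault"] = [[p for p in way if p != "new_device_email_code"] for way in out["vault"]]
    return out


if __name__ == "__main__":
    scenarios = {
        "single device lost, email secrets only in vault": {"master_password"},
        "email secrets also memorised / on a hardware token": {"master_password", "email_password", "email_totp"},
        "encrypted offline backup kept with its passphrase": {"offline_backup", "backup_password"},
    }
    for label, held in scenarios.items():
        cycle = find_lockout_cycle(SETUP, held, "vault")
        status = "OK" if cycle is None else "LOCKED OUT via " + " -> ".join(cycle)
        print(f"{label}: {status}")
    relaxed = opt_out_of_new_device_check(SETUP)
    print("after opt-out, master password alone suffices:", "vault" in reachable(relaxed, {"master_password"}))
```

The model is deliberately coarse: a "way" is an AND of prerequisites and a resource is an OR of ways, which is enough to express both the email-code dependency and the backup escape hatch. Real setups should also add the two-step recovery code and any secondary device as leaves, since each one is an alternative way into the vault that turns a cycle into a recoverable path.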