aa9e70659a
* Staging: Vault Mgmt (#380) * Commit #1 - Updated Master Password article, and removed old versions (w/ redirects) - Repurposed Account Encryption Key Article - Moved Fingerprint Phrase article - Requisite re-ordering of security articles - Change "Account Mgmt" title to "Your Vault" - Slight change to "Import & Export" category title * - Managing Items - Favorites & Folders (+images) - Sync & Search (+images) - Import Export title change - Clarification re: Login v. Lock in "Field Guide to Two-step Login" - Clarifiation re: Org Invite Expiry in managing-users.md - New link to Acct. Encryption Key in encrypted-export.md * Commit #3 -Custom Fields - URIs (+ images) - File Attachments - VH Reports - Required re-ordering * Commit #4 -BWDC Login recommendation -VH Reports images - Added Two-step FAQs, Import FAQs - FAQ Nav Item depricated, targetting FAQs for each category are now the last article within respective categories * Commit #5 -Edit & move Account/Org Deletion Article -config.yml to re-order global nav -encrypted export update * General FAQs (preliminary edits) * Features > Misc. * return forgot-master-password.md & downstream order changes * delete account warning * fixed link
8.7 KiB
layout, title, categories, featured, popular, hidden, tags, order
| layout | title | categories | featured | popular | hidden | tags | order | |
|---|---|---|---|---|---|---|---|---|
| article | Emergency Access |
|
true | false | false | 08 |
Emergency Access enables users to designate and manage trusted emergency contacts, who may request access to their Vault with a configurable level of permissions.
{% callout info %} Establishing Emergency Access to a Vault is available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise), but anyone with a Bitwarden account can be designated as a trusted emergency contact (i.e. your trusted emergency contacts do not need to have Premium).
If your premium features are cancelled or lapses due to failed payment method, your trusted emergency contacts will still be able to request and obtain access to your Vault. As a grantor, however, you will not be able to add new or edit existing trusted emergency contacts. {% endcallout %}
How it Works
Emergency Access uses public key exchange and encryption/decryption to allow users to give a trusted emergency contact permission to access Vault data in a Zero Knowledge/Zero Trust environment:
-
A Bitwarden user (the grantor) invites another Bitwarden user to become a trusted emergency contact (the grantee). The invitation (valid for only 5 days) specifies a user access level and includes a request for the grantee's public key.
-
Grantee is notified of invitation via email and accepts the invitation to become a trusted emergency contact. On acceptance, the grantee's public key is stored with the invite.
-
Grantor is notified of acceptance via email and confirms the grantee as their trusted emergency contact. On confirmation, the grantor's Master Key is encrypted using the grantee's public key and stored once encrypted. Grantee is notified of confirmation.
-
An emergency occurs, resulting in grantee requiring access to grantor's Vault. Grantee submits a request for emergency access.
-
Grantor is notified of request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the public-key-encrypted Master Key is delivered to grantee for decryption with grantee's private key.
-
Depending on the specified user access level, the grantee will either:
- Obtain view/read access to items in the grantor's Vault (View).
- Be prompted to create a new Master Password for the grantor's Vault (Takeover).
Trusted Emergency Contacts
Emergency Access relies on public key exchange within Bitwarden, therefore trusted emergency contacts must be existing Bitwarden users, or will be prompted to create a Bitwarden account before they can accept an invitation. Trusted emergency contacts do not need to have Premium to be designated as such.
There is no limit to the number of trusted emergency contacts a user can have.
User Access
Trusted emergency contacts can be granted one of the following user access levels:
-
View: When an emergency access request is granted, this user is granted view/read access to all items in your personal Vault.
{% callout success %}As a grantor, you may revoke access to a grantee with View access at any time.{% endcallout %}
-
Takeover: When an emergency access request is granted, this user can create a Master Password for permanent read/write access to your Vault (this will replace your previous Master Password).
Takeover disables any [Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}) enabled for the account, but will not sidestep SSO if the Single Sign-On Authentication policy is enabled by a grantor's Organization.
Using Emergency Access
The following sections will walk you through establishing a trusted emergency contact, and executing on emergency access:
Invite a Trusted Emergency Contact
As a grantor, complete the following steps to invite a trusted emergency contact for your Vault:
-
Log in to the Web Vault{:target="_blank"}.
-
Select Settings from the top navigation bar.
-
Select Emergency Access from the left-hand Settings menu.
-
Select the {% icon fa-plus %} Add emergency contact button. In the Invite Emergency Contact window:
{% image /features/emergency-access/ea-invite.png Add emergency contact%}
- Enter the Email of your trusted emergency contact. Trusted emergency contacts must have Bitwarden accounts of their own, but don't need to have Premium.
- Set a User Access level for the trusted emergency contact (View-only or Takeover).
- Set a Wait Time for Vault access. Wait Time dictates how long your trusted emergency contact must wait to access your Vault after initiating an emergency access request.
-
Select the Save button to send the invitation.
{% callout info %} Emergency Contact invitations are only valid for 5 days. {% endcallout %}
Accept an Invitation
As a grantee, complete the following steps to accept an invitation to become a trusted emergency contact:
-
In the received email invitation, select the Become emergency contact button in the email to open an Emergency Access acceptance page in your Browser:
{% image /features/emergency-access/ea-invitation.png Emergency access invitation %}
-
Log in to your Bitwarden account to accept the invitation. If you don't already have a Bitwarden account, you'll need to create one.
Confirm an Accepted Invitation
As a grantor, complete the following steps to confirm an accepted invitation:
-
Log in to the Web Vault{:target="_blank"}.
-
Select Settings from the top navigation bar.
-
Select Emergency Access from the left-hand Settings menu.
In the Trusted emergency contacts section, the invited user should appear with an
Acceptedstatus card. -
Hovering over the user, select the gear icon and select Confirm from the dropdown menu.
{% image /features/emergency-access/ea-confirm.png %}
To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation.
Initiate Emergency Access
As a grantee, complete the following steps to initiate an emergency access request:
-
Log in to the Web Vault{:target="_blank"}.
-
Select Settings from the top navigation bar.
-
Select Emergency Access from the left-hand Settings menu.
-
In the Designated as emergency contact section, select the grantor whose Vault you wish to access.
-
In the Request Access window, select the Request Access button.
{% image /features/emergency-access/ea-request.png Request Access%} You will be provided access to the grantor's Vault after the configured Wait Time, or when the grantor manually approves the emergency access request.
Manually Approve Emergency Access
As a grantor, you may manually approve an emergency access request as an alternative to the configured Wait Time. Complete the following steps to manually approve emergency access:
- Log in to the Web Vault{:target="_blank"}.
- Select Settings from the top navigation bar.
- Select Emergency Access from the left-hand Settings menu.
- Hovering over the user with the
Emergency Access Initiatedstatus card, select the gear icon. - From the gear dropdown, select Approve.
- In the confirmation dialog box, select Approve.
Access Grantor's Vault
As the grantee, complete the following steps to access the grantor's Vault once your request has been approved (manually or through lapsed wait time):
- Log in to the Web Vault{:target="_blank"}.
- Select Settings from the top navigation bar.
- Select Emergency Access from the left-hand Settings menu.
- In the Designated as emergency contact section, hover over the grantor the grantor whose Vault you wish to access, and select the gear icon.
- Select the option from the dropdown that corresponds with your assigned access:
- View - Selecting this option will display the grantor's Vault items on this screen.
- Takeover - Selecting this option will open the Takeover dialog box. Enter and confirm a new master password for the grantor's account. Once saved, log in to Bitwarden as normal, entering the the grantor's email address and the created Master Password.