First of all, sorry for my poor English, and I’m a newb on this forum.
I recently stumbled upon this great service by chance, and have been using it very well.
I (note: admin below means me) want to host this service and let others use it with their own accounts.
Among a lot of features, I’ve noticed the Admin Password Reset (or Account Recovery: https://bitwarden.com/help/account-recovery/) feature and tried it out.
The problem, I think, is that this feature seems to let the admin provide a temporary password value directly, so that the admin could access sensitive information for that account, even if it’s for a short period of time.
A part retrieved from the link above:
… should be made aware that account recovery could allow an administrator to access their individual vault data …
For example, I would like to know whether the following scenario I’m asking about is possible.
- The way I’ve noticed: User enrolls in account recovery → Admin could manually (directly) set the password value for that user.
- The way I’m asking about: User enrolls in account recovery → Admin could request to send an email to the user’s email account, which contains a temporary password (or a verification method for the user to reset the password directly) that is automatically generated by the system.
  - It would be great if this temporary password (or verification method) in the email expired after some amount of time.
In the latter case, I think the admin could not know even the temporary password (or verification method) generated by the system, unless the admin has access to the email account itself (whether it’s the user’s email account or the email account that is registered in the SMTP information).
Of course, I’m aware that the current method sends a notification to the user’s email address to notify them that the password has been reset by the admin and that the account has been logged in to by others.
However, I’m writing to ask if there is a way to reduce the possibility that the admin can gain access to a particular user’s private information during the use of the Admin Password Reset feature.
If this service doesn’t support the way I’ve mentioned above, I’d also like to know why.
I apologize if this is an inappropriate topic or place for this forum.
Thank you.