2FA Codes In Enterprise Version

I am currently utilizing a trial for Bitwarden Enterprise edition and for the most part have been happy. However, upon doing some of my testing, I ran into a possible issue with 2FA.

If I had a user who lost their phone (and therefore their 2FA code) and that user did not have a recovery code, it doesn’t appear that an admin can remove 2FA from their account.

I also figured that I could get around this by forcing email to be setup as a 2FA option. But the 2FA policy is just enable/disable and therefore the user can disable email at will.

Doing some research I came across this page (Lost Secondary Device | Bitwarden Help & Support), but it seems to indicate that even with an Enterprise account admin’s are unable to reset / enable another form of 2FA for a users account.

Is this all correct, that there is no way for an admin to reset or remove a user’s 2FA setting, and in turn the only option is for the user to delete their account (and all their saved credentials) and start over?

Depends on your 2FA solution for securing Bitwarden. If using a simple TOTP authenticator such as Authy or Microsoft Authenticator these can provide “backups” of your secret seed and allow you to restore 2FA in the case of a lost device.

For more Enterprise solutions most will use Duo, which integrates into Bitwarden Enterprise for 2FA. This provides more admin management of 2FA access, also can provide backups and restore capabilities for lost & new devices, and can be set to a “bypass” mode which coupled with Admin password reset, could allow an admin to gain access to a users personal vault or restore access for a user if needed.