2FA deeply broken - recovery key doesn't recover

Am trying to log into web vault via "lost 2FA" link

1-Enter email address
2-Enter password
3-Enter recovery key
4-Get a message saying 2FA has been removed from my account and to login
5-Enter email address
6-Enter password
7-Get prompted for the verification code sent to my email address
8-Verification code never arrives GOTO 1

@JLC I don’t think it’s broken (in the way you think it is).

As soon as 2FA gets deactivated for a Bitwarden account/vault, the New Device Login Protection (NDLP) gets activated automatically.

So, after your step 4, it is expected that you then have to use an NDLP email verification code. Though I think, when using the 2FA recovery code, you should have been logged in then automatically - and that may be a bug, if that didn’t happen.

The good news is, you can contact Bitwarden support to temporarily deactivate the NDLP, when you can convince them you are you and don’t receive the verification emails.


Interesting use of the concept “good news” there.

I maintain it is broken. We know it is broken because it doesn’t work.

A trivial - almost idiotic to omit - tweak would be to allow a user to choose what method of 2FA they use. That way when BitWarden emails are borked (which seems to be more often than not) it’s no big deal as long as you have your 2FA authenticator.

And since we can guarantee (here’s 1$ :grinning_face: ) that the billing emails are getting through, then I stand by my previous comments.

It’s hardly a vote of confidence in your own product that you advise users on how to move away from it. Although I guess we should be grateful you can export your vault from your browser plugin.

E2A: re-logging in to my “2FA deactivated account” on a private window browser still brought up the 2FA (via authenticator) screen. So the challenge on my main browser was nothing whatsoever to do with “new devices” and everything to do with the 2FA removal not working.

So yes. It is broken. And badly.

If you want to, you can activate all five 2FA methods (FIDO2/passkey, TOTP/authenticator app, email, Yubico OTP, Duo) at the same time and choose which you want to use for login.

First, it’s not my product – I’m only a volunteer moderator and not a Bitwarden employee (the same goes for @grb and @DenBesten). Second, an export makes sense for all critical situations (and regular backups are also recommended), so that in itself is no “advice to move away from it”.

That would be a bug then and should be reported on GitHub. I understand, you got the message that 2FA was removed?!

And didn’t you write this:

?!

Please clarify if this is email-2FA - or the NDLP email verification. Best by a screenshot.

There was a similar issue reported - though I think there was no “success” message but just a redirection to the login page after using the 2FA recovery code. And it is not clear, if the codes were still valid or not.

Again, you probably should report that on GitHub. If you did screenshots, especially with the message that your 2FA was removed, when it wasn’t removed, that would be valuable info.

Did you try it on a different browser / different device / different BW app again?

If the NDLP was active, then a private browser window would be a “new device”. Could you post a screenshot of what you are getting there now? (but redact all personal information!)

PS: Does your 2FA recovery code, that you used, look like this:

?

I have email and authenticator selected (and the authenticator works)

Sorry if I come across spiky - I appreciate all people who work for free for companies with commercial offerings - and am engaging to try to help others in my own special way :grinning_face:

That was my point. Yes, I did get a message that 2FA was removed. And even if we accept that the subsequent redirect to login and request for a verification email was correct (I don’t) then trying again on another browser on another machine and still getting the 2FA challenge definitely means something is broken

As requested. Please notice there is no option to select an alternative method. If there was, this entire post would never have been made.


But in a private browser window I get :slight_smile: :

Luckily that works. So I was able to login and get my so called “Recovery Key” and full access to my account.

My threshold for doing free work for others is quite low, so I’ll just leave all this here.

And as of now, I still have not received any emails. I handle all my own email so it hasn’t been filtered or rejected at my end. Having setup DKIM and all the tweaks needed to ensure mass emails don’t get killed at a network level, I’d start looking into that. (I know AWS SES has tools to look at such things).

Obviously with access to my vault and data exported I am much more relaxed than I may have been otherwise.

Just to be clear here - even with the “recovery key” it is not possible to log into my account. Maybe that should be the headline ?

Screenshot of logging in a private browser

Hm… question: by “private browser” you mean something like an incognito browser window, right? – If yes, did you close it in between? And if no, did you try to clear cache in the meantime?

And did you try it on another browser, ideally one where you never logged in to the Bitwarden vault before (no cache)?

If you indeed would be subjected to both 2FA and NDLP at the same time, then I would agree with you that there is something very wrong right now. :thinking:

PS: The email-2FA dialog would look like that:

So your first screenshot does show the NDLP! – Compare the wording I underlined in my screenshot with yours.

PPS:

If I understand you correctly here: I’m glad you got access.

But I’m also confused now: You only now got your “Recovery Key”? – I thought you used it (“unsuccessfully”) before you could login now?

So, to just get the sequence of events right:

  1. Couldn’t login. (emails don’t arrive)
  2. Use 2FA recovery code
  3. You got the message that 2FA was removed from your account
  4. But: NDLP and 2FA (TOTP/authenticator app) both in different browsers and at the same time for new login
  5. NDLP login didn’t work (no email received), but login with TOTP worked
  6. You got your 2FA recovery code from the web vault (again?!?!)

Right – or something wrong?!

And another thing I don’t understand now: why did you use the 2FA recovery code in the first place, when you could login with TOTP/authenticator app alternatively to email verification the whole time?

I actually use Brave. And opening a “New Private Window” brought up the login which then asked for the authenticator details. From there I was able to login and therefore access my recovery key (which I annoyingly misplaced :blush: )

Clearing cache in my browser still brings up the failing email verification prompt with the changed wording noted.

Yes

Because trying to login “normally” I do not get a choice of not entering the email verification. So am stuck. I am currently still unable to access the web vault in my everyday browser. And if Bitwarden decide to “improve” their security and remove that option, then as I am not getting their verification emails I would be even more stuck.

As noted in my OP, I will guarantee that all their emails about billing are getting through.

I have an incident logged with their support channel. However they have yet to actually read it (despite replying twice). Presumably because they rely on unpaid volunteers to pick up the slack. And thank you again for replying. :folded_hands:

Things will be wonderful when AI is invented. :grinning_face:

Hey, just three short things again:

  1. I’m still confused: you misplaced your recovery code, but could use it then before you got it from the web vault? – BTW, can you compare if it is still the same 2FA recovery code as before? Because if it was used successfully, the web vault would automatically create a new recovery code… Another BTW: in the 2FA settings in the web vault you can see if the 2FA options are still active. – Are they? Or are they deactivated? (–> if you still can login with TOTP-2FA, that should be still active then…)

  2. Clearing cache brings also still up the TOTP prompt?

  3. When you have set up any or all 2FA options for Bitwarden, after entering your master password, you always get offered the “highest ranking” of your 2FA options automatically – but you should always be able to cancel that and “Select another method” (right above “Use your recovery code”) and use another one of your 2FA options:

BTW: If you have both email-2FA and TOTP/authenticator app as 2FA activated, I think you should be offered TOTP as default - and not email first (see also here: Two-Step Login Methods | Bitwarden)… so that also sounds a bit odd… :thinking:

Screenshot of logging in a private browser

Smells like a bug to me.

I haven’t read the entire thread in detail, but I surmise that you used your Recovery Code and received a confirmation that the code had been applied. The expected behavior when the Recovery Code is entered would be:

  1. You are immediately logged in to your Web Vault with no further requirements for verification (no NDLP).
  2. NDLP email codes will only be required when logging in from a new “device” (i.e., any Bitwarden app or browser extension that does not already have persistent user data including a record of a previous login — which includes new devices, new Bitwarden installations, and new “private” browser sessions).
  3. Logging in from an “old” device should not prompt for any 2FA or NDLP verification codes.
  4. Your old Two-Step Login Recovery Code will no longer work (the code is one-time use only, and will be automatically rotated when you use it).

It looks to me that #4 did work, but that #2 (and #1?? please confirm) may not have worked; and my interpretation of your screenshot above is that #4 may have worked partially (it seems to have removed your “alternative methods”, but not the TOTP method — please confirm that you did have some alternative 2FA methods configured before using the Recovery Code).

Before all of this nonsense started, I couldn’t find the recovery key (my bad, so I didn’t start with it :grinning_face: ) However since logging in via a private browser + TOTP then I have now got it.

Good call about “has it updated ?” - no it hasn’t. So clearly BW do not think it has been successfully used (despite the message when I did). And yes - 2FA options in the web vault are still enabled.

No, it just says to enter the email verification code

This is where my screen does not match yours. If it had “select another method” then neither of us would be here, as there would be no thread :grinning_face:

As you can see, I get no choice in the matter.

More info.

Logged into web vault and changed 2FA email address to a gmail one. That received a code which allowed BW to accept it as a 2FA method.

However, trying to log in, again I get no email code to complete the process.

Three questions:

  1. Was that (your screenshot showing only “Authenticator app” as enabled) the setup before you used your recovery code? (and if so, why were you expecting to see the “Select another method” option, if there were no other options enabled?)

  2. When you entered your recovery code at https://vault.bitwarden.com/#/recover-2fa/, were you immediately logged in to the Web Vault, or not? (and if not, what happened to the https://vault.bitwarden.com/ webpage after you entered the code?)

  3. When you entered your recovery code at https://vault.bitwarden.com/#/recover-2fa/, were you using a private/incognito browser window, or a regular browser window?


Actually, I would also appreciate your clarification to the following, fourth question.

You had stated:

But now you have also stated:

(claiming that your recovery code is still the same as before you used it)

So — is it the case that the recovery code currently displayed in the Account Security section of your Web Vault is not a valid code? Do you get an error message when you try to use it?

You don’t have email 2FA active. Just look at your own screenshot – there is no “check” on “email”:

And correspondingly, the screenshot you posted here (see down below) doesn’t show email 2FA, but the NDLP (which you normally should not see as long as you have any 2FA activated). And because it’s the NDLP you don’t see “Select another method”.

(but even if it were a “2FA screenshot”, you wouldn’t see “Select another method” as you only have TOTP/authenticator app 2FA active – there is no other method for you to select as 2FA than the one: TOTP)

A number of posts regarding this topic have been posted in another topic. To prevent confusing the two issues (the putative 2FA recovery bug and issues with email delivery), I am moving the discussion of 2FA recovery from the other thread into this thread. The posts will be inserted below (not in chronological order relative to the existing posts in this thread).

I have no anti-spam measures in place. However I do use Zoho as my mail handler, so maybe they are rejecting the email before it reaches my mailbox.

Have engaged with BW support who are suspiciously clueless and not really seeing it as a “big thing”. The fact I’ve been given a guide to exporting data from BW suggests they’d rather I went away.

Also my problem is trying to access my web vault via a browser, and their support are obsessed with my browser specs. So they haven’t read the ticket yet.

Just to add that using a private window and trying to access my vault, I was prompted to use my authenticator - which worked.

HOWEVER from there, I got my supposed “recovery code” which I then used to try and login on my main browser via the forgotten 2FA link. That worked and said it had disabled 2FA and to log in again. Which I tried and guess what ??? I was prompted for the email verification code again

This tells me that it’s not the email that is failing. The entire 2FA mechanism is broken, and that a lot of people may be looking in the wrong place.

I hate doing free support work for companies who sell products.

If that recommendation came from any of the Volunteer Moderators, I can assure you that our reason for recommending ZIP or JSON exports is so that you don’t lose everything if the situation gets worse.

In Bitwarden lingo, an export is a synonym for a backup. We tend to recommend they be taken periodically, before undertaking “large-scale” changes (e.g. cleaning up, changing master password), and at the first sign of login problems that may get worse as one tries to fix the issue.

That is exactly my suspicion, based on @grb’s belief that Bitwarden has a defective DKIM config.

That is exactly how the recovery code is supposed to work. And, since using it generates a new recovery code, you ought to write the new one down before doing anything else.

This also risks making things worse because you are totally dependent on email to login to your vault. And, since email has proven janky for you, I highly recommend reenabling TOTP before you do much else.

Not exactly, but let’s continue this discussion in the thread dedicated to the potential 2FA recovery bug.