Today I came home to find my account had 2FA enabled. In the past I had used 2FA, however I turned it off having lost the device I was using. I recently updated my desktop app and found my account 2FA re-enabled. I left my recovery key within a USB which decided to expire itself somehow, leaving me with no way to access the account with my recovery code. Is there a way to fix this or am I out of luck? I had been able to log in a week prior - I also checked my email to see if anyone had logged in elsewhere and have not been notified of such. I still have the email and the password associated with the account.
I assume when I updated the desktop application I lost my identifier? I have no idea - your help is greatly appreciated.
If you have any other devices that may still be logged in (e.g. your work laptop, your phone, etc.), you should be able to:
Put it in airplane mode or disconnect its network cable so it can not get any “logout now” messages from the mother-ship
Unlock the vault with the master password
Export your vault into a JSON file (either unencrypted or password protected – just don’t use account-restricted).
Having a backup will not “get you back in”, but it will reduce the stress level knowing that your worst-case scenario is to create a new account and import the backup.
Unfortunately, all my devices but my desktop had myself logged in. I tried to use my desktop without internet, but it states “unable to fetch” or some sort.
@Bit-warded Welcome to the forum, and Happy New Year!
I’ve moved your post into the forum section that is dedicated to Bitwarden’s Password Manager app, as it seems that is what you are having problems with. If I have made an incorrect assumption, then please let me know, so that I can move your thread back.
To be clear, Bitwarden’s two-step login recovery code does not expire, and only becomes invalid when you use it (it is a one-time use code, so you need to get a new code each time that you use one).
So it does sound like you may have used your original recovery code to get back into your Bitwarden account after you lost your 2FA device. This would have immediately rendered the code invalid for future use.
Updating your client apps cannot cause 2FA to become enabled on your Bitwarden account. What is more likely is that you had enabled 2FA again at some point after you disabled 2FA with the recovery code. It is possible that you were not required to supply the new 2FA second factor for a very long time after initially setting it up, if your desktop app (and other client apps, such as mobile apps or browser extensions) remained logged in continuously, and/or if you enabled the “Remember me” option when you first used the new two-step login method. If this is how you were using your Bitwarden apps, then it is hypothetically possible that updating the Desktop app may have caused your login session to be deauthorized — and this would have resulted in an unexpected 2FA prompt on your next login.
To ensure that there is no misunderstanding, can you describe (or even better, post a screenshot of) what you see when you are asked for 2FA? At the 2FA prompt, if you click the link that says “Use another two-step login method”, what do you see?
Logged in is what we are looking for. If the vault is logged in, two-step login is not needed. If it is locked that is OK, because one can unlock a logged-in account with only a master password. Take a moment to understand the difference between unlock vs. log in.
The reason I suggest disconnecting from the Internet is because it is possible for Bitwarden to instruct all your clients to log out “immediately”. If this were to happen to you while you are in “disaster recovery” mode it makes the situation worse. But, if the device is not working without the Internet, there is little value in keeping it offline when there is hope that putting it online might help you get that backup.
So, if ANY of your devices are logged in, you ought to create an export using that device ASAP.
Maybe there is a language barrier, but I am having a hard time understanding whether you are currently logged in or logged out on any Bitwarden app or browser extension. It is extremely important to clarify your response to this question, because the answer will determine whether there is any hope of recovering your data or not.
Even though at least two of your previous comments state that you are logged in, it is evident from your screenshots that at least the Desktop app is logged out.
If you have ever used Bitwarden on any other device, or used any Bitwarden browser extension on any browser on your computer, then you should disconnect the computer or device from the internet, then open the Bitwarden browser extension or Bitwarden app, check if there is a button that says Unlock (in which case there is hope), or a button that says Login or “Login with master password” (in which case there is no hope). If you find an app or browser extension that has an Unlock button, then it is essential that you shut down that app or browser before reconnecting the device to the internet (or better, just leave the device disconnected from the internet, if possible).
Please let us know what you find. If you do find an app or browser extension that has an Unlock button, there is some chance that you may be able to recover at least some of your vault contents. We can provide detailed instructions if you let us know what type of app or extension you found that still has a visible Unlock button when you open it.
Well, I regret to be the bearer of bad news, but unless you have the ability to do any of the following, it seems that your Bitwarden vault data have been irrevocably lost:
Use a data recovery service to extract the Bitwarden 2FA recovery code from the malfunctioning USB.
Obtain access to your original 2FA authenticator app, or to the TOTP authentication keys contained therein.
Restore the contents of the AppData folder on your computer, from a full backup of your system drive (e.g., a drive image) that you may have made while you were still logged in to the Desktop app.
Find an unencrypted .CSV or .JSON file that you may have created in the past, using Bitwarden’s Export Vault function.
Find a paper Emergency Sheet where you may have written down the 2FA recovery code in the past.
You can do this yourself. If you want to re-use the same email address as your Bitwarden username, or if you had a Premium subscription that you wish to keep, then you should start by deleting your original account. You can do so by submitting your Bitwarden email address in the form available at the link below, and then confirming the account deletion by following the instructions in the email notice that you will receive from Bitwarden; here is the link for account deletion:
Finally, if you had an active Premium subscription on the original account, you can contact support to request that they transfer your subscription to the new account, using the following contact form: