Authenticator code gives me an error message

Hi. I use bitwarden for all my password management needs. It’s set up for 2-factor Authentication using Google Authenticator. I had my phone stolen last week (yes, I wiped it remotely!). I just replaced it with a new one, and restored all the backed up apps and settings from my Google account. I removed my old phone from my google 2-step verification page, and linked the app on my new phone by scanning the QR Code from Google. The app is generating codes. But when I tried to log into My Vault on a browser that wasn’t already logged in, I got an error message saying that the “two-step token is invalid.” I was already logged into my vault on a couple of other browsers so I was able to export my vault in case I needed to start fresh, but I would much rather recover this account. Any help would be greatly appreciated. Thank you!

There are 2 likely things that could cause this:

  1. Clock Sync Issue. TOTP codes rely on accurate time; the time on your phone may be off by a few seconds.
  2. The QR code you scanned isn’t for your Bitwarden account; it may have been an earlier code you set up but then later replaced.
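The two hypotheses in the reply above can be told apart mechanically, because a TOTP server checks a code against its own clock and its own copy of the secret. The following is an added example written for this page, not code from Bitwarden or Google Authenticator: it implements RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), parses the kind of otpauth:// URI an authenticator QR code carries, and classifies a rejected code as clock skew (the right secret, wrong time step) or a wrong secret (no time step matches). The secret is the RFC 6238 SHA-1 test-vector key; the Bitwarden label and issuer in the constructed URI are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test-vector key ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# A different key, standing in for "the QR code you scanned was not Bitwarden's".
OTHER_SECRET = "JBSWY3DPEHPK3PXP"

# Constructed provisioning URI of the shape a TOTP QR code encodes.
# The label and issuer are assumptions made for this example.
EXAMPLE_URI = ("otpauth://totp/Bitwarden:user%40example.com"
               "?secret=" + RFC_SECRET + "&issuer=Bitwarden")


def parse_otpauth(uri: str) -> dict:
    """Pull the label, issuer and base32 secret out of an otpauth://totp/ URI.
    The label is what an authenticator shows next to the entry; the secret is
    the only thing that matters for code generation."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0],
    }


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(t / step)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any step
    within +/- window steps, so a phone clock a few seconds off still works."""
    for drift in range(-window, window + 1):
        t = server_time + drift * STEP_SECONDS
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            return True
    return False


def diagnose(server_secret: str, phone_secret: str,
             server_time: int, phone_time: int) -> str:
    """Classify a login attempt the way the two hypotheses above do.
    'accepted'     : code verifies in the normal +/-1 step window.
    'clock skew'   : code matches the server's secret at some step within
                     +/-10 minutes, so the phone clock is off.
    'wrong secret' : no step matches, so the phone holds a different key
                     (a chance 6-digit collision inside 41 steps is ~4e-5)."""
    code = totp(phone_secret, phone_time)
    if verify(server_secret, code, server_time):
        return "accepted"
    if verify(server_secret, code, server_time, window=20):
        return "clock skew"
    return "wrong secret"


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(entry["issuer"], entry["label"], totp(entry["secret"], now))
    print(diagnose(RFC_SECRET, RFC_SECRET, now, now - 300))   # clock skew
    print(diagnose(RFC_SECRET, OTHER_SECRET, now, now))       # wrong secret
```

Two practical points fall out of this. Servers normally accept the previous and next 30-second step as well as the current one, so a phone that is only a few seconds off still logs in; the clock has to drift by tens of seconds before codes start failing, and a time-correction routine fixes that. A code that never matches at any step, however far the window is widened, is generated from a different secret, which is the situation when the entry in the app was never the Bitwarden one.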

Hi @uMAnicIo. Thanks for your reply. I actually did run the time correction routine for codes so I don’t think it’s a time mismatch issue. The QR Code I scanned into my phone was from the Google Authenticator app setup page. I think it was syncing my google account to the app. And that went successfully. Is there a way to generate a QR code for the bitwarden account?

It seems you did not re-set up the Bitwarden 2FA in Google Authenticator.
So unless you have a backup of your Bitwarden 2FA QR Code or Secret, or you have another 2FA option for Bitwarden already enabled (such as email codes), or you have your Bitwarden 2FA Recovery Code - then you are permanently locked out of your Bitwarden account.

Hi @uMAnicIo. I am confused. When I restored my data on the new phone, the authenticator app was automatically installed. I then synced the app to my Google account by scanning the QR Code on google. What should I do (or have done) to “re-set up” the Bitwarden 2FA in Google Authenticator? How is that done? I do not have bitwarden set up for email authentication. Also I do not have the recovery code that was generated when first setting up the 2FA. It was a long time ago.

When the Authenticator App was reinstalled, did it also restore all the 2FA entries you had added? Was there a specific Bitwarden entry listed?

Honestly, I don’t know. The app was reinstalled as part of the initial (and automatic) device restore process. The first time I accessed the app was this afternoon when I tried to log into bitwarden on a new browser. When I did, the app made me go through the setup process, which involved scanning a QR Code from my google account. When the app then opened, there was one entry there. There was no label to say which site it was associated with. Before this fiasco, I used the authenticator for just two sites: bitwarden and Newegg. There were two entries in the app back then but no labelling on them either. (P.S. I uninstalled and reinstalled the app just now. Re-synced it to my google account. It didn’t help.)

It seems like you have lost all accounts you had set up 2FA codes for. Honestly it’s a miracle you were able to re-add the Google one, you must have had a browser you were already logged in to that didn’t ask for a new 2FA code.

Please take this as a learning opportunity and learn to set up 2FA properly AND back up your 2FA (or 2FA recovery codes). There is a good chance you are now locked out of every account you had enabled 2FA for.

Just because the App was reinstalled does not mean it backed up all the 2FA codes you had previously set up (it did not/does not/will not when you re-add them this time).

If you are still able to login to the Bitwarden web vault because your browser is trusted and is not currently prompting for 2FA, you can easily restore your TOTP authentication on the Google Authenticator app.

Just log in to your vault at https://vault.bitwarden.com, then from the top menu select Settings → Two-Step Login. In the window that appears, click the Manage button to the right of the entry labelled Authenticator App (and confirm your master password), and you should see the QR code you need to set up Bitwarden again with your Google Authenticator app. Hope that helps! Cheers.

And yes, as mentioned above, please print out your two-step recovery codes and hide them in a safe place just in case!

@uMAnicIo Thank you. Yes, I seem to have lost the authenticator account for Newegg as well. Not a big problem there since I have secondary access through email. Regarding bitwarden, I suppose my only recourse is to create a new bitwarden account and restore my vault through backup? It has been a learning lesson indeed that I’ll take to heart.

@dh024 Unfortunately, no. I am logged into my vault through the extension on a few browsers, but I don’t have a webpage open to vault.bitwarden.com. That was one of the first things I tried.

Yes, you can delete your current Bitwarden vault without needing a 2FA code after which you can create a new account using the same email address and import your backup.

Darn - I wasn’t sure what you meant by logging in to your Web Vault, so I guess that was wishful thinking.

What kind of Bitwarden backup did you do? If you do an unencrypted JSON backup of your vault, you should be able to delete your vault and import to start again. Note, you CANNOT do this if you backed up an encrypted JSON! So, make sure you have everything now.

Also note that file attachments will be lost if you delete your account and start over, if you had any.


@uMAnicIo @dh024 Thank you both for your support! One more thing I’m thankful for. I do have an unencrypted .json backup so I’m good to go. All things considered, after the nightmare of losing a phone this seems like a relief, knowing that I can simply recreate the vault.


Note, you CANNOT do this if you backed up an encrypted JSON!

Exactly why the encrypted export is useless!

Actually, I have found the encrypted export handy - I always export one before making a series of bulk changes to my vault, for example, just in case I want to “roll back” those changes easily.

I use an encrypted container that gets synced to the cloud for regular, unencrypted backups, but that is a tedious process - with the encrypted JSON I don’t have to bother with any of that.

But if you ever lost access to your account the encrypted export would be useless.
It gives people a false sense of security that they have a functional backup when they do not.

Same thing happened for me. Google Authenticator app, haven’t set up a new 2FA code since I created my account. Other 2FA codes still work from the authenticator. Going to delete and then recreate my account from the json export but this feels like a bug to me. I think I’ll be setting up a backup 2FA method this time!

I agree. If it’s easy to backup then you do it more often. A logical routine might be export an encrypted backup once a week (or whenever you’re about to make big changes as you mentioned) and an unencrypted backup once a month… taking extra care to make sure that unencrypted backup is subsequently encrypted or otherwise protected.