Bitwarden enabled 2FA - can't log in

I tried to open the browser based Bitwarden site (on Chrome). It now requires 2FA, which I have not set up. Search showed that Bitwarden forced 2FA on all accounts recently and sent an email with the necessary recovery code to set it up. No email from Bitwarden arrived recently.
The only bit that is still accessible is the browser extension on Chrome. It only needs the master password and works OK. I exported my vault content to be sure.
So how do I generate a recovery code or reset the 2FA from the browser extension? Or is there any other way to recover the account to gain browser based access?

Regards, Peter

Hi Peter,

BW is planning to force users with no 2FA to verify new clients via email. This isn’t in force yet; it’s supposed to come in February.

The email that they sent had no recovery code. This isn’t a regular email 2FA that is set up automatically. For BW, it’s like a forced verification with no option (like a 2FA recovery code) to get around it. The only way to get around this is to set up a 2FA explicitly.

I verified this by setting up an account with no 2FA. Logging in from a different browser, or from an incognito window, still requires no email verification for the web vault.

AFAIK, you now actually have a real 2FA enabled on your account. Your only recourse is to delete the account and set it up again, this time hopefully setting up your own 2FA instead of having a verification forced on you.

Hi Neuron5569,

Yes, it looks like my account has 2FA enabled, but not by me (or I am having a senior moment here). Otherwise I would have received an email to enable the setup, presumably?

How did this happen? It rattles my faith in Bitwarden somewhat, I must say.
Can I create a new account with the same email address once the old one is deleted?
Peter

Typically, when you set up 2FA, Bitwarden won’t send you any email confirmation, unless you set up an email 2FA, in which case, it would send an email to verify the address.

Once you delete the account via the link above, you can set up another account with the same email address.

The problem is, if you didn’t set up the 2FA in your dementia/drunken/absent-minded state, someone might have access to your account. The most common cases where someone would have access to your account are:

  1. They have your password.
  2. There is an infostealer on your device(s).

If you re-use your master password or use a simple patterned password, the fix may be to just use a different master password and change all your passwords in your account.

If it’s the 2nd scenario, you might have to reset the devices to get rid of the malware, or at least do multiple independent scans to make “sure” that the devices contain no malware.

There are no known widespread BW account breaches. As far as we know, BW’s security and reputation are solid.

Maybe you should post an image of BW requesting a 2FA code from you, just in case.

Peter,

Thanks for the image. That would be a 6-digit code from an authenticator app. To set it up, usually that someone would have to take a photo of the screen to capture the secret, and type in a 6-digit code to confirm capture. Someone did this. If you didn’t do it, somebody else has your master password.

Do you by any chance save your BW master password in your browser’s password manager, i.e., do you type in your master password every time, or does the browser fill it in for you?
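What the post above describes is standard TOTP (RFC 6238) enrollment: the QR code carries a shared base32 secret, and the 6-digit confirmation code proves the authenticator captured it. The following is an added example, not Bitwarden's own code or the poster's; it uses the RFC 6238 reference-vector key as a constructed sample seed and hypothetical function names, and shows both the code derivation and the server-side confirmation check with a small clock-skew window.

```python
"""TOTP (RFC 6238) enrollment and verification walk-through.

Added example, not Bitwarden's code. An "authenticator app" 2FA is a
shared base32 secret captured from the QR code, plus 6-digit codes derived
from it with HMAC-SHA1 over a 30-second counter. The seed below is the
RFC 6238 reference-vector key, not a real Bitwarden seed.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in the
# base32 form an authenticator app would read out of the enrollment QR code.
SAMPLE_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_seed(seed_base32: str) -> bytes:
    """Decode the base32 seed shown in the QR code / manual-entry key.
    Spaces and lowercase are tolerated, as authenticator apps tolerate them."""
    cleaned = seed_base32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps drop
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = 6,
            step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, now: int, window: int = 1,
                digits: int = 6, step: int = STEP_SECONDS) -> bool:
    """Server-side check of the confirmation code typed during enrollment
    (or at login). Accepts the current step and +/- `window` neighbours to
    absorb clock skew, and compares in constant time so response timing does
    not reveal how many digits matched."""
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    seed = decode_seed(SAMPLE_SEED_BASE32)
    now = int(time.time())
    code = totp_at(seed, now)
    print("current code:", code, "accepted:", verify_code(seed, code, now))
```

The seed is the only secret in the scheme: whoever holds it (a photo of the QR code, a copied manual-entry key, or a synced authenticator backup) can produce valid codes indefinitely, which is why the recovery code and the seed both need to be stored somewhere you can find again.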

Neuron
“Do you by any chance save your BW master password in your browser’s password manager, i.e., do you type in your master password every time, or does the browser fill it in for you?”
Really? I have my master PWD memorised and not stored in electronic form anywhere.
Also, I have 2FA for other applications on an authenticator app and no doubt would have added Bitwarden to this as well, had I set this up.
Then I ran a scan on both PCs I use Bitwarden on - no nefarious activity detected.

If Bitwarden did not force the 2FA activation somehow, I am still at a loss what happened.
Let’s leave this here, I may have to close my account when the browser app stops working and start again from the backup.
Thanks for your assistance


What happens if you click “Use another two-step login method”?

Just an idea, as you have nothing to lose.


👍

Before you leave your old account too soon:

  • all exports (CSV and JSON) don’t include file attachments, Sends and items in the trash
  • CSV exports furthermore don’t include cards, identities and passkeys

So make sure you exported some of those “manually”, if you had them in your vault.

I can confirm what @Neuron5569 already wrote: the new device verification is 1) not in place yet, 2) would only set up email 2FA and not TOTP as in your case. The chances that TOTP / “authenticator app” 2FA set itself up are slim to none, I would say.

If you can, I would recommend searching again every possible (and impossible) location where you might have stored the TOTP seed code, assuming you set it up…

That’s actually a good idea. E.g. maybe email 2FA was also set up?

I get the choice between Authenticator app and Recovery Code.
On that note what format is the recovery code?

OK, that’s not what I had hoped for you.

My recovery code is 8 groups of 4 characters i.e. 32 characters (letters or numbers)

Here is a sample recovery code from the Help Center (Recovery Codes | Bitwarden Help Center):

Thanks - the format does not ring a bell, and I do save this stuff when it happens.
Time to shut this account down
Thanks for all your help
Peter

I opened a new account with a new and dedicated email to move content across.
But things are never that straight forward.
I also have a shared vault with my partner - I think it is called an ‘organization’

  1. I can’t back this up to transfer it - at least not from the browser extension
  2. this prevents me from closing the account

Any ideas welcome…

If you (or your partner) have “Can Manage” permissions for any collections within your organization, then you (or they) should be able to use the browser extension to export those collections for which you (or they) have this level of access (by selecting the organization vault in the “Export From” dropdown menu):
