I tried to open the browser based Bitwarden site (on Chrome). It now requires 2FA, which I have not set up. Search showed that Bitwarden forced 2FA on all accounts recently and sent an email with the necessary recovery code to set it up. No email from Bitwarden arrived recently.
The only bit that is still accessible is the browser extension on Chrome. It only needs the master password and works ok. I exported my vault content to be sure.
So how do I generate a recovery code or reset the 2FA from the browser extension? Or is there any other way to recover the account to gain browser based access?
BW is planning to force users with no 2FA to verify new clients via email. This isn't in force yet; it's supposed to come in February.
The email that they sent had no recovery code. This isn't a regular email 2FA that is set up automatically. For BW, it's like a forced verification with no option (like a 2FA recovery code) to get around it. The only way to get around this is to set up a 2FA explicitly.
I verified this by setting up an account with no 2FA. Logging in from a different browser, or from an incognito window, still requires no email verification for the web vault.
AFAIK, you now actually have a real 2FA enabled on your account. Your only recourse is to delete the account, and re-setup the account, this time hopefully setting up your own 2FA instead of having a verification forced on you.
Yes, it looks like my account has 2FA enabled, but not by me (or I am having a senior moment here). Otherwise I would have received an email to enable the setup, presumably?
How did this happen? It rattles my faith in Bitwarden somewhat, I must say.
Can I create a new account with the same email address once the old one is deleted?
Peter
Typically, when you set up 2FA, Bitwarden won't send you any email confirmation, unless you set up an email 2FA, in which case it would send an email to verify the address.
Once you delete the account via the link above, you can set up another account with the same email address.
The problem is, if you didn't set up the 2FA in your dementia/drunken/absent-minded state, someone might have access to your account. The most common cases where someone would have access to your account are:
They have your password.
There is an infostealer on your device(s).
If you re-use your master password or use a simple patterned password, the fix may be to just use a different master password and change all your passwords in your account.
If it's the 2nd scenario, you might have to reset the devices to get rid of the malware, or at least do multiple independent scans to make "sure" that the devices contain no malware.
There are no known widespread BW account breaches. As far as we know, BW's security and reputation are solid.
Thanks for the image. That would be a 6-digit code from an authenticator app. Usually, to set it up, someone would have to take a photo of the screen to capture the secret, and type in a 6-digit code to confirm capture. Someone did this. If you didn't do it, somebody else has your master password.
Do you by any chance save your BW master password in your browser's password manager, i.e., do you type in your master password every time, or does the browser fill it in for you?
Neuron
"Do you by any chance save your BW master password in your browser's password manager, i.e., do you type in your master password every time, or does the browser fill it in for you?"
Really? I have my master PWD memorised and not stored in electronic form anywhere.
Also I have 2FA for other applications on an authenticator app and no doubt would have added Bitwarden to this as well - had I set this up.
Then I ran a scan on both PCs I use Bitwarden on - no nefarious activity detected.
If Bitwarden did not force the 2FA activation somehow, I am still at a loss what happened.
Let's leave this here, I may have to close my account when the browser app stops working and start again from the backup.
Thanks for your assistance
All exports (CSV and JSON) don't include file attachments, Sends and items in the trash.
CSV exports furthermore don't include cards, identities and passkeys.
So make sure you exported some of those "manually", if you had them in your vault.
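As an added example (not from the original thread or from Bitwarden), here is a small Python check you can run over an unencrypted JSON export before deleting an account. It tallies the items by type so you can see how many cards and identities a CSV export would have dropped, and it refuses to proceed on an encrypted export. The numeric type codes (1 = login, 2 = secure note, 3 = card, 4 = identity) and the `login.fido2Credentials` key for passkeys are my assumptions about the export layout; compare them with your own file. The sample export embedded below is constructed for the example and is not a real vault.

```python
import json
from collections import Counter

# Item type codes as found in Bitwarden's unencrypted JSON export.
# Assumed from the export format; verify against your own file.
ITEM_TYPES = {1: "login", 2: "secure note", 3: "card", 4: "identity"}

# Constructed sample export (not a real vault) with the shape of a
# Bitwarden JSON export: a top-level "encrypted" flag and an "items" list.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "example.com",
         "login": {"username": "alice", "password": "hunter2"}},
        {"type": 1, "name": "passkey-site.example",
         "login": {"username": "alice", "password": "",
                   # assumed key name for stored passkeys
                   "fido2Credentials": [{"credentialId": "constructed"}]}},
        {"type": 3, "name": "Visa", "card": {"number": "4111111111111111"}},
        {"type": 4, "name": "Alice Example", "identity": {"firstName": "Alice"}},
        {"type": 2, "name": "Wifi", "notes": "constructed note"},
    ],
})


def summarize_export(raw: str) -> dict:
    """Count items per type in a Bitwarden JSON export.

    Raises ValueError for an encrypted export, because the item list of an
    encrypted export cannot be inspected without the account's key.
    """
    data = json.loads(raw)
    if data.get("encrypted"):
        raise ValueError("encrypted export: re-export unencrypted before checking")

    items = data.get("items", [])
    counts = Counter(ITEM_TYPES.get(item.get("type"), "unknown") for item in items)

    # Passkeys live under the login object (assumed key name).
    passkeys = sum(
        1 for item in items
        if item.get("type") == 1 and item.get("login", {}).get("fido2Credentials")
    )

    return {
        "total": len(items),
        "counts": dict(counts),
        "passkey_logins": passkeys,
        # Cards, identities and passkeys are exactly what a CSV export omits.
        "csv_would_drop": counts["card"] + counts["identity"] + passkeys,
    }


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with open("bitwarden_export.json").read() for a real file.
    summary = summarize_export(SAMPLE_EXPORT)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Note that attachments, Sends and trashed items are not in the JSON export at all, so no script over the export file can tell you whether you had any; those you still have to check in the vault itself.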
I can confirm what @Neuron5569 already wrote - the new device verification is 1) not in place yet, 2) would only set up email 2FA and not TOTP as in your case. The chances that TOTP-/"authenticator app"-2FA set itself up are slim to none, I would say.
If you can, I would recommend searching again every possible (and impossible) location where you might have stored the TOTP seed code, assuming you set it up…
That's actually a good idea. E.g. maybe email 2FA was also set up?
I opened a new account with a new and dedicated email to move content across.
But things are never that straight forward.
I also have a shared vault with my partner - I think it is called an "organization"
I can't back this up to transfer it - at least not from the browser extension
this prevents me from closing the account
any ideas welcome…
If you (or your partner) have "Can Manage" permissions for any collections within your organization, then you (or they) should be able to use the browser extension to export those collections for which you (or they) have this level of access (by selecting the organization vault in the "Export From" dropdown menu):