Bitwarden is asking for a verification for my account that I didn't set up a 2FA, and I don't see the email

I've been accessing my account with no issues using my fingerprint.

Today I've tried to access it and this is not enabled. I've tried with my master key but I get stuck after that, as the app (web as well) requests a 2FA code (which I never enabled).

So I'm stuck and don't know how to proceed.

Thanks in advance!

Hello Marco, and welcome to the community👋

The 2FA code is in a New Device Login Protection email sent to the address registered with Bitwarden. Do you not have access to that email account?

PS: I edited the thread title and tags to reflect your questions.

Hi Neuron, thank you.

I do have access to that email, but I haven't received anything.

Just in case, have you checked your spam folder? Are you receiving emails on the account itself?

Another way to see if Bitwarden would send you an email is to request an account deletion (without following through) using this link, assuming you are using the Bitwarden.com server: https://vault.bitwarden.com/#/recover-delete. Obviously, don’t interact with the email received; you just want to see if Bitwarden would send you an email.

PS: I checked; Bitwarden is sending NDLP emails normally. Bitwarden may be having a problem sending to your specific email for whatever reason.

Yes, I'm receiving emails from Bitwarden.

It asks me for a 6-digit code, but I've never set up the 2FA authenticator app.

Bitwarden started requiring OTP from the email for a “new” client it hasn’t seen before from the end of May. See:

Normally, you wouldn’t need to supply this on a client that you have used before (and you haven’t reinstalled, or cleared the site’s data and cookies).

It is highly recommended to set up a 2FA, preferably TOTP or Passkey, which would negate this requirement until you remove the 2FA.

@MarcoP Welcome to the forum!

The “request” you see, does it look like this (option 1):

… or does it look like this (option 2):

?

(the exact wording is more important here than the design)

Hi Nail, the first one, but it doesn't say sent to my email, it says sent to my authentication app and that's the problem :sweat_smile:

@MarcoP Okay, then there’s good news and bad news.

When it asks for your authenticator app, then you did set up authenticator app 2FA before. – It shouldn’t say “there is something sent to your authenticator app” though, but in your authenticator app, there should be an entry (that you stored there) which says “Bitwarden” (or whatever you called it). That entry should give you the necessary code.

If you can’t get that authenticator app code, then it would be the perfect time to search for your 2FA recovery code on your emergency sheet(s).

Bad news is: if you don’t find anything of that, then there is no way to circumvent it.

Do you have any other BW app still logged in? Do you have any recent export of your BW vault?

Then I'm fucked. I'm 100% sure I did not set up an authenticator for Bitwarden and of course I don't have the recovery code.

I only use BW on my phone and never exported my vault.

@MarcoP Just to be sure again: it’s this prompt you’re seeing, right?

If you really think so, then you honestly should also consider that someone else entered your vault and set up authenticator app (TOTP) 2FA for your BW account, as that doesn’t happen just by itself.

I'm sorry that there is no better message for you now.

(If you ever had set up a login-passkey for your Bitwarden account/vault, that could at least log you in now.)

Personally, I probably would wait a few days and search everywhere three times now… In the end, if there’s nothing there, you have to start anew – and should consider deleting your BW account.


@MarcoP @Nail1684

If we posit that Marco's vault started with no 2FA and that someone else then added TOTP 2FA on the account without leaving any other traces, this would be puzzling.

The person most likely wouldn’t be stealing tokens, like the “familiar client” token, from the phone, so logging in remotely would generate 1) an NDLP email, 2) a new device login email, and 3) login traces within the email account itself. If there are none of these, then one possibility is that somebody else has remote access to the phone, meaning they were deleting all these traces when Marco wasn’t looking. Maybe this is technically possible, but we haven’t heard about such a case. :thinking::thinking::thinking:

Yeah… I personally would think it's far more likely that @MarcoP set up 2FA and forgot about it (no offence). – But if indeed @MarcoP never set up 2FA themselves, I would furthermore think it is very unlikely (if not impossible) that it happened just on its own. (I think I can't remember any report about that ever happening – in the end, it was always the user remembering it again, IIRC…)


I guess I will just delete my vault and create a new one, not a very big deal, I just need to reset some passwords and problem solved XD

Thanks to both of you for your help


@MarcoP Thanks for the update! And I guess you were lucky then after all, as it seems no critical data was lost for you then.

Just to reiterate some of the things that were mentioned before – and to avoid this the next time – it is recommended…
