Changed password, unable to get verification code

I changed my master password and use 2FA with the Bitwarden authenticator. After I changed my password I’m not able to get a verification code.

Did I do something wrong, and should I have toggled 2FA off temporarily? Am I able to get into Bitwarden?

@werb Welcome to the forum!

Was your “2FA” for your Bitwarden account/vault stored in your Bitwarden vault – and synced to the BW authenticator app? And now, due to the master password change, it isn’t synced and you can’t get the TOTP code?

You mean toggle off 2FA for your Bitwarden account/vault? That would only be possible in the web vault, where you seemingly can’t login to at the moment.

If you can’t get access to the 2FA TOTP code, this would be a perfect time to look for your 2FA recovery code on your emergency sheet.

Was your “2FA” for your Bitwarden account/vault stored in your Bitwarden vault – and synced to the BW authenticator app? And now, due to the master password change, it isn’t synced and you can’t get the TOTP code?

I don’t know whether my 2FA is stored in the vault and synced to the authenticator app. Maybe it wasn’t, and this caused the problem. The problem is indeed that I can’t get a TOTP code, which is needed to log on.

You mean toggle off 2FA for your Bitwarden account/vault? That would only be possible in the web vault, where you seemingly can’t login to at the moment.

If you can’t get access to the 2FA TOTP code, this would be a perfect time to look for your 2FA recovery code.

I didn’t make a recovery code, so this is of no use to me. The big question is: am I able to log on to Bitwarden again, or is a reset necessary? I only changed my master password.

When you activate 2FA in the web vault, a 2FA recovery code always gets created automatically.

When you try to log in now with your email address and master password… the “request” you then see – does it look like this (option 1):

… or does it look like this (option 2):

?

What matches the most with what you see? (the exact wording is more important here than the design)

And if you’re not sure, then please post a screenshot of what you see. (please redact any personal information before posting)

What matches the most with what you see?

Option 1 it is. The only difference is that I don’t see the option ‘Select another method’.

Okay, thanks. Unfortunately, that’s bad news for you, as it seems you have now lost access to your Bitwarden account.

Option 1 means, you indeed set up 2FA for your BW account. Bad news is: that can’t be circumvented by BW support. And when you don’t see the option “Select another method”, then that means you didn’t set up any other method than “authenticator app” 2FA.

So, as long as you don’t find either your “authenticator app” codes or the 2FA recovery code (which would deactivate 2FA for your BW account so that you then could log in), then there is no way to log in now.

(one option to at least log in, though, would be if you ever set up a “login-passkey” for your Bitwarden account/vault – that would allow you to login without the need of your 2FA option)

Do you have an export of your vault?

After you changed your master password, all BW apps that were connected to the internet got logged out. – If you have any BW app that is still “offline” (not connected to the internet) and still logged in, then let it stay offline under all circumstances – and you should try to make an export of your vault with your old master password there. (Unfortunately there is a current bug with password-protected exports from the mobile app, so I would recommend to make an unencrypted JSON export now.)

Best thing: create a new BW account and try to import directly, to see if the import worked.

After you did all that and made sure you “rescued” all data, you can consider deleting your old account.

Don’t forget to create an emergency sheet now for your new BW account (with at least the email address, server region, master password and 2FA recovery code on it…). Also make regular – or at least casual – exports/backups of your BW vault a habit. (here is a backup guide: bitwarden_reddit/backups.md at main · djasonpenney/bitwarden_reddit · GitHub)

Thanks for your support. That is bad news. I didn’t set up a login passkey. I have an encrypted export of my vault from a few months ago.

The system does not surface a warning during master password rotation to inform the user of potential side effects of this operation.

So I need to reset my account.

That is better than nothing.

That is true – indeed, I can’t understand why that warning is missing. There even is a feature request about that: Recommend vault export before changing master password

As a general rule: make an export of your vault before making any critical change (like changing your BW email address, master password, KDF, setting up 2FA, …), just in case.

On the other hand: all 2FA settings should be unaffected by changing the master password – and that alone can’t explain why you lost your “authenticator app” 2FA. – As implied before, my guess would be that you only synced your TOTP codes from your vault with the authenticator app. And when you changed your master password, you also “cut off” the sync between the password manager and authenticator app. (as the password manager app got logged out due to the master password change)

If you had stored your TOTP code locally on the authenticator app, a master password change shouldn’t affect that in any way.

Anyway, can’t be changed now – but for the future: don’t store your “authenticator app” 2FA in only one location. (hence the emergency sheet… where you can also store the “authenticator key” / TOTP seed code for “authenticator app” 2FA)

This may well be your path forward. If you know the password for your export, it can be imported into KeePassXC. KeePassXC can be used to view TOTP codes stored in the vault.

Once you do get back in, do create an emergency sheet and be sure to include your MFA Recovery code and the TOTP secret key on the kit.

3 Likes

@DenBesten is right! – @werb If you really stored your “TOTP code” in your vault, and it is contained in your export, then you could get access to your 2FA for Bitwarden again.

If you don’t know how to handle KeePassXC, you can also create a temporary new Bitwarden account and import your previous export there. When you get your TOTP code, you can login to your “old” BW account and delete the new BW account.

1 Like

Only if it was a password-protected export (and if OP still has the file password). An account-restricted export would unfortunately not be “better than nothing”…

1 Like

The complication with this approach is the need for premium or setting up a sync with Authenticator. But yes it would be possible to solve within the “family”.

That said, an occasional import into KeePassXC is a great way to validate that one’s export was successful :) and that there is a path forward if Bitwarden were to vanish off the face of the earth.

Also with a free BW account, you can access and “grab” the TOTP seed code (/ BW terminology: “authenticator key”). That can be added and used in any authenticator app to produce the TOTP verification code.

Maybe I should have added that previously (@werb) – and maybe we can agree (@DenBesten) that both approaches have their (dis)advantages. ;)

1 Like
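The two rescue routes above (viewing the stored TOTP seed in KeePassXC, or “grabbing” the authenticator key from a temporary Bitwarden account) both come down to the same thing: the vault item holds the TOTP seed, and any RFC 6238 implementation can turn that seed into the six-digit verification code. The following is an added example, not code from the forum posts or from Bitwarden; it reads an unencrypted Bitwarden JSON export, finds every login item with a `totp` field, and computes the current code. The export layout (`items[].login.totp`, a bare base32 seed or an `otpauth://totp/...` URI) is an assumption about the format, the sample export is constructed, and the “secrets” in it are the RFC 6238 test-vector key, not real ones.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of an *unencrypted* Bitwarden JSON export (not a real vault).
# Layout assumed: items[].login.totp holds either a bare base32 seed or an otpauth URI.
# The seed is the RFC 6238 test-vector key "12345678901234567890" in base32.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "Bitwarden",
         "login": {"username": "werb@example.invalid", "password": "x",
                   "totp": "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"}},
        {"type": 1, "name": "Example with otpauth URI",
         "login": {"username": "u", "password": "p",
                   "totp": "otpauth://totp/Example:u?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                           "&digits=8&period=30&algorithm=SHA1"}},
        {"type": 1, "name": "No 2FA here",
         "login": {"username": "a", "password": "b", "totp": None}},
    ],
})

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def _b32decode(secret):
    """Base32-decode a seed as people tend to paste it: spaces, lowercase, missing padding."""
    s = "".join(secret.split()).upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_totp_field(value):
    """Return (secret_bytes, digits, period, hash_fn) for a totp field that is
    either a bare base32 seed or an otpauth://totp/... URI."""
    digits, period, algo = 6, 30, "SHA1"
    if value.lower().startswith("otpauth://"):
        u = urlparse(value)
        if u.netloc.lower() != "totp":
            raise ValueError("only otpauth://totp URIs are supported (HOTP is not)")
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        secret = q["secret"]
        digits = int(q.get("digits", digits))
        period = int(q.get("period", period))
        algo = q.get("algorithm", algo).upper()
    else:
        secret = value
    return _b32decode(secret), digits, period, _HASHES[algo]


def totp_code(secret, at_time, digits=6, period=30, hash_fn=hashlib.sha1):
    """RFC 6238: HMAC over the big-endian 8-byte time step, then dynamic truncation."""
    counter = struct.pack(">Q", int(at_time) // period)
    mac = hmac.new(secret, counter, hash_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_from_export(export_text, at_time=None):
    """Map item name -> TOTP code for every login item in the export that has a seed.
    Refuses a password-protected export: that file must be decrypted (e.g. by importing it
    into a temporary vault or KeePassXC) before its totp fields are readable."""
    at_time = time.time() if at_time is None else at_time
    data = json.loads(export_text)
    if data.get("encrypted"):
        raise ValueError("encrypted export: import/decrypt it first")
    out = {}
    for item in data.get("items", []):
        totp = (item.get("login") or {}).get("totp")
        if not totp:
            continue
        secret, digits, period, hash_fn = parse_totp_field(totp)
        out[item["name"]] = totp_code(secret, at_time, digits, period, hash_fn)
    return out


if __name__ == "__main__":
    for name, code in codes_from_export(SAMPLE_EXPORT).items():
        print(f"{name}: {code}")
```

The `encrypted` check is the practical caveat from the thread: this only works on an unencrypted JSON export, or on a password-protected one after you have opened it with the file password. Anything you recover this way is the same seed you should then copy onto the emergency sheet, so a future master-password change cannot lock you out again.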