Did I f*ck up completely? (Lost 2FA and logged out, but have encrypted backup)

I already did a lot of reading after what happened this morning so I’m 99% sure my data is gone, but just in case I missed anything, here is what happened:

I lost access to my 2FA phone, and my bitwarden account is protected by 2FA. This means I cannot log into the account on the web or in any browser.

HOWEVER, I created an encrypted backup from the web and saved it. Unfortunately it is account restricted, as I didn’t think of getting locked out of the account, so I’m unable to use the backup.

I’m usually logged into my bitwarden-account on multiple computers with open browsers all the time, so I wanted to make an export from there. HOWEVER all of these sessions just logged out, because I just updated my KDF iterations in the account from 10k to 100k and apparently this caused all sessions to log out and they now require the same 2FA to log in again.

Do you have any new idea if there is something I could do? Is there any way to decrypt the encrypted backup without using the account?

@Newinspace Welcome to the forum!

Unfortunately, you are correct about having permanently lost your vault data. The only possible avenues to save your data are the following long-shots:

  • If you ever obtained and kept your account’s two-step login recovery code (a 32-character alphanumeric code), then this can be used to turn off 2FA for your account.

  • If there is any browser (or Desktop app) that has not been opened since before your KDF update (perhaps on an old computer that you no longer use), then it is possible that you still have a logged-in Bitwarden session there. If this is a possibility, then it is critical that you completely disconnect the device from the internet before opening the browser or Desktop app to check (as soon as the extension or app connects to the internet it will log out your session without warning). While disconnected from the internet, you should be able to export your locally cached vault data (as an unencrypted .json file).

  • If you have ever used disk imaging software to create backups of your computer contents, then it may be possible to extract your vault data from these backups.

  • If any computer that you’ve used Bitwarden on has a hard-disk drive (of the spinning-platter type, not solid state), then you may be able to contract with a data recovery service to check if the previously cached vault data (and in particular, your “protected symmetric key”) can be recovered from the unused sections of your disk (or from the hibernation file).

As you suspect, your account-restricted vault export is pretty much useless. It cannot be decrypted without its 256-bit encryption key, which exists only in your account’s cloud database (and requires authentication to access). The methods described in bullet points #2 through #4 above may also offer a way to recover the encryption key, but extracting it and then using it to decipher your export file would require some pretty intense scripting.

Wow, thanks! I actually have two windows PCs, which are disconnected and switched off at the moment. They should have bitwarden in chrome and firefox and were connected to the internet only about a week ago, which means before the KDF update.

So you are saying that I can log in there and get into the local vault, even though they have no connection to the internet? I didn’t know the vault is buffered locally.

I guess the vault will be encrypted, but I can get into it with my passphrase?

Of course, I will boot these PCs without any internet connection!

Yes, there’s hope!

Pull any Ethernet cables out of the computers before booting them up, or if they use WiFi, shut down your WiFi router (and then, to be sure, put the computer in Airplane mode as soon as you are booted up).

You should then be able to use your normal procedure for unlocking the browser extensions, and then you can go to Settings > Export vault to export the vault contents. Choose the plain “.json” format, not “.json (encrypted)”.

Basically, anytime that you log in to Bitwarden using any app or browser extension, a local copy of the encrypted vault is downloaded and stored in the application’s data folder. Anytime that you unlock the app or extension, it decrypts the local vault cache, and then syncs the local cache to get any updated data from the cloud database. If there is no internet connection, syncing does not occur, but the app/extension will still decrypt and make available the cached vault data.

2 Likes

Dude, I can’t believe it, it actually worked. I got back all my data, I’m back in my account, everything is good now! (Except for probably 10 liters of sweat that I lost in the last 10 hours, trying to get back into all my accounts and resetting all passwords from accounts that were registered to my E-Mail addresses and phone numbers.)

I hope others can learn from my mistakes. What REALLY happened is even more crazy than I explained in my first post:

I use andOTP on my android phone to secure my OTPs. Its database is encrypted and the decryption key is saved in bitwarden. So every time I open the app, bitwarden will auto-fill the password for decryption. I only needed to log into bitwarden once in the beginning with 2FA when I set up bitwarden, since then it stayed logged in. I also have multiple computers always online, so if I lose access to one of them, I just take another one to take the passwords from there. The database with my 2FA keys is also stored in bitwarden. So unless I lose all of my bitwarden-browsers at the same time, I should be safe. (I know that’s naive, but that’s what I thought)

I never imagined that I would get logged out of all my bitwarden-browsers at the same time, but that’s exactly what happened when I updated the KDF settings on the bitwarden website.

My second mistake was misunderstanding the explanation of bitwarden, what an encrypted vault-export is. It states: Use your account encryption key, derived from your account’s username and Master Password, to encrypt the export and restrict import to only the current Bitwarden account.

I thought that “derived from my account’s username and master password” meant that ONLY my account’s username and master password was required to decrypt the backup. I know that this was only my interpretation at that time, but maybe bitwarden should make clear that my account encryption key is also based on a third token which is protected by 2FA.

So after I booted up my old computer without internet access, I decrypted the vault with the masterkey, got the password to decrypt the andOTP database and was able to generate a bitwarden 2FA token to log back into the account.

So to sum it up, I made 3 mistakes:

  1. Putting the OTP-database decryption key and the database into bitwarden and needing an OTP to log into bitwarden.
  2. Assuming that I would not get logged out of all my clients at the same time.
  3. Misinterpreting bitwarden’s explanation of how to decrypt the encrypted vault-backup.

I am so thankful for the quick help here!
@grb: Can you send me a PM? I’d like to send you a little something for saving my life!

You’re welcome, glad you were able to get back in!

I agree that it is possible to misinterpret the wording from the Web Vault export tool. The explanation of the “account-restricted” option from the Help documentation is much more clear on this point.

Going forward, the advice I would offer is:

  • Only use the Password-Protected form of the encrypted .json export.

  • Make yourself an Emergency Sheet (in one or more copies), which is a sheet of paper that documents the information you need to get access to your vault in an emergency: (1) your Bitwarden username/email address; (2) your Bitwarden master password; (3) your Bitwarden 2FA reset code; (4) the password to your password-protected exports. You may also want to include the URL to your web vault (e.g., vault.bitwarden.com, vault.bitwarden.eu, or your custom domain if self-hosted).

Also, I recommend using a hardware key (e.g., Yubikey) as the 2FA for accessing your Bitwarden account.

1 Like

A bit unrelated, but I would suggest that you move to something else as andOTP hasn’t been updated for almost 3 years. For example, Aegis and Ente are both excellent options.

Thanks, I’ll check them out. It has been 4 years since I set up andOTP, I didn’t realize they stopped developing it.

Also go to your BW vault and COPY/SAVE the recovery code for your account. With the recovery code you can always get back in as long as you know your master password.

DO IT NOW ----------------------------- > LOL!!

You may want to also keep a local (on your PC) password manager (I use KeePass on Linux but there are Windows versions too).

Periodically I export my Bitwarden vault and import it into my KeePass’s local file to update it.

This way, I have a 2nd password manager that doesn’t rely on any sort of network connection. Very helpful when I am having Internet issues and need to log into my router (no, I have no idea what its 30+ character password is).

Already did it. It’s printed out and hidden in a safe place!

But shouldn’t my browsers have cached the vault if there is no internet access? So I can open them with my master password?

“shouldn’t” has no place in security and critical data.

  1. He who laughs last probably has a backup
  2. You don’t know a backup is broken until you need it
1 Like

Newinspace, that is correct, yes. But I rarely let my vault ‘lock’; I usually have it set to log me out of my browser extensions after 5 minutes. The only time I toggle it to ‘lock’ is if I am doing some lengthy account/password maintenance and know I’ll be in there for some time.

In other words I prefer to always require a 2nd authentication factor to access the vault.

My separate standalone (file-based) password manager allows me to have full access to my vault without any internet connection, browser extension, or browser period. I do this on my phone as well.

1 Like

Agreed on what Ndi commented. I keep multiple local encrypted backups (of both my Bitwarden and file-based vaults) in various physical locations and also in multiple encrypted cloud locations.

It takes some discipline to keep all of this updated, for sure, but you get the hang of it quickly and then it becomes second nature.

1 Like

This is true if the browser extension remains logged in. Most users do keep their apps and extensions logged in at all times (@bwuser10000 doesn’t, but they are in the minority), and therefore will normally be able to access their vault contents even when there are internet connectivity issues.

However, as you discovered, apps and extensions can sometimes be logged out automatically, which erases the locally cached vault copy. This happens when you make changes to your account security settings (master password, KDF, etc.), or when you use the option to de-authorize all active sessions, or when a login session token is too old. However, on occasion, a forced logout can also be triggered without any user action, when Bitwarden initiates a session reset from the server side during certain maintenance tasks; in my experience, this happens rarely (once every year or so), but one should be prepared for it.

For this reason (and for disaster recovery purposes), it is important to periodically make vault backups. The easiest and safest way to make a backup is to create a Password-Protected .JSON export from the Web Vault, as we already discussed. All your data (except any uploaded file attachments, which are not included in vault exports) will be available in this encrypted file. However, decrypting and accessing the contents of this export can be a bit cumbersome, especially if you are having internet connectivity issues.

To have a readily accessible backup for the rare situation in which one has been completely logged out of all Bitwarden sessions and also is experiencing internet connectivity problems (or if one does have an internet connection, but does not want to go through the trouble of creating a new Bitwarden account and importing the .JSON backup, just to look up a single password that is needed quickly), it can be convenient to have an off-line password manager. @bwuser10000 uses KeePass for this purpose, but you can actually use Bitwarden itself as an off-line password manager that accesses a backup copy of the local vault cache.

What I do personally is to have the portable version of the Bitwarden Desktop App (which is available for Windows only) installed on a USB stick. Periodically, I plug in the USB stick and log in to my Bitwarden accounts using the portable app, which syncs the cached vault data. I then close the app without logging out (timeout action is set to “Lock”); in Windows Explorer, I then right-click the Bitwarden data folder (bitwarden-appdata in the same location where I installed the portable app) and select Send to > Compressed (zipped) folder.

If I am ever logged out of my usual Bitwarden apps, I just plug in the USB stick, disconnect the computer from the internet, and then launch and unlock the portable app from the USB. If I happen to make a mistake and forget to disconnect the internet, then the local vault cache will be erased from the bitwarden-appdata folder — this is the reason for creating the .ZIP file, as I can simply unzip the file and restore the bitwarden-appdata folder contents after disconnecting from the internet.

You don’t need to use an external USB stick to employ this strategy, and you don’t even need the portable version of the Desktop app. All that is needed is to periodically create a copy (the .ZIP file) of the Bitwarden data folder as it exists while the app is still logged in. The location of the data folder depends on the app and the operating system; information about where to find the data folder is available here:

1 Like
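The data-folder backup strategy described in the post above (copy the folder while the app is still logged in, restore it later while offline), as an added POSIX shell example that is not part of the thread and not Bitwarden's own tooling. It uses tar instead of a Windows zip so it runs on Linux and macOS as well; the data folder path and the backup destination are arguments the user supplies, since (as the post says) the folder location depends on the app and operating system. The `bitwarden-appdata` name comes from the thread; the function names, the checksum sidecar file and the rotation count are assumptions. The demo runs on a constructed stand-in folder, not a real vault cache.

```shell
#!/bin/sh
# Backup/restore of a logged-in Bitwarden app data folder. Added example; the
# folder path, destination, function names and retention count are assumptions.

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_bw_data_dir SRC_DIR DEST_DIR [KEEP]
# Archives SRC_DIR into DEST_DIR as a timestamped .tar.gz, records its SHA-256,
# checks that the archive is readable, and keeps only the newest KEEP copies.
# Run this while the app is still logged in (a logged-out app has no cache).
# Prints the archive path on success.
backup_bw_data_dir() {
    src="$1"; dest="$2"; keep="${3:-5}"
    [ -d "$src" ] || { echo "data folder not found: $src" >&2; return 1; }
    mkdir -p "$dest"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C keeps the folder name inside the archive so it restores in place.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Refuse to keep a backup that cannot be listed; "you don't know a backup is
    # broken until you need it", so check it at creation time.
    tar -tzf "$archive" >/dev/null 2>&1 || { rm -f "$archive"; echo "archive unreadable" >&2; return 1; }
    sha256_of "$archive" > "$archive.sha256"
    # Rotation: newest first, drop everything past the first $keep (plus checksums).
    ls -1t "$dest"/*.tar.gz | tail -n +$((keep + 1)) | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: recompute the checksum and compare with the recorded one.
verify_backup() {
    [ -f "$1.sha256" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# restore_bw_data_dir ARCHIVE PARENT_DIR
# Unpacks the archive under PARENT_DIR. Do this only with the machine offline:
# as the thread explains, an app that reaches the server after a forced logout
# erases the restored cache again.
restore_bw_data_dir() {
    verify_backup "$1" || { echo "checksum mismatch, refusing to restore $1" >&2; return 1; }
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}

# Demo on a constructed stand-in folder (placeholder content, not real vault data).
demo_backup_and_restore() {
    work=$(mktemp -d)
    mkdir -p "$work/bitwarden-appdata"
    printf '{"note":"constructed placeholder, not real Bitwarden data"}\n' \
        > "$work/bitwarden-appdata/data.json"
    archive=$(backup_bw_data_dir "$work/bitwarden-appdata" "$work/backups" 3) || return 1
    restore_bw_data_dir "$archive" "$work/restore" || return 1
    # The restored copy must be byte-identical to the original.
    cmp -s "$work/bitwarden-appdata/data.json" "$work/restore/bitwarden-appdata/data.json" || return 1
    printf '%s\n' "$archive"
}

demo_backup_and_restore
```

For real use, call `backup_bw_data_dir` with the app's actual data folder (for the portable Windows app in the thread that is `bitwarden-appdata` next to the executable; other apps and operating systems differ) from a periodic job, and keep the destination on removable or otherwise separate storage so the copy survives whatever takes out the primary machine.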