DUO 2FA Lock-out

I am new to this site. I have a major issue with Bitwarden - locked out of my account due to an issue on their side with DUO 2FA. How do I post my question to this forum?

  1. No, using for several years.

  2. No changes to Duo and their customer support tells me all looks good on their end.

  3. I have an integration key, a secret key and an API hostname from Duo. Is that what you mean? One of the options that I see is recovery code, lost all access to all of your two-step login providers? Use your recovery code to turn off all two-step login providers from your account. I have one person from Bitwarden telling me they can’t be turned off and I have another telling me that it can. I also have a relative with a PhD in mathematics and computer science who is telling me it can be turned off. I would appreciate any and all advice.

  4. Sadly, no.

Sorry I deleted my post, so now your comments are sort of orphaned. Let me put some back, just in case other people can help. These are the questions to the above answers:

  1. Is this a new account? Once you turned Duo 2FA on, were you able to login into Bitwarden?
  2. Have you made changes to Duo app / account recently?
  3. Did you save a Bitwarden 2FA recovery code?
  4. Did you make BW vault exports for backup?
This would have been the screen you get your BW 2FA recovery code from:

The code would look like this:

If you have this code, you can login with the recovery code, turning off all 2FA in the process:

Another question I should have asked was, do you still have any clients logged in? If you do, you should put the device in airplane mode and export the vault.

I saved everything from when I signed up and never got a code like the one you show. I received an integration key, a secret key and an API hostname, that’s it. I don’t understand why Bitwarden can’t simply turn off 2FA on my account and I can have DUO do the same. My brother uses Bitwarden and does not use 2FA.

@DLH2024 Welcome to the forum!

I moved your post into its own topic, since it was unrelated to the thread in which you had originally posted.

In addition to the advice you are getting from @Neuron5569 here, I would highly recommend that you get in touch with Bitwarden’s customer support for assistance immediately. If it is determined that the issue was caused by some technical glitch on their servers, then there is at least a small chance that the problem can be resolved by restoring a backup — but Bitwarden only stores server backup data for seven days, so time is of the essence.


They can do it if you provide the Two Step Login Recovery code, as explained by @Neuron5569. Disabling 2FA on request from a user who does not have the recovery code would create a big security risk for all other Bitwarden users.

I understand that in general terms but in this case the service just stopped on their end. As I understand it 2FA is not required and no one will have the extremely lengthy and complex password that I have. I have provided them with logs from DUO that would clearly verify who I am and that it is my vault. I find the response time from Bitwarden to be lacking - it takes anywhere from 1 hour to an entire day to get a response.


Out of curiosity: did you get any error message? Did you make a screenshot of that? Can you reproduce the (same?) error message if you try to login?

You are at risk of losing your entire vault. Before you do anything else, please reread and follow this advice from @DLH2024:

do you still have any clients logged in? If you do, you should put the device in airplane mode and export the vault.

Another possibility is that if you have previously designated a trusted emergency contact, they may be able to invoke emergency access.

Having a backup is key to reducing the stress in situations like this. If there is any possibility of finding or creating one, that should be your first goal.

This phrasing implies a scenario that likely would affect all Duo-authenticated accounts. Did support indicate “known problem; we are working on a fix” or did it seem more like they were treating your problem as impacting only a single account? If it’s been a day or two, you might reach out again to ask if more reports have come in and if so, if there is an estimated time-to-repair.

Regardless, Bitwarden staff does need to follow their own rules. Two of the biggies are:

  • Bitwarden employees and systems have no knowledge of, way to retrieve, or way to reset your master password [link]
  • Losing access to your two-step login device can permanently lock you out of your vault unless you write down and keep your two-step login recovery code in a safe place [link]

When not waist-deep in a crisis, it is pretty easy to understand why they have these rules. Just as you might be able to convince them “you are you”, so could a determined bad actor. By providing you an “official” way to identify yourself (the master password and the recovery code), they are protecting themselves and your account from the bad actor.

I too have noticed this response time, but we differ in that I find it pretty impressive for a service that costs only $10/yr.

The silver lining from this crisis will be an increased appreciation for disaster preparedness. After the dust has settled from this event, I do encourage you to read up on “You need an emergency kit”, “Export (backup) Vault Data” and “3-2-1 backup rule”. And then apply the lessons learned not just to your vault, but to everywhere that you have stored data.

This screenshot hints at another possibility. Bitwarden supports registering multiple 2FA methods. By chance did you do that and if so, perhaps use the TOTP code (or whatever) that you registered.

I have used both DUO push and codes.

@DLH2024 This looks a bit like a loading problem, maybe… Did you try another browser? (even if it always worked with your browser… maybe a browser update / change in another way or something like that “broke” something)

Yes, Chrome, Firefox, Edge, my phone while connected only to my carrier’s network. Issue replicates on my phone, iPad and wife’s computer.

One thought to that in general: I think “Use another two-step login method” is always offered to everyone, because it allows also to at least use the 2FA recovery code… so I guess, unfortunately, that is not a hint to other 2FA methods activated…

@DLH2024 Did you get one step further with Bitwarden support?

Well, I don’t mean to be offensive, but it is clearly stated in the Bitwarden’s terms of service (Account terms), that every user is responsible for his/her account (security)…

For the future, please always store the 2FA recovery code and/or set up more than one form of 2FA (these days, FIDO2 WebAuthn is a really good option and now available for most people). And for “disaster recovery”, always make regular exports of your vault and create an emergency sheet, with at least the email address, server region (US/EU), master password, 2FA recovery code, vault export password, … on it… I don’t want to scare anybody :sweat_smile: but we should all prepare for losing our vault. :crazy_face:

And though still in Beta, a Bitwarden-login-passkey (with encryption) could also be some (additional) kind of “emergency access” as it doesn’t require both the master password and the set-up-2FA…

PS: Ah, Sorry - now I see @DenBesten wrote most of that already… :rofl:

Well worth repeating. Every week we see somebody on either the community or reddit that would have been saved by an emergency kit or a backup/export.
