My specific case right now is trying to get verification codes from a new Windows machine sent to my Outlook email. I nearly got myself locked out of my main account but luckily, I have a 2-step recovery code where I was able to get out of that problem.
For other answers in this thread it does seem that sometimes I’m getting email to Outlook but I can’t figure out rhyme or reason why it works in some cases but not others. Mostly a 90% miss and none with verification codes.
I really don’t like diagnosing this problem myself but we need to get these guys pointed in the right direction. This is a somewhat serious issue that needs to be worked out. I did create backups so at least I’m covered in catastrophe.
I finally received an email from Bitwarden support. They said they are working on it. I was told they would get back with me. I offered my assistance to them if needed. I’m assuming they would be setting up an internal test scenario to diagnose the issue themselves. As a developer that troubleshoots things that’s what I would do first before engaging the customer. Let’s see where this goes. Sounds like I’m not the only one with this problem so they should easily be able to replicate it.
Just the same, for the benefit of us community members (who have no insight into what is or isn’t happening in Bitwarden), it would be helpful if you could do the tests that I suggested, and report any errors here.
Setting up a new machine does not necessarily require access to email. My suggestion, set up either TOTP(“authenticator app”) or Yubikey/Webauthn as your two-step login method. Then, you are no longer dependent on email functioning properly.
Over the years, spam has made email delivery somewhat unreliable due to the arms race between those that want spam delivered and those that do not. And unfortunately, both false-positives and false-negatives reign supreme. I have learned to not depend on reliable email delivery for anything important, such an authentication factor. In that respect, New Device Login Protection is a terrible option in that it is wholly dependent on an unreliable infrastructure. IMHO, the only thing worse is depending solely on a single factor.
Personally, I opted out of NDLP knowing that my vault was safely protected with TOTP. If for some reason I need to use my recovery code, my first action will be to repair TOTP. The last thing I want is an mail complication cropping up when I am in the such a crisis. That said, I did write my TOTP secret on my Emergency Sheet to decrease the odds of needing my Recovery Code in the first place, and I do keep a reasonably-current offline export as a true contingency plan.
Apparently, there is no way to do this through the Bitwarden app or the Bitwarden browser extension. Both of which I have access to. As soon as I try to update the security it sends me to a web page that wants to send me a verification code to my email. I’m not receiving such email. This is on my existing machine where probably my browser cache was cleared at one point, so I need to reauthenticate.
If you know of another way to change the security method without having to log into the web page, I’ll give that a shot.
Unfortunately, systemic changes to the vault database itself do need to be done through the web vault. You might try using a different web browser perhaps on a different operating system. Another recent case seems to imply that the browser brand makes a difference when logging in with new device login protection.
One possibility is to contact support and ask that NDLP be disabled on your account. They will do so for 24 hours, which is long enough to get TOTP set up.
Another (less than pleasant) approach is to set up a new account, get TOTP working and then export/import your vault from old to new. The primary complications (other than being annoying) are that attachments (if any) need to manually migrated (zip format will export them, but there currently is no automated import - go vote for it) and that if you have premium, you will need support to move the subscription to the new account.
One thing to be aware of with this approach is that the Terms-of-service state “One person or legal entity may maintain no more than one free account”, so you do need to remember to delete the old account once you are confident the new account is complete and working properly.
If you have not already done so, contact support and request a 24-hour waiver of the NDLP requirement. Then log in to the Web Vault during this 24-hour window and set up 2FA using a non-email based method.
I have sent in a request but did so via my Gmail account because they can’t properly communicate to me via my Outlook account. So, I hope they will do this without needing a support email from my Outlook account.