Errors with 2FA codes

A few weeks ago all the codes began to fail in accounts configured with 2FA.
All devices on my network have the time set correctly with an internal time server that in turn synchronizes on the internet with ntp.org.
When I reconfigure the accounts with Google Authenticator they work without problems.
Little by little they have all been failing. Does anyone know if there is a solution to this?

The most likely explanation is that there is a delay (or other mismatch) introduced by this two-step time synchronization.

Can you (at least temporarily, as a troubleshooting approach) sync one or more of your devices directly to an external time server?

It is not possible. In my network, NTP and DNS traffic to external services is explicitly denied.
My 2FA Bitwarden vault is configured with a third-party application and functions correctly. I have migrated the accounts with problems to Google Authenticator and they also work without problems, with the phone connected to the Wi-Fi.

Do you have Bitwarden and Google Authenticator installed on the same device, both using an identical TOTP seed? And they generate codes that differ from each other?

Good morning, thanks for responding.
The accounts that I have migrated, I have reconfigured by disabling double verification and reconfiguring them in another application.
The problem, and a big one, is in the accounts where I have no additional recovery methods (codes, SMS, email). I am running out of access, with no way to recover them; I can just wait for the codes to work again at some point.
As I already mentioned, I use three more applications apart from Bitwarden, FortiToken Mobile, Microsoft Authenticator and Google Authenticator, and all 3 work without problems.
I’m in Europe. Could it be a problem related to the recent creation of the zone? My vault is in the .com zone, and it won’t let me open the session in the European zone.
Thank you so much.

I understand that the area issue is a limitation because it has not yet been replicated or due to some GDPR issue.
Does anyone know if the change or migration can be requested?
Thx

With “the accounts that I have migrated” you mean the transfer of your TOTP seed codes from authenticator app to authenticator app (or Bitwarden's built-in authenticator)?

What do you mean by “I have reconfigured by disabling double verification”? And you mean in the authenticator app(s) then? What do you mean by “double verification”?

And what exactly did you also reconfigure (“and reconfigure them in another application”)?

PS: Maybe a screenshot or screenshots would help - but please blur a TOTP seed, if it might be in there…

I have logged into the affected accounts with alternative verification (SMS, recovery codes, email), disabled double verification, and recreated it by adding the “new” seeds to another application (three different ones to be specific).
All the accounts in which I have been able to perform this procedure are working without problems, with the three applications that I have already mentioned above.

@Zoltar Okay, thanks for the clarification. As I understand you now, the new “seeds” work with your three apps (FortiToken Mobile, Microsoft Authenticator and Google Authenticator). And when you add them in Bitwarden again, do they produce the same 6-digit codes (Bitwarden and the other three apps)?

BTW, that’s more or less the same kind of question as @grb stated:

It would be really strange, if a) your codes once worked with Bitwarden, b) then not and c) even the new codes that work with the other three apps wouldn’t work with Bitwarden then. 🤔

@Zoltar I have read all three of your responses, and none of them answer the questions that I have posed:

On the accounts where you have reset the TOTP, those accounts are now using a new TOTP seed (secret key), so they can unfortunately no longer be used to determine what is happening with your Bitwarden authenticator.

Please do the following:

  1. Please answer the question whether your third-party authenticator apps (FortiToken Mobile, Microsoft Authenticator and Google Authenticator) are installed on the same device as your Bitwarden app, or on a different device.

  2. Log in to the Bitwarden Web Vault (https://vault.bitwarden.com/). For one of the accounts where you have not yet reset the TOTP seed, view the account details in the Web Vault, and make a note of the long character string shown in the Authenticator Key (TOTP) field (should consist of at least 16 uppercase letters and numbers).

  3. If the Google Authenticator app and the Bitwarden app are not installed on the same device, then install the other app so that both are installed on the same device. All further testing steps will be done on this device. Please let us know which app (Google Authenticator or Bitwarden) that you added to the testing device in this step.

  4. In the Google Authenticator app on the testing device, manually create a TOTP item in Google Authenticator, by tapping the + icon and then tapping Manual Entry. Enter TEST ACCOUNT in the “Account” field, and accurately enter (or copy-and-paste, if possible) the long alphanumeric string (Authenticator Key) from Step #2 into the “Key” field, then tap the ✓ icon.

  5. You should now see a 6-digit code for TEST ACCOUNT in the Google Authenticator app. The code will change every 30 seconds.

  6. Open the Bitwarden app on the same testing device as the Google Authenticator app, and open the same account from which you had copied the Authenticator Key in Step #2.

  7. Under “Verification Code (TOTP)” in the Bitwarden app, you should see a 6-digit TOTP code that changes every 30 seconds.

  8. On the same device, compare the 6-digit TOTP codes from Step #5 and Step #7. Wait until just after they have both changed to a new value (i.e., within a few seconds). Are the TOTP codes the same or different?

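Added example, not part of the thread and not Bitwarden's code: the same-seed comparison in Steps 2 to 8 rests on TOTP being a pure function of the seed and the clock, so two apps on one device must agree. The sketch below computes RFC 6238 codes and, given a code observed on a device, searches for the number of 30-second steps its clock is off. The function names are hypothetical, and the seed is the public RFC 6238 SHA-1 test key, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, matching the 30 s rotation in Steps 5 and 7


def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at a given Unix time."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # authenticator keys often omit padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_step_offset(seed_b32, observed_code, reference_time, max_steps=20):
    """Return how many 30 s steps the generating clock differs from
    reference_time, or None if no step within +/- max_steps matches
    (which points at a different seed or algorithm rather than the clock)."""
    for n in sorted(range(-max_steps, max_steps + 1), key=abs):
        candidate = totp(seed_b32, reference_time + n * STEP)
        if hmac.compare_digest(candidate, observed_code):
            return n
    return None


# Constructed sample input: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    reference = 1111111111          # trusted clock (constructed value)
    device_code = totp(SAMPLE_SEED, reference - 2)  # device clock 2 s behind
    print("reference code:", totp(SAMPLE_SEED, reference))
    print("device code:   ", device_code)
    print("step offset:   ", find_step_offset(SAMPLE_SEED, device_code, reference))
```

A result of 0 means the clocks agree within one step, a small non-zero value indicates clock drift, and `None` means the two codes do not come from the same seed and parameters.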