[FIXED] Inactive 2FA Report - No websites were found

Currently the “Inactive 2FA Report” is reporting “Good News - No websites were found…” but I know that as recently as yesterday there were a handful of accounts listed, as expected (2FA is indeed inactive on them). I’ve made no changes to those accounts since, so it’s odd to see those accounts now missing from the report.

All other reports are currently working as expected, as best I can tell. I’ve also tested on a separate system with a cleared/clean browser cache and have the same result. I do know that occasionally all of the reports come back as clear (no entries), but in my experience that ‘bug’ is transient and usually easily addressed by navigating to another section of the Bitwarden site or at worst logging out and back in.

Noticed the same today. It is definitely broken.

1 Like

The same happens for me… the report lists Good News, No Websites found, despite me not having any 2FA TOTP’s in BitWarden (I only joined yesterday and became premium this morning)

I have ~1200 entries I imported from LastPass, and I know for a fact there are several (>10) that have 2FA support but I don’t have them setup in Bitwarden so should be showing in the report.

Something is definitely not right with this report.

Please file an issue on bit · GitHub warden/web

Raised: Issue 839

1 Like

Someone did some digging on the issue on github and discovered that the domain the api this uses is returning an error… I looked at it after that and it looks to me like it has been purchased by someone else…

It seems like someone from bitwarden needs to check there’s no security implications there ASAP, as the API is no longer under the control of who they think it is. (cant see whey there woudl be if this is as assumed just a request to get a list… but who knows - actually i guess I could check couldnt i… it being open source… forgot about that… couldnt do that on Lastpass)

OK so the stupid forum limit of 3 replies to a topic by a new user is a bit inconvenient as I had to tag this onto this post rather than reply…

Gotta love Bitwarden being open source!

private async load2fa() {
if (this.services.size > 0) {
const response = await fetch(new Request('https://twofactorauth.org/api/v1/data.json'));
if (response.status !== 200) {
    throw new Error();
const responseJson = await response.json();
for (const categoryName in responseJson) {
    if (responseJson.hasOwnProperty(categoryName)) {
        const category = responseJson[categoryName];
        for (const serviceName in category) {
            if (category.hasOwnProperty(serviceName)) {
                const service = category[serviceName];
                if (service.tfa && service.software && service.url != null) {
                    const hostname = Utils.getHostname(service.url);
                    if (hostname != null) {
                        this.services.set(hostname, service.doc);

Seems OK to me… and fairly easy to just pull that list from a locally maintained Bitwarden clone of the original data (which is on github and linked to the ticket I raised above)… seems like that would be a nice solution.

1 Like

Signed up for Premium and noticed the same issue here.
Always says the same even before I activated any 2FA sites.
“No websites were found in your vault with a missing two-factor authentication configuration.”

I followed the issue link posted by sambartle and it looks like the issue will be resolved in a future build.

Looks like this issue has been fixed. The web vault is updated to 2.18.2


Yep! Works for me now.

1 Like

Any news when 2.18.2 will be available for on-prem installations? Currently 2.18.1 is still shown as the latest version.


Update: today 2.19 was released.

Updated to 1.40.0 just now. Still the Inactive 2FA report is green for me, although I’m sure this is not the case. Any ideas?

I have the same issue. Is there a way to fix this from a user point of view?

@maestr0, @Gandalf Is it possible that https://2fa.directory/api/v2/totp.json is somehow blocked from your self-hosted instance?

Thanks to one of our community members @ap123 the the api was updated to v3 and the detection was improved. This is currently under test and will most likely be included in the January release.

I do have a pihole running, but checked that before. Even when I disable pihole, I’m having the issue. I can execute a “wget https://2fa.directory/api/v2/totp.json” from my bitwarden server as well. Not sure where I can look further for analysis.

Was working something else, but found the following just now in config.yml:

# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofed
eral.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' wss://{0} https://api.pwnedpasswords.com https://twofactorauth.org; object-src 'self' blob:;"

I have a reference to https://twofactorauth.org in there and I thought, that maybe this is the reason for my issue. I guess I need to change that to https://2fa.directory? I’m hesitant because the WARNING that things might break.

Thanks a lot!

Tested it out. No luck.

All of a sudden it started working. I guess the info is gathered via recurring job and I had to wait until the next one was through. Anyway, apparently the change in config.yml did the trick.