Help needed. Earlier I increased the iterations to 600,000, then I guess I got logged out of all devices. Thing is, I can’t get back in as I need to input the two-step authentication 6-digit number, but I set all this up within Bitwarden so I can’t enter this 6-digit code; the same goes for the recovery code, which I put in Bitwarden.
I did not think I would ever get logged out of all devices, so I would always use one of them to get the temporary codes.
@Corky, welcome to the community.
I wish it could be under better circumstances.
Unfortunately you are falling into a hole some users here have experienced before, which is the concept of having “circular backups”.
You will want to have some form of out-of-band method to gain access back in the event of recovery planning. (Of course this doesn’t help you now, but for future planning at least.)
I will ask, did you happen to make any recent backups of your vault? This is also advisable before making any major account changes, such as KDF iterations.
Without the 2FA method available or recovery codes, I am not sure if Bitwarden support will be able to assist much, but it may be worth a shot to see if anything can be done.
Otherwise, do you happen to have any other 2FA method set up on your account? I.e. email, or other?
Another thought may be if you have emergency access set-up on your account with another trusted contact, while this would likely take longer it may be a viable method to gain access back to your data.
Thanks for your reply, yes I dug myself into a right hole here. I read online you could set up 2FA within the app, so I got rid of my Google Authenticator app and put it all in Bitwarden. Then I made the stupid mistake of putting the recovery code within Bitwarden as well. I don’t think I did set up email recovery and I definitely did not set up a second contact.
This will take me forever to fix now; also I don’t know how I’m going to get back into anything that requires 2FA either, as mentioned these were in the Bitwarden app.
Should you keep your Bitwarden password and 2FA… in Bitwarden? Maybe. It depends. But definitely keep a copy elsewhere! Raivo, Google/MS Authenticator, even store the 2FA seed physically somewhere. Same goes for your master password.
In some instances, users who get locked out of their vaults can recover by disconnecting a logged-in device from the internet, and getting the 2FA/password prior to logout/resync.
Yeah, I’m not sure it was a good idea really, everything was contained within Bitwarden.
I have now deleted my account and created it again from new and got premium enabled again. And gone back to the Google Authenticator app. And I will keep the recovery code elsewhere this time.
Just having a nightmare transferring all my 2FA over to Google Authenticator.
Sorry to hear you ended up having to go this route.
Definitely not an ideal case, though if you are wary of storing and using Google Authenticator for your TOTP 2FA codes, other good alternatives recommended in the community here have been Aegis for Android and Raivo OTP for iOS.
As mentioned too you can store the TOTP secret separately as well at the time of enabling 2FA for an account.
If you still prefer the ease of using the premium Bitwarden authenticator, you can still set up and record your 2FA code into Bitwarden as well as the authenticator of your choice so you have separate copies.
Lastly, backups are important.
It is very good to make regular backups any time before making large account changes, and possibly even after.
It is also good to just make regular account backups to ensure you always have a recent copy of your data.
Quick question: when you say make regular backups, do you mean export vault? I just did this as a JSON file, but you can read all the details within the file?
The information in the official guide is (in my opinion) incomplete and outdated. If you’re not going to use the alternative method (@RogerDodger’s second link), then your next best alternative is the new password-protected encrypted JSON export available in the Web Vault and CLI only (not the legacy “account-restricted” encrypted export available in the Desktop app and the browser extension).
If you create an unencrypted export (even if you are subsequently re-encrypting it with a 3rd-party tool like 7zip or VeraCrypt), sensitive data will be left on your drive even after you delete the original unencrypted file, and can be recovered by an attacker who has access to your device (e.g., if your device is ever lost, sold, discarded, stolen, or confiscated). If your device is an SSD drive, then it is practically impossible to expunge all traces of the deleted file (without physically destroying the drive). If you want to export unencrypted data, special precautions must be taken to avoid this security vulnerability.
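A check for the distinction drawn above (password-protected encrypted export versus a plaintext export), as an added example that is not part of the original thread and not Bitwarden’s own code: the script inspects an export file before it is copied anywhere, classifies it, and counts how many passwords and TOTP secrets a plaintext file would expose. The field names it looks at (`encrypted`, `passwordProtected`, `items`, `login`) and both sample documents are assumptions constructed for the example; the placeholder values are not real ciphertext or real vault data.

```python
import json

# Constructed sample shaped like a password-protected encrypted export.
# Field names are assumptions about the export format; values are placeholders.
ENCRYPTED_SAMPLE = json.dumps({
    "encrypted": True,
    "passwordProtected": True,
    "salt": "PLACEHOLDER_SALT",
    "kdfType": 0,
    "kdfIterations": 600000,
    "encKeyValidation_DO_NOT_EDIT": "2.PLACEHOLDER|PLACEHOLDER|PLACEHOLDER",
    "data": "2.PLACEHOLDER|PLACEHOLDER|PLACEHOLDER",
})

# Constructed sample shaped like a plaintext export: every secret is readable.
PLAINTEXT_SAMPLE = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "example site",
         "login": {"username": "alice", "password": "hunter2",
                   "totp": "otpauth://totp/PLACEHOLDER"}},
        {"type": 1, "name": "another site",
         "login": {"username": "bob", "password": "", "totp": None}},
        {"type": 2, "name": "a note", "notes": "nothing secret"},
    ],
})


def classify_export(text):
    """Return {"kind": ..., "secrets": n} for the JSON text of an export.

    kind is one of: "password-protected", "account-restricted",
    "plaintext", "unknown", "not-json".  secrets counts the login
    passwords and TOTP seeds that are readable in a plaintext file.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return {"kind": "not-json", "secrets": 0}
    if not isinstance(doc, dict):
        return {"kind": "unknown", "secrets": 0}

    if doc.get("encrypted") is True:
        # Both encrypted variants keep secrets inside the opaque "data" blob;
        # only the password-protected one can be restored to any account.
        if doc.get("passwordProtected") is True:
            return {"kind": "password-protected", "secrets": 0}
        return {"kind": "account-restricted", "secrets": 0}

    # Anything else is treated as plaintext: count the readable secrets.
    secrets = 0
    for item in doc.get("items", []):
        login = item.get("login") or {}
        secrets += sum(1 for key in ("password", "totp") if login.get(key))
    return {"kind": "plaintext", "secrets": secrets}


def safe_to_store(text):
    """True only for an export that can sit on an unencrypted disk."""
    return classify_export(text)["kind"] in ("password-protected",
                                             "account-restricted")


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_SAMPLE),
                          ("plaintext", PLAINTEXT_SAMPLE)):
        result = classify_export(sample)
        print(f"{label}: {result['kind']}, readable secrets: {result['secrets']},"
              f" safe to store: {safe_to_store(sample)}")
```

Run it against a real export by reading the file into `classify_export` before moving the file off the encrypted volume; a result of `plaintext` with a non-zero secret count means the file needs the handling described above (encrypted download location, then secure disposal), not just deletion after re-encrypting it.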
Ok thanks for this information, I have now backed up to an encrypted json file using the first option which uses a combination of username and password for my account only.
Would this still be the case if downloading the unencrypted export to an encrypted SSD drive like BitLocker or ChromeOS before using PeaZip/7zip? That’s what I’ve been doing. Thanks!
You may have to check your specific set-up, but most browsers (and even the Desktop app) will create a temporary file in your default Downloads folder before moving the data to the specified destination. Thus, the only safe method that I’m aware of for exporting unencrypted data is to modify the setting for the default Downloads directory so that the default location is on an encrypted volume or container (or on non-encrypted removable media that you plan to destroy or store in a strong safe). You can define a dedicated browser profile for this purpose.
Therefore, you should be able to directly download unencrypted files on a Chromebook and then encrypt them. This assumes that the encryption tool itself doesn’t create temporary files somewhere else while encrypting the files.
In some instances, users who get locked out of their vaults can recover by disconnecting a logged-in device from the internet, and getting the 2FA/password prior to logout/resync.
The same has happened to me. I do have an Android install that was not online when I changed my key iterations and I can still see everything. What is my next step, other than opening each of the 2,000 entries and writing down the password? I have tried to export to a JSON file, but it gives an error and says I should go to the web vault. I don’t see any way to manage the data or change the 2FA.
Thanks!