Graceful license expiration

Recently our license expired due to an expired credit card. Unfortunately, on the date the licenses expired, all our users instantly lost access to shared items. This was a very, very inconvenient situation, since there was no warning to the users (the only notice was an email to the billing email address, and it took help from the Bitwarden support team to fix the credit card issue).

Here are the things we would have expected:

  • A visible warning in all applications to all users, so that the user might take some action to prepare for the looming loss of access.
  • Read-only access to shared passwords for at least a grace period of a few days

This would alarm key users and allow them to take or delegate action (export data, fix any payment issue, notify users).

Losing access in a productive environment because of a clerical error is unacceptable.


Surprised this isn’t getting more traction. My friend just told me about how his vault was suspended for a payment he thought went through (he got an email saying so) but which didn’t, because his credit card was expired. This is alarming and shouldn’t lock out anyone; an email notification should be sent and then there should be a small grace window period to fix the payment or export the data.

I had this happen to me this morning. What was most frustrating was that I had fixed my credit card info a few days ago, the payment went through for the organization and then the organization still was disabled after the invoice was paid. I didn’t even get a warning that the organization was disabled.

This could be “solved” by either allowing people to add credits to their accounts or paying ahead of time.

Netflix lapsing is not the end of the world, but self-destructing password managers are. Imagine if landlords could evict their tenants if they didn’t pay on time, but tenants were only allowed to pay on the exact day the bill was due.

Just a couple of clarifications.

Self-host environments have a 3-month grace period between the expiration of the license and the organization getting disabled. For cloud environments it’s 1 week.

A month prior to the renewal date, an email gets sent to the billing address set up for that purpose if the payment method is outdated or missing, and with each failed attempt a new email gets sent informing of the issue. A new payment attempt is performed 3 hours later, 1 day later, 2 days later, and so on.

The payment method can be updated at any time by the owner of the organization by going to the Web Vault (https://vault.bitwarden.com) and navigating to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Billing.

If the payment gets resolved within that timeframe, the organization doesn’t get disabled and everything continues normally.

If the payment keeps failing after 1 week, cloud accounts get disabled and need to be manually verified, because payment collection stops there and the CS team needs to verify whether there is more than 1 month due. Usually for self-host environments they just notice 3 months later, and we need to collect 3/4 months due and then re-enable the organization.

Even with all these, if an account that belongs to a disabled organization writes to us (https://bitwarden.com/contact/), the ticket gets automatically tagged as DISABLED ORGANIZATION and receives maximum priority.

No information gets deleted after an organization gets disabled.

Regardless, I agree that an optional message, prompt or something similar would be a nice idea.


Self-host environments have a 3-month grace period between the expiration of the license and the organization getting disabled.

Sorry, this is incorrect. Our self-hosted environment disabled itself after one week (and no warning).

What is perplexing is why this is even an issue. Our auto-payment went through, but the license update slipped through the cracks. It’s pretty straightforward for the server to poll for an updated license.

The same happened to our organisation vault because of an expired credit card.
I absolutely feel the pain and also hope that there will be information inside of Bitwarden’s clients or web app when accessing the vault while a payment is failing. We found out that there was a mail sent by Bitwarden regarding the payment issue, but it got stuck in our spam filter.

It should also be possible to reactivate the vault/organisation when the payment is done, without opening a ticket with Bitwarden support.

Same here. No emails received from Stripe or Bitwarden (nothing in spam) about the failed card payment attempts, and no warnings shown on the Bitwarden account. Just the red “Organization is disabled” tag appeared one day, with little explanation of why or what to do about it!
I’ve now changed the payment method to PayPal and put a reminder to check in my diary for next year.
Surely this experience can be improved with little effort.

What happens to TOTP codes, does Bitwarden still generate them when the subscription expires?

The generation key/seed is saved and will start working again once the subscription is renewed.

What happens to advanced 2FA such as Yubikey?

Here is the official answer:
https://bitwarden.com/help/article/premium-renewal/

Therefore: make sure to also have TOTP for your Bitwarden account via a program like Authy.

Just want to chime in. This has cost me weeks of confusion and frustration.

I’ve been trying to set up 2FA via Bitwarden, since that’s the manager my team uses. I’ve used it before, and never had an issue.

Nothing worked. No indication of any error. No indication that our payment method was out of date. It just didn’t work. No explanation, no steps to fix, nothing.

And now I’ve finally pieced together, only through reading these forums and other posts by confused users, that our card was expired. And now I’ve updated it, and am still waiting. Why not pay the overdue balance immediately? Am I just stuck here, waiting, for some unspecified amount of time, until you all try to bill me again?

As mentioned above:

The issue occurred again. But this time it was not due to an expired license, but to a bug in the Bitwarden server implementation.

Disabling access without any notice is unacceptable. We need a grace period.