How to remove trusted iOS device from 2fa auto login?

Hi Bitwarden Community,

I have enabled 2fa and after login on iOS with 2fa said “auto login” so it is not asking for 2fa again.
Now i got some YubiKeys and I want Bitwarden ask for 2fa every login, again.

How can I delete the current trusted device from a list, so it is asking for 2fa again?

What i tried, but still no 2fa request at login:

  • Touch logout, login again. On Windows/Android its asking me again for 2fa, but not on iOS
  • Reinstalled app - still no question for 2fa after login with password.

Is there somehwere a list do delete trusted devices?

I ran into this recently. I believe you will need to log into the web vault, whether cloud or self hosted, and ‘deauthorize all sessions’.

Cool! That worked. Such a button I was searching for, now it is asking again for my YubiKey OTP.
Then it seems to be a minor bug, but ok for the moment.

2FA is only used when logging in, not when the vault is locked.
The first time you open the iOS app or the extension, you’re prompted to log in.

The following times, you don’t have to log in, you only have to unlock your vault.

I notice that the last post here is over two years old, but the problem it describes apparently remains. Replying to it since it seems to be an old bug that I believe I’m running across.

I’m new to Bitwarden and ran into this behavior. I disabled 2FA for the account from the web Bitwarden site, and then re-enabled it creating a new TOTP account. On my laptop, desktop, and iPhone I was required to login and verify with the new TOTP code. On my iPad, however, I was not. It continues to log-in without requiring 2FA. I logged out of the app, killed it, and then relaunched but the behavior remains.

While the suggestion in this thread of deauthorizing all sessions may be a solution, I’m concerned that this issue exists at all, especially since it was highlighted several years ago. I would hope that all app instances and browser extensions would check the server for new auth rules and credentials every time a login is made. Since these can be changed at any time (as would be the case if there was a security breach of some type) I would expect that the updated info would propagate reliably to every device. Otherwise, an errant device that doesn’t see the changes becomes a big security hole.

Anyway, I’m happy to provide more info to help resolve this, but I remain a tad concerned about security because of this behavior.