Lost MFA device

I understand that if I lose my master password then I will never be able to access my vault again. This is because the Master Password is used to create a key to encrypt the vault.

But what if I still have my master password but I lose my MFA device? (e.g. Google Authenticator)
It seems to me that as the MFA is not used in the encryption then it should be possible to circumvent it.

Great question! Best practice is to store your recovery code safely as well as back up the codes in your authenticator. I personally use Raivo OTP, which allows for exporting a zip archive.

1 Like

Yes, but I am investigating whether it is possible to access a vault with MFA using only the username and password, given that we have the source code and can remove the MFA sections.

The MFA is used to authenticate logins, so unless you already had a local copy of the vault, you aren’t going to download anything from the Bitwarden servers without MFA.

I second Raivo OTP for Apple users. Great open source 2FA authenticator solution.

And, to the OP, if you have your master password but lack your 2FA, you will have to use your recovery code that was shown to you upon activating 2FA. This will enable you to bypass and deactivate 2FA and access your vault.

In summary:

  • no master password = no access
  • master password + no 2FA + 2FA recovery code = access
  • master password + no 2FA + no 2FA recovery code = no access

It is wise to back up your 2FA codes, either through manual export, cloud sync (encrypted of course), and/or by copying them to other devices you can access. It is also essential to save your BW 2FA recovery code somewhere very safe and accessible, so you can still gain access to your vault, should you ever lose the ability to authenticate with your 2FA.

As mentioned, Raivo OTP is probably the best open-source 2FA authenticator app for Apple users. Aegis authenticator (also open-source) is good for Android users.

1 Like
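The two points made in this thread (the vault key is derived from the master password alone, while 2FA only gates whether the server releases the encrypted vault, and a recovery code deactivates 2FA) can be shown in a small model. The code below is an added example, not Bitwarden's code; the key derivation, the toy HMAC-counter cipher, the `VaultServer` class, the email, password and recovery code are all constructed for illustration, and the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import secrets
import struct


# --- Vault encryption: the key comes from the master password alone (constructed scheme) ---
def derive_vault_key(master_password: str, email: str, iterations: int = 600_000) -> bytes:
    """PBKDF2 over the master password, salted with the email. No 2FA material is involved."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations, 32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """A separate value the server stores to check the password at login (constructed)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream so the example needs no third-party crypto library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag, keyed by the vault key
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password (or corrupted vault)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Login gate: 2FA decides whether the server hands over the ciphertext at all ---
def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class VaultServer:
    """Hypothetical server: knows the login hash, the ciphertext and the user's 2FA settings."""

    def __init__(self, login_hash, encrypted_vault, totp_secret, recovery_code):
        self.login_hash = login_hash
        self.encrypted_vault = encrypted_vault
        self.totp_secret = totp_secret  # None once 2FA has been deactivated
        self.recovery_code = recovery_code

    def fetch_vault(self, login_hash, now, totp_code=None, recovery_code=None) -> bytes:
        if not hmac.compare_digest(login_hash, self.login_hash):
            raise PermissionError("password check failed")
        if self.totp_secret is None:
            return self.encrypted_vault
        if totp_code is not None and hmac.compare_digest(totp_code, totp(self.totp_secret, now)):
            return self.encrypted_vault
        if recovery_code is not None and hmac.compare_digest(recovery_code, self.recovery_code):
            self.totp_secret = None  # the recovery code deactivates 2FA, as the thread describes
            return self.encrypted_vault
        raise PermissionError("2FA required")


def thread_summary() -> dict:
    """Runs the cases from the summary list above and reports the outcome of each."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    vault_key = derive_vault_key(password, email, iterations=10_000)  # low count for demo speed
    login_hash = derive_login_hash(vault_key, password)
    totp_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    recovery_code = "RECOVERY-CODE-PLACEHOLDER"
    plaintext = b'{"logins": [{"site": "example.com", "password": "hunter2"}]}'
    server = VaultServer(login_hash, encrypt_vault(vault_key, plaintext), totp_secret, recovery_code)
    now, out = 59.0, {}
    # master password + working authenticator: normal login, then local decryption
    blob = server.fetch_vault(login_hash, now, totp_code=totp(totp_secret, now))
    out["password+totp"] = decrypt_vault(vault_key, blob)
    # master password, authenticator lost, no recovery code: the server never releases the ciphertext
    try:
        server.fetch_vault(login_hash, now)
        out["password_only"] = "access"
    except PermissionError as e:
        out["password_only"] = f"denied: {e}"
    # master password + recovery code: 2FA is deactivated and the vault is released
    blob = server.fetch_vault(login_hash, now, recovery_code=recovery_code)
    out["password+recovery"] = decrypt_vault(vault_key, blob)
    out["2fa_still_enabled"] = server.totp_secret is not None
    # no master password: even a copy of the ciphertext is useless
    try:
        decrypt_vault(derive_vault_key("wrong password", email, iterations=10_000), blob)
        out["no_password"] = "access"
    except ValueError as e:
        out["no_password"] = f"denied: {e}"
    return out
```

Calling `thread_summary()` reproduces the summary list: the server refuses to hand over the ciphertext without a TOTP code or the recovery code, the recovery code both releases the vault and clears `totp_secret`, and a wrong master password fails the integrity check even when the ciphertext is already in hand. The point for the original question is that removing the 2FA check is a change to the server's login gate, not to the encryption, which is why a server you do not control still decides whether the ciphertext is ever downloaded.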

I don’t know the details, but I would think that possibly what OP wants to do could be done for a self-hosted instance, if one can get a copy of the encrypted vault by directly accessing the server.