No, it doesn’t allow changing the account email address or setting up 2FA. That’s only possible in the web vault.
If you mean, the Android app doesn’t allow screenshots, then go to Settings → Other → Allow screen capture.
Not sure what you mean by “looking” at the headers, and why your statement ends with a question mark, but you can use message header analyzers to get a clearer picture. I tested a Bitwarden verification email (for setting up email 2FA, not for new device verification) on the site appmaildev.com, and it indicated that SPF and DMARC passed, but that DKIM failed:
Expected-Body-Hash: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
DKIM-Result: fail (wrong body hash: TqmCtL9+DWP3XDaq9idPATg5kSIxGbjhopZ5oSZGv/4=)
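To make the analyzer's “wrong body hash” line concrete, here is an added example (not from this thread or from Bitwarden) that recomputes a DKIM `bh=` value under relaxed body canonicalization and compares it with the value carried in the signature, which is exactly the check a verifier fails when something on the relay path rewrites the message body. The two message bodies and the DKIM-Signature header are constructed for the demo, and `c=relaxed/relaxed` canonicalization is assumed (the thread does not say which mode the real message used).

```python
import base64
import hashlib
import re

# Constructed sample bodies for the demo, not the real Bitwarden message.
ORIGINAL_BODY = "Your verification code is 000000.\r\n\r\nThis code expires in 15 minutes.\r\n"
# Same body after a relay appended a footer: a classic cause of "wrong body hash".
MODIFIED_BODY = ORIGINAL_BODY + "\r\n-- \r\nScanned by example-relay gateway\r\n"

def relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split("\r\n")
    # Strip trailing WSP from each line and collapse WSP runs to one space.
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # keeps base64 '=' padding in the value
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_body_hash(dkim_signature: str, body: str) -> tuple:
    """Return (matches, expected_bh, computed_bh), like an analyzer's DKIM-Result line."""
    expected = dkim_tags(dkim_signature).get("bh", "")
    computed = body_hash(body)
    return computed == expected, expected, computed

def constructed_dkim_signature(body: str) -> str:
    """Minimal DKIM-Signature value with bh= for `body` (constructed: a real signer
    also fills b= with the signature over the selected headers)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
            " h=from:to:subject:date; bh=" + body_hash(body) + ";\r\n b=")

if __name__ == "__main__":
    sig = constructed_dkim_signature(ORIGINAL_BODY)
    for label, body in (("intact", ORIGINAL_BODY), ("footer added", MODIFIED_BODY)):
        ok, _, computed = check_body_hash(sig, body)
        print(label, "pass" if ok else f"fail (wrong body hash: {computed})")
```

Trailing blank lines added in transit do not break the hash under relaxed canonicalization, but an appended footer or disclaimer does, which is why a header analyzer can report SPF and DMARC passing while the DKIM body hash fails.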
…I can get into the web vault in the Chrome Extension too… I will have a look.
…sadly you need to be logged in to the app to get there.
@grb Thanks - I’ll run the device verification email through the Appmaildev analyzer. (I just ‘looked’ at the message header source - a lot of it - and saw the error and some retries - but I am no expert = ?)
@Mutineer @Neuron5569 @grb As this whole discussion is about the “new device login protection”, I now moved our posts into the corresponding (and current) thread to this topic.
@GRB @Nail1684 I confirm there are errors in the device authentication email that is sent to me:
SPF ‘soft fail’
PTR No record
Result: Non-Existent Record3.
Blacklisted:
bogons.cymru.com:LISTED
I’m really not sure now if my account is in the EU or US or if I have two, or if the verification service for the EU account is somehow in the US.
I want to be EU based, with as few US dependencies as possible.
Earlier, you wrote, you have still access on a Chrome browser extension…
… and if you open the extension window and click on your profile symbol in the top right corner, then you can see on which server region your current account is located:
If you have a second account - with the same email address on the other server region - you could probably only test by trying to login to the other region…
The account is in the EU region for the email address suffering the delivery issues.
I’ve had a long thread with support, trying to resolve this, without success. They simply tell me to keep trying. After 100+ attempts, with varying email delivery times, I have had enough. I did manage to regain access to the Android app, but the settings changes I need are only available in the web app, and the timeout for that is far too short for the email delay I experience. Something in the relay path to my ISP does not like the trust settings for bitwarden.com.
It’s unrecoverable.
By the way, I am surprised that bitwarden seem to be using a US-based device authentication service for an EU based account (as revealed in the email headers).
Looks as though the only option I have now is to set up a new bitwarden account, with a different ISP / email host and to recover my vault into it. If that works, I’ll try to delete the old account. It does seem strange (but fortunate in this case) that the delete account option in the app is capable of deleting a web account that the user is unable to access.
@Mutineer Did you try to ask customer support to disable the “new device login protection” temporarily for you?
(from: New Device Login Protection | Bitwarden)
There’s now at least one account for being successful with that.
And I would at least try that, before setting up a new account.
It is designed precisely for this purpose — users who have lost access to their Bitwarden account for any reason (e.g., lost master password, or account take-over by an attacker) should be able to delete their original account and start over with a new account.
The offer was made as a fallback by someone in support who subsequently left the thread. The others continued to ask me to try again as some email changes had been made on their side, without success, apparently. I have reminded them about the 24 hour verification suspension offer.
When reminded, the support team did respond and say they had applied the device auth suspension. However, strangely the device auth dialog came up anyway. Fortunately this time a code came through almost immediately and I got in to apply 2FA and change the account to a gmail.com address. All fixed, perhaps? Even the trust issues on that bitwarden.com domain? But I’m not about to try to re-test with that original email address!
Thanks for your help.
Other comments here and on reddit make me believe that support’s suspension is only for 24 hours.
A few takeaways:
@bw-admin, allowing one to provide a comma-separated list of notification email addresses would go a long way towards minimizing this failure mode.
Did you check the email headers on the most recent verification code email? Are the results different from before?
17 posts were split to a new topic: 2FA for Bitwarden and traveling etc
Okay, I have since invested in some hardware. For context, where I work we are allowed to log into personal email etc., but we are not allowed to bring cellphones into the building and all the USB ports on the computers are locked down, so a hardware key or a TOTP mobile app is out of the question. The problem is that I am not always working on the same computer or device throughout the build, and so I would trigger the “New Device” check all the time, which would send an email to my personal email address… which I am using BitWarden to log into; you can see the issue.
Anyways, I bought a Token2 OTP Card and set it up for MFA access to my BitWarden account when I am at work; I slipped it behind the badge ID I already use to get into and out of the building. I also bought a Token2 Pin+ Bio3 to use as a daily driver that I set up for passkey login to BitWarden AND MFA. Now that I have multiple methods of MFA set up, if I turn New Device Verification on, it will only send an email if I don’t have access to either of those two options, right?
For example, if I try to log in at work, I will have the option of logging in with either the passkey (which I can’t use because of the USB lockout, but that’s fine), the TOTP code on the card, or email verification, right? It won’t just default to sending an email, will it?
Hello,
When you have 2FA enabled, you are excluded from new device login emails. You will need to use one of the 2FA methods or a recovery code to log in until you turn off 2FA. So, if you need your email to be a 2FA method as well, you have to configure that explicitly.
You can try this by logging into your web vault in incognito mode.
Thanks for the quick reply, I have enough MFA methods I don’t think I will need email, I appreciate the clarification.