New Device Login Protection is now live for enhanced security protection

No, it doesn’t allow changing the account email address or setting up 2FA. That’s only possible in the web vault.

If you mean, the Android app doesn’t allow screenshots, then go to Settings → Other → Allow screen capture.

Not sure what you mean by “looking” at the headers, and why your statement ends with a question mark, but you can use message header analyzers to get a clearer picture. I tested a Bitwarden verification email (for setting up email 2FA, not for new device verification) on the site appmaildev.com, and it indicated that SPF and DMARC passed, but that DKIM failed:

Expected-Body-Hash: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=

DKIM-Result: fail (wrong body hash: TqmCtL9+DWP3XDaq9idPATg5kSIxGbjhopZ5oSZGv/4=)

…I can get into the web vault in the Chrome Extension too… I will have a look.

…sadly you need to be logged in to the app to get there.

@grb Thanks - I’ll run the device verification email through the Appmaildev analyzer. (I just ‘looked’ at the message header source - a lot of it - and saw the error and some retries - but I am no expert = ?)

@Mutineer @Neuron5569 @grb As this whole discussion is about the “new device login protection”, I have now moved our posts into the corresponding (and current) thread on this topic.


@GRB @Nail1684 I confirm there are errors in the device authentication email that is sent to me:

  1. SPF ‘soft fail’
  2. PTR: No record (Result: Non-Existent Record)
  3. Blacklisted: bogons.cymru.com: LISTED

I’m really not sure now if my account is in the EU or US or if I have two, or if the verification service for the EU account is somehow in the US.

I want to be EU based, with as few US dependencies as possible.
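The header checks quoted in the two posts above (the SPF/DKIM/DMARC verdicts, the DKIM “wrong body hash” result, the PTR lookup and the blocklist listing) can be reproduced offline. The script below is an added example written for this page; it is not code from this thread or from Bitwarden. Everything in it is constructed: the hosts example.org and example.net, the selector sel2024, the Authentication-Results line (which mirrors the verdicts quoted above, SPF and DMARC pass and DKIM fail), the verification-mail body and the address 192.0.2.10. Only the DKIM body hash (bh=) is recomputed, with relaxed body canonicalization; the signature value (b=) is a placeholder, and the PTR and blocklist lookups are shown as the query names you would resolve, since no DNS is queried.

```python
"""Offline reproduction of the e-mail header checks discussed above.

Added example, not code from this thread or from Bitwarden. The message,
hosts, addresses and DKIM selector are constructed; the DKIM signature
value (b=) is a placeholder because only the body hash (bh=) is checked
here. Standard library only.
"""
import base64
import hashlib
import re
from email import message_from_string, policy


def parse_authentication_results(value):
    """Map method -> result from an Authentication-Results header (RFC 8601).
    The first ';'-separated element is the authserv-id (the verifying host)."""
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*([A-Za-z0-9-]+)=([A-Za-z]+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def reverse_lookup_name(ipv4, zone):
    """Reversed-octet query name used for PTR (zone 'in-addr.arpa') and for DNS
    blocklists such as a bogon list (RFC 5782): 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone


def relaxed_body_canonicalize(body):
    """RFC 6376 section 3.4.4: collapse runs of WSP to one space, strip trailing
    WSP, drop empty lines at the end of the body, end every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return b"" if not lines else ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """Base64 SHA-256 over the canonicalized body: the value a signer puts in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canonicalize(body)).digest()).decode()


def dkim_tags(value):
    """Split a DKIM-Signature value into tag -> value (folding whitespace removed)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_dkim_body_hash(raw_message):
    """Recompute bh= over the body as delivered and compare it with the signed value.
    Returns ('pass', bh) or ('fail', 'wrong body hash: <computed>'), mirroring what
    a header analyzer reports. Only relaxed body canonicalization is handled."""
    msg = message_from_string(raw_message, policy=policy.default)
    tags = dkim_tags(str(msg["DKIM-Signature"]))
    canon = tags.get("c", "simple/simple")
    if (canon.split("/")[1] if "/" in canon else "simple") != "relaxed":
        raise NotImplementedError("simple body canonicalization not implemented here")
    body = raw_message.partition("\n\n")[2]  # body as transmitted: after the first blank line
    computed = body_hash(body)
    return ("pass", computed) if computed == tags["bh"] else ("fail", "wrong body hash: " + computed)


# Constructed Authentication-Results value mirroring the verdicts quoted above
# (SPF and DMARC pass, DKIM fails on the body hash); hosts are fictitious.
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; spf=pass smtp.mailfrom=bounce.example.org; "
    "dkim=fail (body hash did not verify) header.d=example.org; "
    "dmarc=pass header.from=example.org"
)

# Constructed body of a verification mail as the signer sent it.
ORIGINAL_BODY = (
    "Your verification code is 000000.\n"
    "\n"
    "If you did not try to log in, you can ignore this message.\n"
)


def build_message(body):
    """Constructed message whose DKIM-Signature carries bh= for ORIGINAL_BODY, so a
    body that canonicalizes differently fails the body-hash check."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
        " s=sel2024; h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\n"
        " b=PLACEHOLDER\n"
        "From: no-reply@example.org\n"
        "To: user@example.net\n"
        "Subject: Verify your new device\n"
        "\n" + body
    )


if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE_AUTH_RESULTS))
    print(reverse_lookup_name("192.0.2.10", "in-addr.arpa"))       # PTR query name
    print(reverse_lookup_name("192.0.2.10", "bogons.cymru.com"))   # blocklist query name
    print(check_dkim_body_hash(build_message(ORIGINAL_BODY)))      # unmodified body: pass
    # Whitespace changes survive relaxed canonicalization; an appended footer does not.
    print(check_dkim_body_hash(build_message(ORIGINAL_BODY.replace("code is", "code  is") + "\n")))
    print(check_dkim_body_hash(build_message(ORIGINAL_BODY + "-- \nScanned by a mail gateway.\n")))
```

The last two calls show what a “wrong body hash” verdict does and does not mean: relaxed canonicalization tolerates whitespace and trailing-blank-line changes, so a mismatch indicates that the body text itself differs from what the signer hashed (for example a footer added by a relay or gateway, or a forwarded/re-encoded copy being fed to the analyzer). Whether a listed sending IP actually matters depends on the blocklist and on the receiving mail server’s policy; the query name above is only the lookup a DNSBL client would make.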

Earlier you wrote that you still have access via a Chrome browser extension…

… and if you open the extension window and click on your profile symbol in the top right corner, then you can see on which server region your current account is located:

If you have a second account - with the same email address on the other server region - you could probably only test by trying to login to the other region…

The account is in the EU region for the email address suffering the delivery issues.

I’ve had a long thread with support, trying to resolve this, without success. They simply tell me to keep trying. After 100+ attempts, with varying email delivery times, I have had enough. I did manage to regain access to the Android app, but the settings changes I need are only available in the web app, and the timeout for that is far too short for the email delay I experience. Something in the relay path to my ISP does not like the trust settings for bitwarden.com.

It’s unrecoverable.

By the way, I am surprised that bitwarden seem to be using a US-based device authentication service for an EU based account (as revealed in the email headers).

Looks as though the only option I have now is to set up a new bitwarden account, with a different ISP / email host and to recover my vault into it. If that works, I’ll try to delete the old account. It does seem strange (but fortunate in this case) that the delete account option in the app is capable of deleting a web account that the user is unable to access.

@Mutineer Did you try to ask customer support to disable the “new device login protection” temporarily for you?

(from: New Device Login Protection | Bitwarden)

There’s now at least one account of someone being successful with that.

And I would at least try that, before setting up a new account.


It is designed precisely for this purpose — users who have lost access to their Bitwarden account for any reason (e.g., lost master password, or account take-over by an attacker) should be able to delete their original account and start over with a new account.


The offer was made as a fallback by someone in support who subsequently left the thread. The others continued to ask me to try again as some email changes had been made on their side, without success, apparently. I have reminded them about the 24 hour verification suspension offer.

When reminded, the support team did respond and say they had applied the device auth suspension. However, strangely the device auth dialog came up anyway. Fortunately this time a code came through almost immediately and I got in to apply 2FA and change the account to a gmail.com address. All fixed, perhaps? Even the trust issues on that bitwarden.com domain? But I’m not about to try to re-test with that original email address!

Thanks for your help.

Other comments here and on reddit make me believe that support’s suspension is only for 24 hours.

A few takeaways:

  1. Create/Maintain an occasional export to improve your worst-case-scenario when (not if) this failure mode recurs.
  2. Enable at least one form of MFA (e.g. TOTP or Yubikey) so that new device protection does not kick in.
  3. Add your Recovery Code to your emergency sheet so you can repair a broken MFA.
  4. Permanently turn OFF new device login protection so that when/if you use your recovery code, NDLP does not get in the way.
  5. Keep your vault locked (as opposed to logged out) so that you rarely need to deal with MFA/NDLP. If possible, unlock with biometrics so that you don’t mind having a short lock-interval.

@bw-admin, allowing one to provide a comma-separated list of notification email addresses would go a long way towards minimizing this failure mode.


Did you check the email headers on the most recent verification code email? Are the results different from before?