Prevent Account Lockouts from invalid Duo Key


#1

I’m locked out of my account because the DUO secret_key was invalid and when I logged out to test DUO, I couldn’t log back in because Bitwarden couldn’t authenticate against DUO!

This is a major security issue as anyone could update their DUO secret key and become permanently locked out of their account. BitWarden should first validate against DUO to ensure the credentials are correct before allowing them to be used.

In addition, there is no way to delete the account and start over with a new account because it is the sole owner of an enterprise organization. “You must leave or delete any organizations that you are the only owner of first.”

Without being able to log into the account, there is no way to delete the organization, and without being able to delete the organization, there is no way to delete the account and start over.

:frowning:


#2

Contact support and we can help you delete the organization or fix the invalid key.


#3

Also, we added the missing validation check to Duo config for organizations for next version. It was only on the personal 2FA setup.