Two factor reset code security

If an account is compromised, right now it isn't possible to secure it properly because the attacker now has the recovery code. There are two things you could do to improve the situation:

  1. Show the recovery code only once to prevent future attackers from seeing it.
  2. If I can prove I have access to my 2FA device, give me an option to change the code. Every other service that offers backup codes for 2FA allows this. A password manager definitely should.

I tried contacting support about changing my code and they didn’t even understand my request. They gave me instructions to change my 2FA device instead.
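The two proposals above, as an added example that is not Bitwarden's code and not from the poster: a recovery-code store that keeps only a salted hash, hands out the plaintext exactly once at generation time, and replaces the code only after a valid TOTP proves possession of the 2FA device. The TOTP secret, the class and all values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


class RecoveryCodeStore:
    """Constructed model of a recovery code that is shown once and rotatable.
    Only a salted PBKDF2 hash is retained, so a later intruder cannot read it."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def issue(self) -> str:
        """Proposal 1: the plaintext is returned here and never stored."""
        code = secrets.token_hex(16)
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(code)
        return code

    def check(self, code: str) -> bool:
        if self._digest is None:
            return False
        return hmac.compare_digest(self._hash(code), self._digest)

    def rotate(self, totp_code: str, now: Optional[float] = None) -> Optional[str]:
        """Proposal 2: a new code is issued only after a valid TOTP, i.e. proof
        that the caller holds the 2FA device; the old code is invalidated."""
        if not hmac.compare_digest(totp_code, totp(self.totp_secret, now)):
            return None
        return self.issue()
```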

And what about deactivating and reactivating 2FA? It will reset the recovery code, no? Not the easiest way, but at least a temporary solution.

Yes. Why would you try to 'secure' your account and thus your vault after it has been compromised? All your credentials in the vault must be assumed to be in the open. What is the use of continuing to use your vault? Delete it and recreate it, I would assume.

According to this, using the account recovery code will disable your 2FA and reset the code. If you want to keep your current info and not reset the account, change your password and use the current recovery code to disable 2FA, which will change the recovery code.

At this point you could add 2FA and could assume your entries are not tampered with and go through and change them all.

An alternative approach is to nuke the account and import from backup. The main takeaway is that once the account is compromised, even if you regain control, you must assume the attacker now has all of your current information and has possibly maliciously adjusted your entries (e.g. they now point to a phishing site), and you need to go through every site as quickly as possible, create new passwords, and make sure they haven't been tampered with. Also generate new recovery codes for those sites where applicable. Don't forget to contact the issuer of any credit cards you have stored and have new ones sent.

The good news is, assuming the attacker doesn't have access to any of your 2FA info/devices, they shouldn't be able to log into any of your other services. The bad news is, since the only way to compromise your Bitwarden account is to have access to a logged-in device, there's a good chance that device is already logged into your other services. Most services do not require 2FA to adjust settings.

If you have 2FA, the only practical way someone could compromise your account is if they have gained local access to a device that you're already logged in with, and that device hasn't locked itself yet, assuming you didn't set the lock to "never".

But really, this whole use case assumes the attacker knows your password and has access to a device that is already logged in, or has one of your 2FAs.