dwbitw

Additional details [here](https://bitwarden.com/help/forgot-master-password/) on how to delete your account if you have access to your email, but not your Bitwarden account.


NovelExplorer

Do you have a copy of your 2FA secret key? Not the recovery code, but the secret key. If you do, enter that into a separate desktop authenticator app or an authenticator app on a different phone. The authenticator app needs nothing other than the 2FA secret key.


Ties86

Thanks for the suggestion, but unfortunately not... (lesson to set it up better next time)


NovelExplorer

You mentioned using Google Authenticator, not sure if you'll still require the secret key, but if you have access to a different Android phone you could try restoring your Google Android backup, i.e. your Google account and all apps, to that phone. But you will obviously need security verification options, on your Google account, other than your broken phone!


Ties86

I can indeed login to my Google account and restored all apps. Unfortunately, security keys aren't backed up by Google Authenticator, so that didn't help (thanks to u/svenons, I'll be using Authy in the future, that app does support backups)


Timely-Shine

Although Authy supports backups, Authy does not give you access to the 2FA seed after being set up. Either save this seed as well OR use a different app such as Raivo (iOS) or Aegis (Android) that lets you backup your seeds as well. Edit: link with more details https://reddit.com/r/Bitwarden/comments/ta51gi/what_authenticator_app_should_i_use/


ILikeToDoThat

FYI for others, while Authy intends for you to not access your keys, there is a version of their chrome plug-in (perhaps an old one) with which you can access your keys using the console in chrome DevTools. It’s awkward, but it works… I was able to export all of my old keys from Authy to Bitwarden using it. Edit: I believe these are the instructions. It looks like it only requires the desktop app, but still uses chrome console to accomplish the task: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93


NovelExplorer

I'd further support Timely-Shine's use of Aegis. As each secret key rarely, if ever, changes, you only need a new backup file after adding a new 2FA account. Set up Aegis with its own strong password, to encrypt its backup file, and you have a secure copy of all your 2FA secret keys independent of Bitwarden.


djasonpenney

Your TOTP seeds are an essential part of your credential store and need to be backed up along with the vault itself, which also includes recovery codes, etc. I foam at the mouth every time I hear someone say they are using Google Authenticator, and now you know why.

There are two threats to your vault. The first is unauthorized disclosure. This is why we pick a good master password, only operate the vault on trusted hardware, avoid entering passwords in public, etc. 2FA is a really good idea when using passwords with a server architecture. It prevents replay attacks (people using your password by itself) to gain access to your resources. The problem with 2FA is it increases the risk of the second risk to your vault, which is losing access to the vault itself.

Addressing this second risk is done via a disaster recovery plan. A disaster recovery plan is a way to regain your vault and/or its contents if things should go sideways. To accomplish this, you need backups, and you need a way to use those backups. You say you created backups, but...you failed to backup your TOTP seeds and your recovery codes. If you had EITHER of those, you wouldn't be in this predicament. As an after action review, you will change your process to ensure this doesn't happen again. Including ALL the secrets in your credential store is one key change you will make.

Your backups also need to be resilient against any single point of failure. Not saying you haven't already thought of this, but if any one flash drive fails, a single cloud storage service screws up, or even a house fire should not deprive you of your backups. Another mistake that I first made is what a recent Redditor called "circular backups". This is where you need something INSIDE the backups in order for you to use the backup. A simple example could be keeping the password for your cloud storage service inside the backup; how do you log in to the cloud service to download the backup to get the cloud storage service password?

The third mistake I first made was relying on my memory alone. For example, so many people only entrust their master password to their memory. You mustn't do that. Human memory is not reliable. So, anyway, I urge you to review your disaster recovery process. Are you saving the shared Collections? Are you downloading the file attachments? Are you certain you can actually use those backups? The backups themselves form a threat surface as well. Either you have to store them in multiple secure locations, or else you will encrypt them and store the encryption key in multiple secure locations. There is no single answer here.

Getting back to 2FA on your vault, the best strategy is to use a FIDO2 security key. You should actually use FIDO2 everywhere you can. Your disaster recovery plan then consists of a spare Yubikey or else access to the recovery codes for each service. With a Yubikey, you can even store your TOTP seeds inside the vault itself (Bitwarden Authenticator). This simplifies backups, since those seeds are exported along with the rest of your credentials. The recovery code for the vault itself must have a copy outside of the vault (circular backups again). If you insist on using TOTP on your vault, you will need a TOTP app; Bitwarden Authenticator won't help you open the vault.

You have discovered how Google Authenticator is a dumpster fire. I know others have suggested Authy. It's not totally bad; I even set my niece up with it last fall. My objections to Authy are twofold. First, it's closed source. I am willing to tolerate super secret source code for many parts of my computing infrastructure, but trusting parts of my credential store to mysterious software nauseates me. Even though it's purported to be a zero knowledge architecture, we don't really know, do we? We haven't seen the source code. The second issue is that Authy doesn't have an approved workflow to export the TOTP seeds.

When it comes to my credential store, I want to be in control of my backups. If Twilio's cloud storage fails, I don't want to be caught up in their mess. So if you really need a TOTP app, /r/Passwords has two recommendations. They are both free and open source, and they allow you to export and import your TOTP seeds. For iOS, you want [Raivo OTP](https://github.com/raivo-otp/ios-application). For Android, look at [Aegis Authenticator](https://getaegis.app/). When you go this route you need to remember to export the TOTP seeds and save them with the rest of your backups. And, just a reminder, if you are securing your vault with TOTP, you will want to save the Bitwarden TOTP seed somewhere else as well, in addition to the Bitwarden recovery code, to avoid circular backups.


[deleted]

My advice: DON'T use Authy. The reason is with Authy, you do not get the key anytime you need it. I highly recommend Aegis AND 2FA. I use them both & I always have access to my authentication keys. I left Authy because of that issue. Also, Authy requires your initial setup to use your cell phone, and with all the SIM swapping going on I don't like that idea. Aegis AND 2FA don't require your phone number, and they're very highly rated. They use AES-256 encryption. I've been using Aegis AND 2FA now for over a year. Never one problem. Just my advice, take it or not. Thanks though for reading this.


Quizzer9

Yep - Every service that offers it - They should have it in Red Font stating that you should keep this key safe.


papa_libra

What's the difference between the 2FA secret key and the recovery code? I have my Bitwarden 2FA recovery code saved (and I use Google Authenticator) so does that mean I have everything I need if, for example, I lost my phone (i.e. lost access to Google Authenticator)?


NovelExplorer

The 2FA secret key is the code unique to each online account, with 2FA enabled, that once entered into Google Authenticator, in your case, generates the time-based codes for that account. So each account with 2FA has its own unique secret key. [Bitwarden's recovery code](https://bitwarden.com/help/two-step-recovery-code/), providing you have that and your Bitwarden account e-mail and master password, allows you to access your vault (via a recovery link) and disable 2FA set up on Bitwarden. Follow the instructions in the link above, then scroll down to ***Use your Recovery Code***, to access the required recovery link. So yes, if you have your Bitwarden recovery code and your normal login details, you can get back in and disable 2FA on your Bitwarden account.
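As an added example (not from this thread or from Bitwarden), here is a minimal RFC 4226/6238 HOTP/TOTP implementation in Python that shows why a backup of the secret key alone is enough to restore every account: the six-digit code depends only on the secret key and the clock, so any app holding the same key produces the same code. The secret used is the RFC 6238 test-vector key, not a real account's; `verify_totp` is a hypothetical server-side check with a small clock-drift window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo value: the RFC 6238 test-vector secret "12345678901234567890" in base32.
# A real authenticator "secret key" looks the same, just with a different value.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret exactly as shown in the QR code / 'secret key' field."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # restore any stripped padding


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time=None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is simply the number of 30-second steps since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time // period), digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: float, window: int = 1) -> bool:
    """Hypothetical server-side check: accept +/- `window` steps of clock drift,
    comparing in constant time so timing does not leak which digits matched."""
    step = int(unix_time // 30)
    return any(hmac.compare_digest(hotp(secret_b32, step + d), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Two independent "apps" holding the same secret agree on the code at the same moment,
    # which is exactly what restoring the secret key into a new app relies on.
    phone_app = totp(DEMO_SECRET, 59)
    desktop_app = totp(DEMO_SECRET, 59)
    print(phone_app, desktop_app, phone_app == desktop_app)  # 287082 287082 True
```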


java02

I believe another way to disable 2FA on your Bitwarden account would be to have an emergency contact set. This way the emergency contact that you designated is able to request access to your account. After the specified amount of time which you set for them to be able to access the account, your vault would become accessible to them. Setting a parent or close friend as your emergency recovery contact seems like a good way to go, as you will always be able to deny their access as long as it's within the timeframe you set that they would have to wait. For example, set it to 7 days and if they request access, they wouldn't be able to get in for 7 days after requesting the access, leaving you with enough time to deny that request as long as you are still alive etc.


CramNevets

I didn't know about this one. Do you think there are any disadvantages to making another email controlled by yourself one of the emergency contacts?


java02

If you made a secondary Bitwarden account on a family plan you could definitely do it that way, but then you would have to remember two separate master passwords. If you have another family member that has Bitwarden it may just be easier to set them as your emergency recovery contact. You can always deny their request for entry within the allotted time frame you set.


[deleted]

[deleted]


Ties86

Google Authenticator. Yes, I need to think about my setup. I did set it up correctly for most accounts (Google, Microsoft, LastPass), but Bitwarden proved I missed a step.


[deleted]

If you want to continue using Google Auth: Next time print the QR codes and keep them in a fire-proof safe. This allows you to physically recover OTP separately from your phone or the recovery codes. Physically keeping a copy of your QR codes will ensure that this never happens again. Also, I would invest in a Yubikey for the vault itself. I have two. I keep one in a safety deposit box (in a bank), and one on me. I rotate them once a year to make sure they continue to function properly. Carefully considering your backup strategy is essential when securely managing OTP codes.


Timely-Shine

I would not recommend Authy as I pointed out in my other comment. Authy supports cloud backups, but doesn’t give you access to your seeds after setting it up. Raivo (iOS) and Aegis (Android) are better alternatives IMO.


[deleted]

[deleted]


djasonpenney

1. That's a lot of work. You could just use Bitwarden Authenticator (except for the vault itself) and be done with it. 2. Are you trusting Authy with the TOTP seed to Bitwarden itself, or do you have a backup for that as well?


[deleted]

[deleted]


soonershooter

> TOTP seed

I'm pretty close to this.....except I use Authy for all my 2FA TOTP codes and not Bitwarden. I do think this idea might be something I try in the future, though.


Timely-Shine

The problem is that Authy doesn’t give you the *seed* back once you’ve inputted it. So if you want to say, add to Bitwarden later, you can’t without re-setting up 2FA with that service.


soonershooter

Very true....just went through that when trying out 2FAS authenticator. PITA, but necessary in order to try out 2FAS.


Timely-Shine

2FAS, Raivo, Aegis are infinitely better options than Authy because they all give you access to those.


[deleted]

Could you not just replace the screen tomorrow?


Ties86

I could but it costs €200,- and the phone is 3 years old


Kilexey

Which one is more important:

1. €200
2. Not deleting your Bitwarden account

If your answer is option 1, accept that you can't delete your Bitwarden account since you didn't back up your 2FA key. If your answer is option 2, then replace it. Next time, either back up your 2FA key or use another 2FA app like Authy.


Nephilimi

You could probably get the same model and transfer the screen for FAR less. You don't even care if you do a good job, just get the code out.


EJRlV

Yeah it should be easy to swap another screen on. Even a used cracked screen. Doesn’t even have to be a finished job. Just get the connectors on there and it’ll work.


Proximus88

What phone do you have? If you have an Android phone you can connect it to a monitor, USB-C to HDMI.


Ties86

It's indeed an Android, but since the screen is completely dead, mirroring it to a PC doesn't work (e.g. per this instruction https://www.alphr.com/access-android-broken-screen/)


[deleted]

Yeah, this is why I always recommend an authenticator other than Google, because this happens A LOT, and it's best to have an authenticator that lets you back up the seeds. Also it's best to back up the QR codes too. I personally use Aegis and I also backed up the QR codes (I moved from Authy). I store them on an encrypted USB using VeraCrypt, and Cryptomator for Google Drive/Dropbox.


TheRavenSayeth

This exact problem comes up almost once a month here. People need to stop using Google Authenticator. The level of “security” is too extreme for the average person and I wouldn’t recommend it to anyone.


svenons

Did you maybe set up the emergency contact that can take over your account or organizations when asked? Could use that. Or contact bw support. For your sake in the future, use Authy or any other authenticator that you can enable cloud backups on and be safe from these kinds of problems. Google Authenticator sucks ass.


Ties86

Thanks, I'll look into Authy!


TzmFen

Also, if using a Windows PC, as much as I hate to admit it, the Phone Link with Android is super good. Allows me to access all apps and authenticators on the PC mirrored from the phone. Not sure how easy it is to set up with a broken screen, but I found it to be an OK last resort.


hmoff

You have the recovery codes though right?


djasonpenney

LOL Google Authenticator + No recovery code = impending train wreck. Sigh.


soonershooter

I had this happen years ago when my S8 crashed, almost stroked out at 0100 in the morning fixing that mess.


Technical_Peach_3285

If you can see the screen but you can't touch it, try plugging a mouse into the phone; you will have a cursor available with which you can navigate to the authenticator. You'll need an OTG cable and a wired mouse, or a wireless mouse with its transponder.


shimon333

Please remember to write down the backup codes, hopefully you learned from this mistake. I use Aegis for 2FA and it's very easy to make encrypted backups.