[GH-ISSUE #6203] 2FA Recovery Code no longer working #2370

New issue

Closed

opened 2026-03-03 02:17:41 +03:00 by kerem · 4 comments

kerem commented 2026-03-03 02:17:41 +03:00

Owner

Copy link

Originally created by @shadow1runner on GitHub (Aug 20, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6203

Originally assigned to: @BlackDex on GitHub.

I've enabled two 2FA mechanisms: mail and authenticator app.
Following the upstream docs, I'm trying to recover using the recovery code which I've just copied from https://mydomain.example.localhost/#/settings/security/two-factor (alongside the user name and master password, of course).

I do not get an error in the web UI, but I'm just redirected to the main login view; the network pane reads as follows:

The log shows a single line:

vaultwarden-5d964b5d76-zqmsr [2025-08-19 22:49:21.283][vaultwarden::api::identity][ERROR] Invalid two factor provider

As per the discussion here, we could identify that upstream has refactored their recovery code handling and added a new type.

Originally posted by @shadow1runner in https://github.com/dani-garcia/vaultwarden/discussions/6200

Originally created by @shadow1runner on GitHub (Aug 20, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6203 Originally assigned to: @BlackDex on GitHub. I've enabled two 2FA mechanisms: mail and authenticator app. Following the [upstream docs](https://bitwarden.com/help/two-step-recovery-code/#use-your-recovery-code), I'm trying to recover using the recovery code which I've just copied from <https://mydomain.example.localhost/#/settings/security/two-factor> (alongside the user name and master password, of course). I do not get an error in the web UI, but I'm just redirected to the main login view; the network pane reads as follows: <img width="631" height="126" alt="image" src="https://github.com/user-attachments/assets/d27383f4-5bff-4659-a203-f449990f4333" /> The log shows a single line: > vaultwarden-5d964b5d76-zqmsr [2025-08-19 22:49:21.283][vaultwarden::api::identity][ERROR] Invalid two factor provider As per the discussion [here](https://github.com/dani-garcia/vaultwarden/discussions/6200#discussioncomment-14161185), we could identify that upstream has refactored their recovery code handling and added a new type. _Originally posted by @shadow1runner in https://github.com/dani-garcia/vaultwarden/discussions/6200_

kerem 2026-03-03 02:17:41 +03:00

• closed this issue
• added the
  good first issue
  bug
  labels

kerem commented 2026-03-03 02:17:42 +03:00

Author

Owner

Copy link

@AdityAV42 commented on GitHub (Aug 30, 2025):

Hey I am also facing the same issue. THe Recovery Code is not working. It fails to reset Two-Step Login (MFA). The provided recovery code from the Web Vault does not allow me to bypass Two-Step Login (MFA). When I enter the code, the app still prompts me for my master password.

Steps to Reproduce:

1. Log out of the mobile app/ website completely.
2. Attempt to log in with my master password.
3. When prompted for the Two-Step Login code, select the option to use the recovery code.
4. Paste the recovery code into the provided field.

• Expected Behavior
  The recovery code should reset or disable my MFA, and allow me to log in without needing a Two-Step Login code.

• Actual Behavior:
  After entering the recovery code, I am still prompted to enter my master password. Then again the MFA is asked.

Also how to change your recovery code manually?

<!-- gh-comment-id:3238940910 --> @AdityAV42 commented on GitHub (Aug 30, 2025): _Hey I am also facing the same issue. THe Recovery Code is not working. It fails to reset Two-Step Login (MFA). The provided recovery code from the Web Vault does not allow me to bypass Two-Step Login (MFA). When I enter the code, the app still prompts me for my master password._ Steps to Reproduce: 1. Log out of the mobile app/ website completely. 2. Attempt to log in with my master password. 3. When prompted for the Two-Step Login code, select the option to use the recovery code. 4. Paste the recovery code into the provided field. - Expected Behavior The recovery code should reset or disable my MFA, and allow me to log in without needing a Two-Step Login code. - Actual Behavior: After entering the recovery code, I am still prompted to enter my master password. Then again the MFA is asked. _Also how to change your recovery code manually?_

kerem commented 2026-03-03 02:17:42 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Aug 30, 2025):

This issue is already resolved in the current testing tagged image.
Only way to disable/remove mfa is via the admin backend /admin.
There you can remove all mfa items per user.

<!-- gh-comment-id:3238975928 --> @BlackDex commented on GitHub (Aug 30, 2025): This issue is already resolved in the current `testing` tagged image. Only way to disable/remove mfa is via the admin backend `/admin`. There you can remove all mfa items per user.

kerem commented 2026-03-03 02:17:42 +03:00

Author

Owner

Copy link

@AlexKalopsia commented on GitHub (Oct 7, 2025):

Also facing this issue, with the difference that this is happening to my admin account, which makes things quite a bit worse. Luckily I do have an open session and I managed to export everything, but yeah not great. Has the fix been merged in the latest image, or is it still in testing ?

<!-- gh-comment-id:3378639894 --> @AlexKalopsia commented on GitHub (Oct 7, 2025): Also facing this issue, with the difference that this is happening to my admin account, which makes things quite a bit worse. Luckily I do have an open session and I managed to export everything, but yeah not great. Has the fix been merged in the latest image, or is it still in `testing` ?

kerem commented 2026-03-03 02:17:42 +03:00

Author

Owner

Copy link

@codedge commented on GitHub (Oct 19, 2025):

I used the testing image and can confirm the recovery code works now. In the latest image it still is broken (redirect to login page).

<!-- gh-comment-id:3419572912 --> @codedge commented on GitHub (Oct 19, 2025): I used the `testing` image and can confirm the recovery code works now. In the `latest` image it still is broken (redirect to login page).

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2370

No description provided.