[GH-ISSUE #431] What happens if I lose my Yubikey? #254

New issue

Closed

opened 2026-03-03 01:27:16 +03:00 by kerem · 2 comments

kerem commented

2026-03-03 01:27:16 +03:00

Owner

Originally created by @vitobotta on GitHub (Mar 12, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/431

Hi. I just purchased a Yubikey which I am going to use for BW kinda exclusively (I'm using BW itself for 2FA codes for other apps/sites). Once I set it up and get it working what happens if I ever lose it or it gets stolen or something? I have seen that in the admin panel there is an "Enabled" flag for Yubikey which seems to suggest I can turn it off whenever I need. Is this correct? If something like that happens would it be enough to disable Yubikey in the admin panel in order to be able to log in with just my password?

Thanks!

Originally created by @vitobotta on GitHub (Mar 12, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/431 Hi. I just purchased a Yubikey which I am going to use for BW kinda exclusively (I'm using BW itself for 2FA codes for other apps/sites). Once I set it up and get it working what happens if I ever lose it or it gets stolen or something? I have seen that in the admin panel there is an "Enabled" flag for Yubikey which seems to suggest I can turn it off whenever I need. Is this correct? If something like that happens would it be enough to disable Yubikey in the admin panel in order to be able to log in with just my password? Thanks!

kerem

2026-03-03 01:27:16 +03:00

closed this issue
added the
question
label

kerem commented

2026-03-03 01:27:17 +03:00

Author

Owner

@dani-garcia commented on GitHub (Mar 12, 2019):

At the moment there is no option to turn two factor authentication off from the admin panel, so you have a couple of alternatives as a user:

If you are logged in, you can go to the two factor settings page, open the yubikey menu and disable from there.
If you aren't logged in, you have two options:
- You can use another two factor method, like TOTP or another registered yubikey to login and then continue with the first step.
- If the only two factor method is the yubikey, you'll need the recovery code, that you should have stored in a safe place when setting up the second factor auth. This code is used in the login screen, when asked to use two factor, there is a link at the bottom for other two factor types that has a recovery option. Using this should delete all second factors from the account.

If neither of those options work, you could edit the database manually. A query like this should do the trick and should be safe:

REMOVE FROM twofactor
WHERE user_uuid = <the user uuid>;

Edit: But adding an option to the admin panel is probably a good idea anyway, I'll have to think of a safe way to do it without cluttering the interface too much.

@dani-garcia commented on GitHub (Mar 12, 2019): At the moment there is no option to turn two factor authentication off from the admin panel, so you have a couple of alternatives as a user: - If you are logged in, you can go to the two factor settings page, open the yubikey menu and disable from there. - If you aren't logged in, you have two options: - You can use another two factor method, like TOTP or another registered yubikey to login and then continue with the first step. - If the only two factor method is the yubikey, you'll need the recovery code, that you should have stored in a safe place when setting up the second factor auth. This code is used in the login screen, when asked to use two factor, there is a link at the bottom for other two factor types that has a recovery option. Using this should delete all second factors from the account. If neither of those options work, you could edit the database manually. A query like this should do the trick and should be safe: ```sql REMOVE FROM twofactor WHERE user_uuid = <the user uuid>; ``` Edit: But adding an option to the admin panel is probably a good idea anyway, I'll have to think of a safe way to do it without cluttering the interface too much.

kerem commented

2026-03-03 01:27:18 +03:00

Author

Owner

@dani-garcia commented on GitHub (Mar 13, 2019):

This question is anwered already and I added the idea to the feature requests list, so I'm going to close it.

@dani-garcia commented on GitHub (Mar 13, 2019): This question is anwered already and I added the idea to the feature requests list, so I'm going to close it.

kerem referenced this issue

2026-03-03 08:36:30 +03:00

[PR #254] [MERGED] Adds Yubikey OTP Support #2685

kerem referenced this issue

2026-03-03 08:36:31 +03:00

[PR #257] [MERGED] Fixes NFC Response for Mobile Yubikey OTP Login #2689