2FA is invalid after new docker image pull

Hi I’m running bitwarden in a docker container with Authy 2FA. So when I pull the latest image from dockerhub and spin up the new container (using the same parameters), I can no longer use the existing 2FA I’ve used previously. It says that it is not a valid 6 digit verification code.

So I have to go to the admin panel then remove the 2FA for all users and then redo the whole process of adding a new 2FA.

Is there any better way of upgrading the docker image without having to do the same dance each time?


You should have to do this.
It is kinda strange, since all TOTP Tokens are generated using UTC time, i can only think that somehow the first time generating went wrong, or the Summer-Time change in some countries caused an issue.

But I haven’t had this my self.
It could be that a timezone was not changed, but the time it self, thus your clock is either an hour ahead or behind.

Please check the /admin/diagnostics page and see if the UTC is correct.

I’ve checked the UTC time of the ubuntu where the bitwarden is started with the cmd: timedatectl and the time matches with the time at /admin/diagnostics.

Now that I think of it - I had issue with other docker services that had 2FA. So it’s not just specific to bitwarden.
Maybe setting the timezone via env var when starting the docker container will fix the issue?

I use TOTP MFA and update my container automatically. I did not see any issues specifically with BW but TOTP is sensitive to time shifts.

It is not THAT sensitive (typically 1 time slot, which is 30 seconds or 1 minute) - so you may want to also check the client time to see if it is not drifted there.

Also compare what timedatectl states vs. https://time.gov/ or a similar service (to see how the three actors are in sync)