2FA is invalid after new docker image pull

Hi I’m running bitwarden in a docker container with Authy 2FA. So when I pull the latest image from dockerhub and spin up the new container (using the same parameters), I can no longer use the existing 2FA I’ve used previously. It says that it is not a valid 6 digit verification code.

So I have to go to the admin panel then remove the 2FA for all users and then redo the whole process of adding a new 2FA.

Is there any better way of upgrading the docker image without having to do the same dance each time?

Thanks

You should have to do this.
It is kinda strange, since all TOTP Tokens are generated using UTC time, I can only think that somehow the first time generating went wrong, or the Summer-Time change in some countries caused an issue.

But I haven’t had this myself.
It could be that a timezone was not changed, but the time itself, thus your clock is either an hour ahead or behind.

Please check the /admin/diagnostics page and see if the UTC is correct.

I’ve checked the UTC time of the ubuntu where the bitwarden is started with the cmd: timedatectl and the time matches with the time at /admin/diagnostics.

Now that I think of it - I had issue with other docker services that had 2FA. So it’s not just specific to bitwarden.
Maybe setting the timezone via env var when starting the docker container will fix the issue?

I use TOTP MFA and update my container automatically. I did not see any issues specifically with BW but TOTP is sensitive to time shifts.

It is not THAT sensitive (typically 1 time slot, which is 30 seconds or 1 minute) - so you may want to also check the client time to see if it is not drifted there.

Also compare what timedatectl states vs. https://time.gov/ or a similar service (to see how the three actors are in sync)

Hi, did you find any solution to this? I pulled the latest docker image as well, and now all my stored TOTP keys are out of sync. Re-adding them doesn’t fix the issue, and all I can do is add the TOTP key on my phone.

Using timedatectl it seems my “Universal time” matches the one on time.gov

Never mind, I figured it out.

Checking vaultwarden.domain.tld/admin/diagnostics showed that my browser NTP was out of sync. I checked Windows and found out I accidentally disabled automatic time sync. So I resynced and everything worked again!

I am having the same issue, TOTP created in british summer time, restored backup to new machine in GMT and TOTP does not work and I need to disable 2FA for the user. I checked diagnostics and time was all in sync.

It doesn’t matter where or how the totp was created, it always uses UTC time to validate.

The only way it can go wrong is if the server thinks it is in UTC, but it actually is not.

The diagnostics only checks the server side and your current browser. It doesn’t check the date/time of the client where the token is generated. If that client is not in sync with the correct time, it will not work.
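The two points made in this thread (a TOTP code is computed from UTC, so timezone settings are irrelevant, and a verifier typically tolerates only about one 30-second step of skew between the device generating the code and the server checking it) can be seen directly with a small RFC 6238 implementation. The following is an added example written for this thread, not Vaultwarden's own verification code; the base32 secret, the base timestamp and the one-step tolerance window are constructed assumptions, and the two RFC 4226/6238 test vectors at the bottom are the published ones for the secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret (base32), not a value from the thread.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6                 # the "6 digit verification code" from the thread
WINDOW = 1                 # assumed tolerance: +/- one step around the server's counter


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the
    Unix epoch. Unix time is already UTC, so no timezone enters the
    calculation; only the absolute clock value matters."""
    return hotp(secret, int(unix_time // STEP_SECONDS), digits)


def verify(secret: bytes, code: str, server_unix_time: float, window: int = WINDOW) -> bool:
    """Accept the code if it matches the server's current step or any step
    within +/- `window` steps. Constant-time comparison avoids leaking
    which candidate matched."""
    counter = int(server_unix_time // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def simulate_skew(skew_seconds: int, base_time: int = 1_700_000_000) -> bool:
    """Model the situation from the thread: the authenticator app's clock is
    off from the server's by `skew_seconds`. The app generates a code from
    its own (skewed) clock; the server verifies against its own clock."""
    secret = base64.b32decode(SECRET_B32)
    client_code = totp(secret, base_time + skew_seconds)
    return verify(secret, client_code, base_time)


if __name__ == "__main__":
    for skew in (0, 20, 60, 3600, -3600):
        print(f"client clock skew {skew:6d}s -> accepted: {simulate_skew(skew)}")
```

Running it shows that a skew of a few seconds is absorbed by the window, while an hour of skew (the "clock is an hour ahead or behind" case, e.g. a machine whose clock was adjusted for summer time instead of its timezone setting) is rejected every time, which matches the "not a valid 6 digit verification code" symptom regardless of which machine or region the secret was enrolled on.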