I am having an issue that only happens when I enable the policy to enforce 2FA on an organisation.
When this is enabled and I add a new user, the user receives the invitation mail. They can create a password and sign in. They get a notification to enable 2FA. The user enables 2FA, but no mail is sent to notify that the invitation has been accepted.
Subsequently, from the administrator's perspective, there is also no notification in the web interface to show that a user has accepted the invitation. Ultimately this leaves the new user in a state where he has no access to the Organisation or the Collections in that Org.
When I disable the policy to enforce 2FA and follow the same steps, everything works fine.
Has anybody come across this? Am I missing something, or is this possibly a bug?
Worth noting: I am running the latest version, but this also happens on version 1.26.0.
Once they meet the requirements, your users will have to open the (same) Join link again and log in to accept the invitation with a valid token. Then you can confirm them.
If the invitation token has expired you can resend the invitation.
This works, yes, but it is a bit confusing if you do not know about this. It can be a nightmare with users that are “technology challenged”. Is there any way of sending another notification / invite automatically once the user has enabled 2FA?
No, I don’t think so (I think it would be nice if setting up 2FA could become part of the initial signup process somehow). Improving this flow is a bit outside of Vaultwarden’s control. However, once you have familiarized yourself with how it works, I believe that it will not be that confusing anymore.
Also, on a side note: the process has already been made a lot easier with automatic verification (in case it was required by SIGNUPS_VERIFY=true) and with users being able to register without an invitation link (if you have allowed signups).
I have not allowed signups; however, this will be available only inside a LAN, so I will re-enable that and just run through that flow also to see how it works.
Worst case, I guess I can send out a how-to to all the users, with screenshots for the challenged ones.
Thanks for the advice.
You could probably also allow a domain whitelist to only allow registration with a specific email domain.