What happens if I lose my Yubikey? #253

Closed
opened 2026-02-04 19:01:37 +03:00 by OVERLORD · 2 comments

Originally created by @vitobotta on GitHub (Mar 12, 2019).

Hi. I just purchased a Yubikey which I am going to use for BW kinda exclusively (I'm using BW itself for 2FA codes for other apps/sites). Once I set it up and get it working what happens if I ever lose it or it gets stolen or something? I have seen that in the admin panel there is an "Enabled" flag for Yubikey which seems to suggest I can turn it off whenever I need. Is this correct? If something like that happens would it be enough to disable Yubikey in the admin panel in order to be able to log in with just my password?

Thanks!

OVERLORD added the question label 2026-02-04 19:01:37 +03:00

@dani-garcia commented on GitHub (Mar 12, 2019):

At the moment there is no option to turn two factor authentication off from the admin panel, so you have a couple of alternatives as a user:

  • If you are logged in, you can go to the two factor settings page, open the yubikey menu and disable from there.
  • If you aren't logged in, you have two options:
    • You can use another two factor method, like TOTP or another registered yubikey to login and then continue with the first step.
    • If the only two factor method is the yubikey, you'll need the recovery code, that you should have stored in a safe place when setting up the second factor auth. This code is used in the login screen, when asked to use two factor, there is a link at the bottom for other two factor types that has a recovery option. Using this should delete all second factors from the account.

If neither of those options works, you could edit the database manually. A query like this should do the trick and should be safe:

```sql
-- Deletes every registered second factor for this one user
DELETE FROM twofactor
WHERE user_uuid = '<the user uuid>';
```

Edit: But adding an option to the admin panel is probably a good idea anyway, I'll have to think of a safe way to do it without cluttering the interface too much.
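
The manual database fallback from the comment above, as an added example that is not part of the original thread or the project's code: it scopes the delete to exactly one account and runs it in a single transaction. It assumes a SQLite database; the `users` table with `uuid` and `email` columns, the function name `reset_two_factor` and the sample rows are assumptions constructed for the demo, and only `twofactor` and `user_uuid` come from the query in the comment.

```python
import sqlite3


def reset_two_factor(conn, email):
    """Delete all second factors for exactly one user; return rows removed."""
    with conn:  # one transaction: commit on success, roll back on any exception
        rows = conn.execute(
            "SELECT uuid FROM users WHERE email = ?", (email,)
        ).fetchall()
        # Refuse to touch anything unless the e-mail maps to a single account.
        if len(rows) != 1:
            raise LookupError(f"expected one user for {email!r}, found {len(rows)}")
        user_uuid = rows[0][0]
        # Parameterized and scoped by user_uuid, so other accounts keep their 2FA.
        cur = conn.execute(
            "DELETE FROM twofactor WHERE user_uuid = ?", (user_uuid,)
        )
        return cur.rowcount


def build_demo_db():
    """Constructed sample data; the column set is an assumption for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE twofactor (uuid TEXT PRIMARY KEY,
                                user_uuid TEXT NOT NULL,
                                type INTEGER NOT NULL);
        INSERT INTO users VALUES ('u-1', 'alice@example.com'),
                                 ('u-2', 'bob@example.com');
        INSERT INTO twofactor VALUES ('t-1', 'u-1', 3),
                                     ('t-2', 'u-1', 0),
                                     ('t-3', 'u-2', 0);
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("removed:", reset_two_factor(db, "alice@example.com"))
    print("remaining:", db.execute(
        "SELECT uuid, user_uuid FROM twofactor").fetchall())
```

Try it on a copy of the database file first. After the rows are gone, the account is protected by the password alone until a second factor is registered again.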


@dani-garcia commented on GitHub (Mar 14, 2019):

This question is answered already and I added the idea to the feature requests list, so I'm going to close it.


Reference: starred/vaultwarden#253