Organization Two-step Login #698

Closed
opened 2026-02-04 22:15:44 +03:00 by OVERLORD · 6 comments
Originally created by @bloodypiker on GitHub (May 4, 2020).

Subject of the issue

Organizational requirement of two-factor login on their personal account does not work.

Your environment

  • Bitwarden_rs version: 1.14.2-0de52c6c
  • Install method: Docker image
  • Clients used: Web Vault, Windows app, iOS app
  • Reverse proxy and version: Nginx 1.14.0 (Ubuntu)

Steps to reproduce

Created a new test organization and enabled two-step login within the policies of the organization. I created a new test user without two-factor and added them to the organization.

Expected behavior

Users without two-step logins should not be able to access the stored items within the organization.
"Organization members who do not have two-step login enabled for their personal account will be removed from the organization and will receive an email notifying them about the change."

Actual behavior

Users of all access levels (owner, admin, manager, user) can access all items stored within the org. without satisfying the org. two-factor policy.
If the user had two-factor but removed it, email is not sent nor do they lose access to the org.

Relevant logs

OVERLORD added the enhancement label 2026-02-04 22:15:44 +03:00

@dani-garcia commented on GitHub (May 7, 2020):

Yes at the moment the policies are only handled client side, but we should handle the 2FA one server side too.

Is the procedure you mention what the official server does? Letting the user remove the second factor, sending them an email and removing their access, I mean.

My initial idea was to simply not let them remove the 2FA if they are part of such an organization, but if upstream does it that way maybe we should follow their steps.


@bloodypiker commented on GitHub (May 8, 2020):

Unfortunately, I have not interfaced with the official server offer.

From the official help documents:

  • The administrator will receive a warning that Organization members, in confirmed status, who don’t have two-step for their account will be removed from the organization and will receive an email notifying them about the change.
  • If the administrator proceeds to enable the two-step login policy, confirmed members of the organization who do not have two-step login enabled will lose access to the organization.
  • Members who lose access to an organization will receive an email informing them of such.
  • Once the user enables two-step login on their account they can then re-join the organization through a new invite.
  • Newly invited members will not be able to accept their invitation to the organization until they have enabled two-step login on their user account.
  • If a newly invited member currently has a Bitwarden account using the invited email address, they will be notified and must enable two-step login before accepting their invitation.
  • If a newly invited member does not have an account, they will default to using email-based two-step login but will be able to change this configuration at any time.
  • If a member of the organization later disables two-step login on their account, they will be removed from the organization.
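To make concrete what "handling the 2FA policy server side" (dani-garcia's comment) would mean for the behaviour listed in the help-document bullets above, here is an added illustration in Rust. It is not vaultwarden's own code and none of the names in it (OrgMember, MembershipStatus, PolicyOutcome, apply_policy, can_accept_invitation, on_two_step_disabled) come from the project; membership status is simplified to Invited/Confirmed, and the sample members are constructed for the example.

```rust
// Added illustration, not vaultwarden's code: a server-side model of the
// organization two-step-login policy as the help-document bullets describe it.
// All names here are assumptions for the example; membership is simplified
// to Invited/Confirmed. The point is that every decision below is taken by
// the server from its own records, not by trusting the client.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipStatus {
    Invited,
    Confirmed,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct OrgMember {
    pub email: String,
    pub status: MembershipStatus,
    pub has_two_step: bool,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PolicyOutcome {
    /// Policy off, or the member already has two-step login: nothing to do.
    Keep,
    /// Confirmed member without two-step login: revoke access and e-mail them.
    RevokeAndNotify,
    /// Invited member without two-step login: the invitation stays unacceptable.
    HoldInvitation,
}

/// Decides what the server must do for one member.
pub fn evaluate_member(policy_enabled: bool, member: &OrgMember) -> PolicyOutcome {
    if !policy_enabled || member.has_two_step {
        return PolicyOutcome::Keep;
    }
    match member.status {
        MembershipStatus::Invited => PolicyOutcome::HoldInvitation,
        MembershipStatus::Confirmed => PolicyOutcome::RevokeAndNotify,
    }
}

/// Runs when an admin enables the policy: returns the members who stay in the
/// organization and the addresses that must receive a removal notification.
pub fn apply_policy(policy_enabled: bool, members: &[OrgMember]) -> (Vec<OrgMember>, Vec<String>) {
    let mut remaining = Vec::new();
    let mut notify = Vec::new();
    for m in members {
        match evaluate_member(policy_enabled, m) {
            PolicyOutcome::RevokeAndNotify => notify.push(m.email.clone()),
            _ => remaining.push(m.clone()),
        }
    }
    (remaining, notify)
}

/// Guard for the "accept invitation" request: rejected unless the invitee
/// already has two-step login when the organization requires it.
pub fn can_accept_invitation(policy_enabled: bool, invitee_has_two_step: bool) -> bool {
    !policy_enabled || invitee_has_two_step
}

/// Guard for the "disable two-step login" request: the user is removed from
/// every organization whose policy requires it. Input is (org id, policy on);
/// output is the org ids the user loses access to.
pub fn on_two_step_disabled(memberships: &[(String, bool)]) -> Vec<String> {
    memberships
        .iter()
        .filter(|(_, policy_enabled)| *policy_enabled)
        .map(|(org_id, _)| org_id.clone())
        .collect()
}

fn main() {
    // Constructed sample members for the illustration.
    let members = vec![
        OrgMember { email: "owner@example.test".into(), status: MembershipStatus::Confirmed, has_two_step: true },
        OrgMember { email: "user@example.test".into(), status: MembershipStatus::Confirmed, has_two_step: false },
        OrgMember { email: "new@example.test".into(), status: MembershipStatus::Invited, has_two_step: false },
    ];
    let (remaining, notify) = apply_policy(true, &members);
    println!("remaining: {:?}", remaining.iter().map(|m| &m.email).collect::<Vec<_>>());
    println!("notify: {:?}", notify);
}
```

With the policy enabled, the confirmed owner keeps access, the confirmed user without two-step login is dropped and queued for the notification e-mail, and the invited user stays on the list but cannot accept until two-step login is enabled, which is exactly the split the help bullets describe. The two guards show where the check has to sit for a modified client to be unable to bypass it: on the invitation-accept and disable-two-step requests, not in the web vault.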

@fourstepper commented on GitHub (Dec 8, 2020):

If I understand correctly, right now there is no way to enforce the use of 2FA in orgs from the bitwarden_rs server?


@omueller commented on GitHub (Jan 7, 2021):

Hi @fourstepper, have you found new information about that issue in the meantime? I have the same problem, and at the moment, when I create a new company user, I need to:

  1. invite the user
  2. wait until the account is ready
  3. make sure 2FA has been activated (under /admin/users/overview)
  4. make sure he/she clicks again on the invitation link to be added to the organisation
  5. and then I accept the new user in the organisation.
  6. (check from time to time, that everybody still has 2FA active)

It would be great if there was a way to skip step 3 (and also 4, but it seems there is no other way around?).

Of course these are small issues, thanks again @dani-garcia for your great work!
Best regards, Olivier


@fourstepper commented on GitHub (Jan 7, 2021):

Hi Olivier,

There was no change for me in this regard - this still seems like it's unavailable.


@olivierIllogika commented on GitHub (Apr 12, 2021):

Hi,
Just created a pull request for this. It's my first time coding Rust, but it seems to get the job done.

Please test and give feedback.
Thanks!

Reference: starred/vaultwarden#698