Duo push for Bitwarden not going to new phone

I have a personal duo account for myself that use use solely for Bitwarden.
There is only 1 user account in my duo admin panel.
Duo app on my old phone shows 2 accounts
1 - Personal Admin, that shows code for Duo Admin login
2 - Personal, shows code for Bitwarden login

I got a new phone, and have 2FA for my Duo admin login working from the new phone.
When I login to Duo, the push goes to the new phone.
The push notifications for BitWarden still go to my OLD phone.
The duo app on my new phone shows 2 accounts just like the old phone, but the account named “personal” says “disabled” on the new phone. It does NOT say this on the old phone.

Did a re-activate once. I don’t see any other place to re-active that is specific to the BW auth instance in Duo.
Confused by using “reactivate” is not done for all 2FA instances on the account.
If I re-activate again from 2nd BW instance, will that activate and also leave the Duo Admin instance active?

Thanks

You need to send an activation for your personal account on your new phone. Activating the admin account on the new phone is separate from activating the end-user account.

See the instructions for sending an activation for the end-user (personal) account from the Admin Panel here.

Consider setting up Duo Restore on your new phone to make future migration to another phone a bit easier.

1 Like

The personal admin web page shows a single account, the Duo admin account, which I have re-activated, and goes to the new phone.
How do I re-activate an account that is not shown on the duo admin page, but is shown on the old phone?

Every time you go to the reactivate page, you get this warning:

2fa devices / phones / Activate Duo Mobile
Note: Generating an activation code will invalidate any existing Duo Mobile credentials for this device until it is activated with the new activation code.

So after you re-active the phone for the Dou Admin, how do keep THAT account active and activate the 2nd instance for BitWarden?

You can only activate Duo Push for an account on one phone. That applies to both Duo administrator accounts and Duo end-user accounts.

You said you have already activated your Duo Admin account (the one where you send the push when you log into the Duo Admin Panel) on your new phone.

Now you also need to activate your Duo user account (the one that you use to log into Bitwarden) on your new phone.

You would follow the instructions for sending an activation for the end-user (personal) account from the Admin Panel here.

It’s correct that it will invalidate existing Duo Mobile activation - it is referring to the previous activation for that account on your old phone. When you are done Duo Push notifications will go to the admin account activated on your new phone for Duo Admin Panel logins and to the end-user account activated on your new phone for your Bitwarden logins.

This what I don’t get.
The steps you suggest are for activating a phone, which I have already done.
Why did the previous activation of the new phone only activate the admin account?
Implementation of the product for personal use case is confusing and seems flawed.

FWIW - the new phone has the same number as the old phone, but that’s almost always the case people are in. Within 2FA devices the number is there, but the model still shows the old phone model. This is even after the Duo app has been activated for the admin account on the new phone.

If activation is done on a per user basis why does the warning on the activate page say “ANY existing credential”? That would mean activating the BW User on the device with Deactivate the Dou Admin on the same device.

I need to keep admin cred on new phone but also bring the BW User cred to new phone.
If it’s activating the NEW phone and invalidating the OLD phone, why does it say “invalidate ANY credential for THIS device”?

It makes no sense to me how a re-activation of the phone only re-activated 1 of 2 accounts.
Frustrated and considering using a different 2FA solution for BW.

You have two Duo accounts:

  1. The Duo Admin account that you use to log into the Duo Admin Panel at https://admin.duosecurity.com.

  2. The Duo end-user account that you use to sign into the applications you protect with Duo as a user of that application (in your case Bitwarden).

You have to reactivate Duo Mobile for your Duo Admin account and also you have to reactivate Duo Mobile for your end-user account.

From your repeated questions it sounds like you only reactivated the Duo admin account and not the end-user account.

It makes no sense to me how a re-activation of the phone only re-activated 1 of 2 accounts.

This is because, as mentioned, you have to reactivate Duo Mobile for your Duo Admin account and also you have to reactivate Duo Mobile for your end-user account.

If activation is done on a per user basis why does the warning on the activate page say “ANY existing credential”?

This is referring to your previously activated end-user Duo account on your old phone.

That would mean activating the BW User on the device with Deactivate the Dou Admin on the same device.

No, it does not mean this. End-user accounts are distinct from administrator accounts in Duo. The user accounts are distinct and the phone objects are distinct in our system, even if they represent the same physical device.

I hope this helps you understand the distinction between a Duo admin account and a Duo end-user account and why you need to repeat the Duo Mobile activation on your new phone for your end-user in order to have the push from Bitwarden go to your new phone when you sign into Bitwarden as that end user.

1 Like