Scoutinternal

Two-Factor Authentication (2FA) Reset for BitGo Accounts

Two-Factor Authentication (2FA) Reset for BitGo Accounts

Problem

Customers contact support because they cannot log in to their BitGo account due to lost, inaccessible, or malfunctioning two-factor authentication (2FA). Common causes include a changed or reset phone, an uninstalled authenticator app, a discontinued SMS-based 2FA method, or simply not remembering which authenticator app was configured. The customer is prompted for a 2FA code at login but cannot produce one, blocking all account access and subsequent operations such as withdrawals.

Diagnostics

  • Identify the 2FA device type on the account. Using the BitGo admin tool (bga), look up the user and inspect the otpDevices array. Note the type (e.g., totp), label (e.g., "Google Authenticator"), and verified status. This tells you which app the customer originally configured.
  • Determine account tier. Check whether the user is associated with an enterprise/business account (premium/institutional client) or is a personal/retail user. Premium clients follow a different verification flow (video call via Calendly) compared to personal wallet users (manual verification via email).
  • Check wallet counts and balances. Inspect walletCounts (personalWallets, enterpriseWallets) and balances. Users with balances above a threshold or enterprise accounts may require stricter identity verification. Users with zero balance and no transactions may be verified with minimal information.
  • Check KYC/identity status. Inspect the user's identity.kyc.overallState. If "rejected" or "unverified", the user may encounter additional issues after 2FA reset (e.g., "We will contact you soon" message) requiring Compliance team involvement.
  • Confirm the support request originates from the registered email. The 2FA reset request must come from the email address associated with the BitGo account. If it comes from a different address, ask the customer to re-send from the correct one before proceeding. This applies to both personal and enterprise accounts.
  • Check disableReset2FA flag. If this is set to true, the self-service reset flow is blocked and the user must go through support.
  • Determine if customer attempted self-service reset. Ask whether they clicked "Reset 2FA" on the login screen. Some customers receive errors during the self-service flow or see "Contact Support — To continue resetting your 2FA, contact support@bitgo.com." which requires manual intervention.

Resolution

Scenario: authentication-factor-two-twofactor#personal-user-manual-2fa-reset

Trigger: A personal/retail BitGo user has lost access to their 2FA device (changed phone, uninstalled authenticator, lost Yubikey) and cannot use the self-service reset, or is unable to complete it due to errors.

Signals: lost authenticator, changed phone, 2FA code not working, reset 2FA error, personal wallet, Google Authenticator, Authy, cannot login, two-factor authentication

Steps:

  1. Confirm the request is sent from the email address registered on the BitGo account. If not, instruct the customer to email from the correct address.
  2. Request the following verification information from the customer:
    • Date of BitGo email verification (tell the customer to search for "Your BitGo Email Verification" in their inbox).
    • 3 transaction hashes (TXIDs) either to or from their wallet. If they do not have TXIDs, instruct them to contact the exchange where they first received crypto and request the TXIDs. If they have not made any transactions, ask them to confirm this.
    • Wallet balance in cryptocurrency (including the name of the wallet). If they haven't created wallets, ask them to confirm this.
    • Alternatively, if the customer cannot provide the above, accept the first 8 characters and the last 8 characters of the BitGo Public Key from their wallet keycard (Box C on the keycard PDF). Ask the customer to also provide the name of the wallet the keycard applies to.
  3. Verify the submitted information against internal records using the admin tool. Cross-reference the email verification date, transaction hashes, wallet balance, or keycard public key characters.
  4. If the information matches, perform the 2FA reset using the admin tool (e.g., bga user resetotp).
  5. Notify the customer that their 2FA has been reset and instruct them to log back in and set up a new 2FA method. Provide setup guidance:
    • Download Google Authenticator (or Microsoft Authenticator / Yubico Authenticator) on their mobile device.
    • Upon login, select Add 2-Factor Authentication (2FA), then select Authenticator.
    • Scan the QR code displayed on the screen using the authenticator app and enter the generated 6-digit code.
  6. If information does not match, inform the customer the provided details are incorrect and ask them to provide correct information. Do not reset 2FA until verification succeeds.
  7. If the customer is completely unable to provide any of the required verification data, inform them that the 2FA cannot be reset without ownership verification.

Notes: - BitGo no longer supports SMS-based 2FA. Customers who previously used SMS/phone-based codes will need a full 2FA reset to switch to an authenticator app.

  • Advise customers never to share the full public key — only the first 8 and last 8 characters.
  • Some FTX creditor customers may have no prior transactions and no wallets created. In such cases, the email verification date and approximate balance (from FTX settlement deposit) may suffice for verification.
  • After 2FA reset, customers may encounter a separate "unable to decrypt keychain with the given wallet passphrase" error when attempting withdrawals. This is a wallet password issue, not a 2FA issue. The wallet password may differ from the login password. Direct them to: Wallet > Settings > "Forgot Wallet Password?" to reset it using their keycard.

"Please also note that your login password can be different from your wallet password and if you had changed your login password, your wallet passwords will not change. Also, Please note the creator of the wallet will need to use the wallet passphrase they set for the wallet. Any other user will use their BitGo platform password. You can reset your wallet password from Wallet > Settings > Forgot Wallet Password?" (ticket #29815)

"The code sent to your phone is the 2FA one time passcode (OTP). We no longer support SMS 2FA method which is why you did not receive the code. The only way to resolve this is to reset your 2FA so you can set it up again upon log in." (ticket #189468)

"Please provide us the first 8 and the last 8 characters of your BitGo Public Key found on your wallet keycard (Box C)." (ticket #234310)

Scenario: authentication-factor-two-twofactor#premium-client-video-verification

Trigger: An enterprise/premium/institutional client requests a 2FA reset. These accounts require identity verification via a scheduled video conference rather than email-based verification.

Signals: enterprise account, premium client, video conference, Calendly, business account, institutional, 2FA reset, video ID

Steps:

  1. Confirm the user is associated with an enterprise account in the admin tool.
  2. Verify that the 2FA reset request is being sent from the email address registered on the BitGo account. If the request comes from a different email address, instruct the customer to re-send the request from their registered account email before proceeding. Do not schedule a video call or disclose any account details (including the configured 2FA method) until the request originates from the registered email.
  3. Send the customer the Calendly scheduling link for the video ID verification call: https://calendly.com/bitgo-client-delivery/videoid
  4. Instruct the customer to:
    • Be ready to provide a government-issued photo ID during the meeting.
    • Reference their ticket number when scheduling.
  5. If the customer is not the initially verified (KYC'd) user on the enterprise, they must bring a verified member of their organization on the call to authorize their identity. Identify verified users on the account via the admin tool and communicate which users are eligible.
  6. Conduct the video call, verify the customer's identity, and perform the 2FA reset.
  7. Notify the customer that their 2FA has been reset and instruct them to log in and configure a new 2FA method.

Notes: - If the originally verified person has left the organization, escalate internally. If another authorized person (e.g., the enterprise owner) can join the call, the reset may still proceed — coordinate with the CSM and internal stakeholders.

  • The Calendly link is standard across all premium 2FA reset requests.

"We have received your request to reset your Two-Factor Authentication. For security purposes, we will need to schedule a video conference to verify your Identification. Please use the following link to schedule a time to meet with us and verify the request: https://calendly.com/bitgo-client-delivery/videoid. Please be ready to provide your government issued photo ID during this meeting." (ticket #209546)

"Note: If you are not initially verified by BitGo, please bring the person on the call who has already verified and can authorize your identity." (ticket #219736)

Scenario: authentication-factor-two-twofactor#self-service-reset-guidance

Trigger: The customer has not yet attempted the self-service 2FA reset flow available on the login page, or is unaware it exists.

Signals: how to reset 2FA, reset link, self-service, Request reset, cooldown, 24 hours, new IP

Steps:

  1. Instruct the customer to go to the BitGo login page at https://app.bitgo.com/auth/log-in and enter their email and password.
  2. On the Two-Factor Authentication input screen, click Reset 2FA (shown at the bottom of the page).
  3. Follow the on-screen instructions, which may include email verification and identity verification steps (e.g., Persona ID and liveness verification).
  4. Note: If a new IP address is being used, there will be a cooldown period (up to 24 hours) before the reset can proceed.
  5. If the self-service reset fails with an error or displays "Contact Support — To continue resetting your 2FA, contact support@bitgo.com," proceed with the manual reset flow (Scenario: personal-user-manual-2fa-reset or premium-client-video-verification depending on account type).

Notes: - Self-service reset is typically available for users with lower balances. Users with higher balances may be directed to contact support automatically.

  • Some users report that the self-service reset page returns errors or does not complete. In these cases, a manual reset by support is required.

"When I click on reset 2FA I get the below screen. Contact Support — To continue resetting your 2FA, contact support@bitgo.com." (ticket #240542)

"If you need to reset your 2FA, please click on the Reset 2FA link in the 2FA input screen and follow the instructions to do so." (ticket #228655)

Scenario: authentication-factor-two-twofactor#post-reset-wallet-password-error

Trigger: After a successful 2FA reset and re-login, the customer encounters an "unable to decrypt keychain with the given wallet passphrase" error when attempting a withdrawal or transaction.

Signals: unable to decrypt keychain, wallet passphrase, wallet password, withdrawal error, keychain error, wrong password

Steps:

  1. Clarify to the customer that this is a wallet password issue, not a 2FA issue. The wallet password can be different from the BitGo login password.
  2. Explain that if the customer changed their login password, the wallet password does not change automatically.
  3. Explain that the wallet creator uses the passphrase they originally set; any other user on the wallet uses their BitGo platform (login) password.
  4. Instruct the customer to reset their wallet password by navigating to: Wallet > Settings > "Forgot Wallet Password?"
  5. The customer will need their wallet keycard information to complete the wallet password reset.
  6. Once the wallet password is reset, the withdrawal should succeed.

Notes: - This scenario frequently follows a 2FA reset for long-inactive accounts where the customer no longer remembers which password was used for the wallet.

  • Ensure the customer is manually typing the new password. Password managers may not save it correctly or may incorrectly associate it with a different account.

"This error indicate that an incorrect wallet password was input. Please kindly check the password and try again. Please also note that your login password can be different from your wallet password and if you had changed your login password, your wallet passwords will not change." (ticket #29815)

"Incase you don't remember the password, you can reset your wallet password from Wallet > Settings > Forgot Wallet Password? You will need the wallet Keycard information to proceed." (ticket #183922)

Scenario: authentication-factor-two-twofactor#kyc-rejected-post-reset

Trigger: After a successful 2FA reset, the customer logs in but is presented with a message such as "We will contact you soon — Your application has been completed. Our team will contact you soon with next steps" instead of reaching the dashboard.

Signals: KYC rejected, application completed, contact you soon, overallState rejected, Persona, identity verification, compliance

Steps:

  1. Check the user's KYC status in the admin tool. Look at identity.kyc.overallState.
  2. If overallState is "rejected" or otherwise not "approved", escalate to the Compliance team via the internal Slack channel (e.g., #compliance).
  3. Compliance may need to manually update the user's Persona inquiry status to "approved" to grant platform access for the purpose of withdrawing assets.
  4. Once Compliance resolves the KYC block, inform the customer to log in again.

Notes: - This scenario is separate from the 2FA issue itself but often surfaces immediately after a 2FA reset for accounts that have been inactive or were created before current KYC requirements.

"after entering my login and password on the bitgo website I get the following message: We will contact you soon — You application has been completed. Our team will contact you soon with next steps." (ticket #210221)

Related

  • wallet-password-reset — Customers who successfully reset 2FA often immediately encounter wallet password issues; this article covers the "Forgot Wallet Password?" flow in detail.
  • two-step-verification-setup — Covers the initial 2FA setup process including recovery codes, relevant for customers reconfiguring after a reset.
  • ftx-creditor-account-access — Many 2FA reset requests come from FTX creditors who created BitGo accounts for settlement distributions and have limited familiarity with the platform.