Scoutinternal

Google Authenticator 2FA Issues: Lost Access, Setup Errors, and Manual Reset

Google Authenticator 2FA Issues: Lost Access, Setup Errors, and Manual Reset

Problem

Customers contact support because they have lost access to their Google Authenticator codes — typically after switching phones, losing a device, or accidentally removing the authenticator entry — and can no longer log in to their BitGo account. A smaller subset of tickets involve errors during initial 2FA setup (e.g., QR code scanning failures or timeout errors) or confusion about which 2FA method is actually configured on the account. In all cases the customer is locked out of the BitGo web application at https://app.bitgo.com.

Diagnostics

  • Confirm the user's registered 2FA method. Use the BitGo admin tool (bga) to look up the user account and check the otpDevices array. If otpDevices is empty ("otpDevices": []), 2FA has already been removed or was never fully set up. If the method listed is webauthn rather than totp/Google Authenticator, the customer may be attempting the wrong 2FA flow.
  • Check whether the account is a direct BitGo account or belongs to a third-party platform. Search the user record for enterprise associations and wallet counts (walletCounts.personalWallets, walletCounts.enterpriseWallets). If the user has no wallets and appears to be an end-user of a third party (e.g., Kingdom Trust, Bitcoin IRA, Republic, FTX/Cred), they may need to be redirected to that platform's support.
  • Check wallet existence and balance. Run bga user get to see if the user has wallets. This determines which verification path to use (transaction hashes vs. keycard info).
  • Check disableReset2FA flag. If this flag is true, the standard manual reset flow may be blocked and requires further investigation.
  • Note the user's signup date. Look at createTime in the user record to compare against verification information the customer provides.

Resolution

Scenario: google-authenticator-bitkub-finder#lost-authenticator-manual-reset

Trigger: Customer reports they lost their phone, switched devices, or deleted the Google Authenticator entry and can no longer produce a valid 2FA code to log in.

Signals: lost google authenticator, lost phone, changed phone, authenticator key lost, no access to google authenticator, 2FA reset, reset OTP, manual reset

Steps:

  1. Confirm the customer cannot use the self-service "Reset 2FA" flow available on the login page. If they can, direct them there first.
  2. If the self-service flow is unavailable or fails, initiate the manual 2FA reset verification. Request all of the following from the customer:
    • Date of BitGo email verification (instruct them to search their inbox for "Your BitGo Email Verification").
    • 3 transaction hashes (TXIDs) either to or from their BitGo wallet. If they do not have TXIDs, they should contact the exchange they originally sent or received bitcoin from and request the TXIDs.
    • Wallet balance (in cryptocurrency, including the wallet name).
  3. If the customer cannot provide the above, offer the alternative verification: ask for the first 8 characters and the last 8 characters of the BitGo Public Key (Box C) from their wallet keycard, along with the name of the wallet the keycard applies to.
  4. Validate the information provided against the user's account records in the admin tool. Confirm that dates, TXIDs, balances, or keycard characters match.
  5. If verification passes, execute the 2FA reset using bga user resetotp for the user's email address. Confirm the action when prompted.
  6. Notify the customer: "We have completed the process of resetting your Two-Factor Authentication. Please log back into your account, and follow the instructions to set up your Two-Factor Authentication again."
  7. If the customer's transactions do not match BitGo platform records (e.g., they provide on-chain TXIDs that never touched a BitGo wallet), inform them that the transactions provided did not involve the BitGo platform and ask them to provide correct information or keycard details.

Notes: - 2FA is mandatory on BitGo and cannot be permanently removed — it can only be reset so the customer can re-enroll a new device.

  • If the customer's account belongs to a third-party platform (Kingdom Trust, Bitcoin IRA, FTX retail, Republic, Cred, etc.), advise them to contact that platform directly. BitGo can only assist with wallets created directly on the BitGo platform.
  • Some customers may have had previous 2FA resets; the same verification process applies each time.

"If you do not have the above information, we can also accept the First 8 characters and the Last 8 Characters of the Bitgo Public Key from your keycard." "If you do not have the above information, we can also accept the First 8 characters and the Last 8 Characters of the Bitgo Public Key(BOX C) from your keycard. Please provide the name of the wallet the keycard info applies to." "If you can't provide the above information please kindly share the first 8 and last 8 characters of Public and Private key form your wallet keycard."

Scenario: google-authenticator-bitkub-finder#removed-authenticator-then-locked-out

Trigger: Customer intentionally removed or deleted their Google Authenticator entry (e.g., to "reset" it) and then discovered they cannot log back in because 2FA is still required on the account.

Signals: removed google authenticator, reset it, deleted authenticator, ErrorID, cmia6c1983bxn0fzqhdpv61x1

Steps:

  1. Ask the customer for a full-window screenshot of the error they see upon login attempt.
  2. Follow the same manual 2FA reset verification process described in the "lost-authenticator-manual-reset" scenario above (email verification date, 3 TXIDs, wallet balance, or first 8 / last 8 characters of the BitGo Public Key from Box C on the keycard).
  3. Once verified, reset the 2FA via bga user resetotp.
  4. Inform the customer to log in and set up a new 2FA device immediately.

Notes: Advise the customer that they should never remove their authenticator entry before confirming they have a backup or recovery code. Going forward, recommend they download and securely store their 2FA recovery codes from the BitGo Settings page.

"I wanted to reset my Google Authenticator so removed it and logged off. When I tried to login I got error below ErrorID: cmia6c1983bxn0fzqhdpv61x1."

Scenario: google-authenticator-bitkub-finder#initial-2fa-setup-failure

Trigger: Customer is setting up a BitGo account for the first time and encounters errors or timeouts while trying to scan the Google Authenticator QR code or enter the 6-digit code.

Signals: timed out, setup 2FA, QR code error, scan error, new account, first time, authentication issues, bg-ui error

Steps:

  1. Confirm the customer is using the latest version of Google Chrome on a computer or laptop (not a mobile browser). Recommend clearing browser cache and retrying.
  2. Instruct the customer to log in at https://app.bitgo.com. On first login, they will be prompted to register a 2FA device.
  3. If they choose Google Authenticator, they should click Continue, then:
    • Download Google Authenticator from Google Play (Android) or Apple App Store (iOS).
    • Open the app, tap the + sign to add an entry, choose Scan a QR Code.
    • Use the phone camera to scan the QR code displayed on the BitGo page (labeled "Add Google Authenticator").
    • Enter the resulting 6-digit code into the 2FA code field on the BitGo page.
  4. If scanning fails on a mobile device being used to access the site, advise: "Please use a laptop or desktop for this process, as scanning the code on other devices may cause difficulties and result in errors." The customer can screenshot the QR code, email it to themselves, open it on a different screen, and scan from the phone.
  5. The Label field during setup is optional — the customer can input any name that helps them identify the 2FA entry (e.g., "BitGo").
  6. If the account shows otpDevices as empty, 2FA setup has not yet completed. Advise the customer to retry. If issues persist, try a different device or network.

Notes: If the customer's 2FA method is actually set to Webauthn (not Google Authenticator), inform them that they need to use their configured Webauthn device/PIN instead.

"On your mobile device you need to download Google Authenticator from Google Play... Once you completed the scan process from your mobile phone Google Authenticator App it will show 6 random number, input that number into the 2FA code section here." "Please use a laptop or desktop for this process, as scanning the code on other devices may cause difficulties and result in errors. Kindly use the devices mentioned above to set up the 2FA." "The label is just a name for the 2FA entry and you can input anything that helps identify the device you used for the 2FA."

Scenario: google-authenticator-bitkub-finder#wrong-2fa-method-configured

Trigger: Customer reports Google Authenticator codes are not working, but the account's 2FA method is actually Webauthn (or another method), not Google Authenticator/TOTP.

Signals: wrong method, webauthn, 2FA code not working, invalid code, error authenticating

Steps:

  1. Look up the user's account in the admin tool and check the otpDevices array for the actual configured 2FA method.
  2. If the method is Webauthn, inform the customer: "We show your 2FA method being used is Webauthn. Are you inputting the pin you configured?"
  3. If the customer no longer has access to their Webauthn device, follow the manual 2FA reset verification process (same as the "lost-authenticator-manual-reset" scenario).
  4. Once reset, the customer can re-enroll with their preferred 2FA method from the login flow.

Notes: Customers may have multiple 2FA methods configured. They can manage these in the Settings page after logging in. At least one 2FA method must remain active at all times.

"We show your 2FA method being used is Webauthn. Are you inputting the pin you configured?"

Scenario: google-authenticator-bitkub-finder#third-party-platform-redirect

Trigger: Customer is trying to access funds through BitGo but their account/wallet is actually managed by a third-party platform such as Kingdom Trust, Bitcoin IRA, Republic, FTX, GroundFloor, or Cred.

Signals: Bitcoin IRA, Kingdom Trust, Republic, GroundFloor, FTX, Cred, no wallets, third party, not BitGo platform

Steps:

  1. Check the user account for wallet associations. If there are no BitGo wallets or the user mentions a third-party platform, inform them that BitGo can only assist with wallets created directly on the BitGo platform.
  2. Redirect the customer to the appropriate platform's support team. For example:
    • For FTX-related inquiries, point them to https://www.bitgo.com/ftx-faq.
    • For Republic-related inquiries, advise: "Contact Republic. We have no information about this."
    • For other platforms (Kingdom Trust, Bitcoin IRA, etc.), advise them to contact that platform directly.
  3. Close the ticket after confirming the redirect.

Notes: Many of these tickets come from users who originally accessed crypto through a third-party service and assume BitGo manages their account directly. Always verify wallet ownership before proceeding with any 2FA reset.

"Contact Republic. We have no information about this." "We are only able to access the wallet of only created in our BitGo platform."

Scenario: google-authenticator-bitkub-finder#enterprise-policy-unlock-whitelist

Trigger: Enterprise customer needs to whitelist a new wallet address, which requires a wallet policy unlock via video identity verification call.

Signals: whitelist, wallet policy, unlock, video call, enterprise, ERC20, Calendly

Steps:

  1. Confirm the enterprise ID and wallet ID from the customer's request.
  2. Send the customer the scheduling link for the video identity verification call: https://calendly.com/bitgo-client-delivery/videoid
  3. Instruct the customer to have government-issued photo ID ready during the meeting and to reference their ticket number when scheduling.
  4. During the video call, verify the customer's identity against their government-issued photo ID.
  5. After successful verification, unlock the wallet policy. Inform the customer the policy unlock is time-limited (typically 48 hours).
  6. Confirm completion: "We have completed the unlock of wallet policy for the next 48 hours."

Notes: This scenario is separate from 2FA reset — it involves enterprise wallet policy unlocks that require video ID verification. The 48-hour window means the customer must complete their whitelist changes promptly.

"Please use the following link to schedule a time to meet with us and verify the request: https://calendly.com/bitgo-client-delivery/videoid. Please be ready to provide your government issued photo ID during this meeting." "We have completed the unlock of wallet policy for the next 48 hours."

Related

  • two-factor-authentication — Covers all supported 2FA methods (Google Authenticator, Yubikey, Fido U2F, Webauthn) and initial setup instructions.
  • two-step-verification-setup — Details the new 2FA system including recovery codes, self-service 2FA reset, and Persona ID verification flow.
  • keycards-and-private-keys — Reference for wallet keycard structure including Box C (BitGo Public Key) used as alternative verification during manual 2FA resets.