Scoutinternal

Two-Factor Authentication (2FA) Issues: Setup, Reset, and Account Access

Two-Factor Authentication (2FA) Issues: Setup, Reset, and Account Access

Problem

Customers contact support because they cannot complete 2FA setup, have lost access to their 2FA device (e.g., Google Authenticator), encounter errors during the 2FA registration flow (including "Unauthorized" or error IDs like bg-ui-1ba7accd79287331839b10c43451e10f and bg-ui-d0ed5045a9dce08d8123b7a1f1d579ac), or are confused by the 2FA Label prompt. Some customers are locked out of their accounts entirely because they cannot pass the 2FA step. A subset of contacts come from users of fraudulent/impersonating sites (e.g., "BitGo Global," bitgogogogo.com) that are not affiliated with BitGo.

Diagnostics

  • Verify the customer has an account on BitGo: Search for the customer's email in the admin tool. If no account is found, ask the customer to confirm the email registered with BitGo and the URL they use to log in. Fraudulent sites (e.g., bitgogogogo.com, "BitGo Global") are not affiliated with BitGo.
  • Determine which 2FA operation is failing: Is the customer trying to set up 2FA for the first time (registering a new device), or trying to log in with an existing 2FA, or trying to reset 2FA because they lost their device?
  • Check for error IDs: Ask the customer for any error ID shown in the UI (e.g., bg-ui-* codes). Look up the error in platform logs to identify the specific API failure (e.g., user.addotp 400 error: Verification Failed).
  • Check the 2FA registration type: Review the log entry for the "type" field in the request body (e.g., "type": "webauthn") to determine which 2FA method the customer is attempting.
  • Check IP address / cool-off status: If the customer is attempting a self-service 2FA reset from a new IP address, the platform enforces a 24-hour cool-off period. The customer will see a message like: "You're attempting to reset your 2FA from a new IP address. BitGo requires a 24-hour cool-off period before you can continue."
  • Check account frozen status: In the admin tool, verify whether the account is frozen. A frozen account may have been self-frozen by the customer.
  • Check if the customer is an FTX Retail / SoFi user: Some tickets in this cluster relate to FTX claim accounts or SoFi-linked accounts that have separate verification and enterprise setup flows.
  • Check browser/device: Confirm the customer is using the latest version of Chrome on a desktop/laptop, as the platform is optimized for this environment.

Resolution

Scenario: my-me-cant-2fa#2fa-label-confusion

Trigger: Customer is prompted for a "2FA Label" during 2FA setup and does not understand what to enter, or receives an "Unauthorized" error or an error ID such as bg-ui-1ba7accd79287331839b10c43451e10f when attempting to complete 2FA registration.

Signals: 2FA Label, Unauthorized, bg-ui-1ba7accd79287331839b10c43451e10f, what is 2FA Label, cant pass 2fa, two codes

Steps:

  1. Advise the customer to use the latest version of Chrome on a desktop/laptop for optimal platform performance.
  2. Explain that the "2FA Label" field can be anything the customer wishes to name their 2FA device. It is a user-chosen label, not a code.
  3. Provide examples of acceptable 2FA labels:
    • Touch ID — for fingerprint-based authentication
    • Yubikey — for a physical security key
    • Verification Code — for email-based 2FA
    • Fast OTP — for Yubikey-generated OTP
  4. If the error persists after entering a label and a valid authenticator code, ask the customer to provide screenshots and the full error ID for further investigation.
  5. If the issue is specifically a Verification Failed error on the user.addotp endpoint (visible in platform logs), investigate whether the OTP code or WebAuthn challenge is being transmitted correctly. Escalate to engineering if needed.

Notes: Some customers are confused because the flow appears to require "2 codes." Clarify that one field is the authenticator OTP code and the other is the user-defined label — the label is not a second code.

"2FA Label can be anything you wish to name. Examples of 2FA (Two-Factor Authentication) labels include: Touch ID... Yubikey... Verification Code... Fast OTP" (ticket #125036)

"The error message ErrorID: bg-ui-1ba7accd79287331839b10c43451e10f appears again. What should I do, how to pass, why is there a problem with 2FA Label?" (ticket #144089)

Scenario: my-me-cant-2fa#self-service-2fa-reset-lost-device

Trigger: Customer has lost access to their 2FA device (e.g., phone with Google Authenticator) and needs to reset 2FA to regain account access.

Signals: reset 2fa, lost phone, lost authenticator, cant login, 2fa code, need reset, cool off, cool-off period, new IP address

Steps:

  1. Inform the customer they can attempt a self-service 2FA reset from the login page by clicking "Reset 2FA."
  2. If the customer is resetting from a new IP address, the platform enforces a 24-hour cool-off period. They will see: "You're attempting to reset your 2FA from a new IP address. BitGo requires a 24-hour cool-off period before you can continue. You can try again in [time remaining]." They must wait and retry.
  3. Depending on wallet balance, the self-service reset may require Persona ID and liveness verification, or a video ID verification with support.
  4. If the customer has 2FA recovery codes (generated during account setup), they can use those to recover access.
  5. If self-service reset is not possible, proceed to a manual 2FA reset by verifying account ownership. Request all of the following from the customer:
    • Date of BitGo email verification (search for "Your BitGo Email Verification" in inbox)
    • 3 transaction hashes either to or from their wallet (if they do not have TXIDs, they should contact the exchange they originally received crypto from)
    • Wallet balance (in cryptocurrency, with wallet name)
  6. If the customer does not have the above information, accept the first 8 characters and the last 8 characters of the BitGo Public Key from their wallet keycard. Ask them to provide the name of the wallet the keycard applies to.
  7. Once the information is verified against internal records, perform the manual 2FA reset using the admin tool.

Notes: BitGo does not store or have access to wallet passcodes. If the customer also cannot remember their wallet password after 2FA is reset, they must use their wallet keycard to recover access via "Forgot wallet password" in Wallet settings. BitGo cannot reset wallet passwords.

"Before we can initiate the manual reset, we need to verify your ownership of the wallet. Therefore, we require all of the following information: Date of BitGo email verification (search for 'Your BitGo Email Verification' in inbox)... 3 transaction hashes either to or from your wallet... Wallet balance in crypto currency (please provide the name of the wallet)... If you do not have the above information, we can also accept the First 8 characters and the Last 8 Characters of the Bitgo Public Key from your keycard." (ticket #184023)

"To do this, go to your Wallet settings and click on 'Forgot wallet password to start your recovery'." (ticket #195620)

Scenario: my-me-cant-2fa#premium-client-2fa-reset-video-verification

Trigger: Customer is a premium/enterprise client or SoFi user who cannot set up or reset 2FA and requires video identity verification.

Signals: video verification, Calendly, videoid, premium client, enterprise, cant set up 2fa, nothing to bypass or reset

Steps:

  1. Acknowledge the customer's request to reset or set up 2FA.
  2. Provide the Calendly scheduling link for a video ID verification call: https://calendly.com/bitgo-client-delivery/videoid
  3. Instruct the customer to have their government-issued photo ID ready during the meeting.
  4. Ask the customer to reference their ticket number (e.g., #00328456) when scheduling.
  5. Note: If the customer is not initially verified by BitGo, advise them to bring someone already verified who can authorize their identity on the call.

Notes: This flow applies to premium/enterprise clients and some SoFi-linked accounts. Standard self-service users should use the self-service reset flow first.

"Please use the following link to schedule a time to meet with us and verify the request: https://calendly.com/bitgo-client-delivery/videoid. Please be ready to provide your government issued photo ID during this meeting. Please reference ticket #00328456 when scheduling. Note: If you are not initially verified by BitGo, please bring the person on the call who has already verified and can authorize your identity." (ticket #210128)

Scenario: my-me-cant-2fa#new-account-2fa-setup-failure

Trigger: Customer just created an account and is immediately prompted for a 2FA code they never set up, or the 2FA setup flow crashes/fails with a Verification Failed error.

Signals: just created account, new account, 2fa code immediately, Verification Failed, user.addotp, bg-ui-d0ed5045a9dce08d8123b7a1f1d579ac, webauthn, application crashing

Steps:

  1. Ask the customer to use the latest version of Chrome on a desktop/laptop (not a mobile device).
  2. Ask the customer to provide screenshots of the error and the full error ID shown in the UI.
  3. Check platform logs for the error ID. Look for user.addotp 400 error: Verification Failed entries. Check the "type" field — if it shows "type": "webauthn", the WebAuthn registration may be failing due to device/browser incompatibility.
  4. If the customer is on a mobile device (e.g., Android Chrome), advise switching to a desktop/laptop as the platform is optimized for desktop Chrome.
  5. Advise the customer to navigate to account settings, look for the option to add 2-Factor Authentication, select "add a new 2FA device," and scan the QR code displayed with their authenticator app (e.g., Google Authenticator).
  6. If the issue persists, escalate to engineering with the error ID and full log context.

Notes: Some new users on FTX claim flows encounter this issue because the FTX enterprise account creation may have a separate 2FA state. These FTX-related tickets have been bulk-resolved; if a customer on an FTX claim flow re-opens, verify whether the FTX enterprise account is correctly set up.

"user.addotp 400 error: Verification Failed... "type":"webauthn"... agent: Chrome Mobile, version 132.0.0, os Android" (ticket #200408)

"Please login to your BitGo account and go to the account settings page and look for the option add 2-Factor Authentication and select add a new 2FA device which will popup a QR code which you then need to scan with the authentication app from your phone." (ticket #188256)

Scenario: my-me-cant-2fa#not-bitgo-platform-scam-site

Trigger: Customer provides screenshots or URLs that do not belong to the BitGo platform (e.g., "BitGo Global," bitgogogogo.com, or other unrecognized domains).

Signals: BitGo Global, bitgogogogo.com, not our platform, not affiliated, scam, fraudulent site, withdrawal not working, cant find account

Steps:

  1. Ask the customer for the URL they use to log in.
  2. If the URL or screenshot does not match BitGo's official platform, inform the customer: "This is not a site we own or operate. This site is also not affiliated with Bitgo.com. We are unable to assist you with any request from this site."
  3. Provide the official BitGo URLs:
    • Official site: https://www.bitgo.com/
    • Official platform login: https://app.bitgo.com/login
    • Mobile apps: available only on the official Apple Store and Google Play Store.
  4. If no account is found for the customer's email on the BitGo platform, inform them accordingly.
  5. Close the ticket. BitGo cannot assist with issues on third-party or fraudulent platforms.

Notes: Do not provide any account information, password resets, or 2FA resets for accounts that do not exist on the BitGo platform. A significant number of contacts in this cluster originate from users of impersonating sites.

"The screenshot you provided is not for our company. We are Bitgo.com. Bitgo Global is not owned, operated, or associated with us." (ticket #48211)

"This is not a site we own or operate. This site is also not affiliated with Bitgo.com. We are unable to assist you with any request from this site." (ticket #112717)

Scenario: my-me-cant-2fa#account-frozen-self-or-requested

Trigger: Customer reports their account is frozen and cannot access it or reset 2FA.

Signals: account frozen, freeze, unfreeze, froze my own account

Steps:

  1. Check the audit logs in the admin tool to determine whether the account was frozen by the customer themselves or by BitGo.
  2. If the customer froze their own account, inform them: "We checked the audit logs and it seems you froze your own account."
  3. Ask whether they want the account unfrozen.
  4. If the customer confirms, unfreeze the account via the admin tool.
  5. If the customer requests the account remain frozen (e.g., due to suspected fraud), confirm the freeze status and advise them to contact support via a new email when they wish to unfreeze.
  6. Note that while the account is frozen, the customer can still reset 2FA directly from their account.

Notes: Some frozen account tickets relate to FTX Retail users. These have been bulk-resolved. If a customer re-opens, verify the account status and whether it's an FTX claim account.

"We checked the audit logs and it seems you froze your own account. Do you want us to unfreeze your account?" (ticket #189817)

"As we can see, your account is currently in a frozen status. You can reset the 2FA directly from your account." (ticket #209789)

Related