Two-Step Verification Issues, Half-Signed Admin Transactions, and NPM Package Publication Delays

Problem

Customers contact BitGo support for a variety of recurring operational matters including: inability to complete two-step (2FA) verification during login or account setup, questions about "New Half-signed Admin Transaction" notifications, and delays in the publication of BitGo NPM packages (e.g., @bitgo/utxo-lib, bitgo, @bitgo/account-lib). These issues span account access, wallet administration workflows, and developer tooling. Customers may report being locked out, confused by admin transaction emails, or blocked on development work due to stale package versions.

Diagnostics

• Two-step verification issues:

  • Confirm the customer's account email and whether they have an active BitGo account at https://app.bitgo.com/auth/log-in.
  • Check whether the customer has previously enrolled in 2FA (TOTP via authenticator app or Yubikey).
  • Determine whether the customer lost access to their 2FA device, or is encountering an error during the 2FA prompt.
  • Verify whether the customer is attempting to set up a new account or regain access to an existing one.

• New Half-signed Admin Transaction notifications:

  • Determine whether the customer is an admin/owner on the wallet referenced in the notification email.
  • Check whether there is a pending policy change, user addition/removal, or whitelist update on the wallet that would generate a half-signed admin transaction requiring a second signature.
  • Confirm whether the customer recognizes the action or suspects unauthorized activity.

• NPM package publication delays:

  • Check the package's NPM page (e.g., https://www.npmjs.com/package/@bitgo/utxo-lib, https://www.npmjs.com/package/bitgo) for the latest published version and date.
  • Compare the latest NPM release to the latest commits on the relevant BitGo GitHub repository master branch.
  • Determine whether the customer needs a specific feature or fix that exists in source but not yet in a published release.

Resolution

---

Scenario: every-ignored-months-step#2fa-verification

Trigger: Customer contacts support with subject or description referencing "2 step verification," "two step verification," or "2 step authentication" and cannot complete login or account setup.

Signals: 2 step verification, two step verification, 2FA, authentication, login, locked out, step verification

Steps:

1. Confirm the customer's identity using standard account verification procedures.
2. Determine whether the customer has lost access to their 2FA device or is encountering an error during the 2FA step.
3. If the customer lost their 2FA device, follow the internal 2FA reset process (identity verification, video verification if required by enterprise policy).
4. If the customer is setting up a new account and is stuck on the 2FA enrollment step, walk them through the authenticator app setup process and direct them to https://app.bitgo.com/auth/log-in.
5. If the issue persists or is unclear, escalate to the appropriate internal team for further investigation.

Notes: A large volume of tickets reference "2 step verification" with minimal diagnostic detail recorded. Agents should ensure thorough documentation of the root cause and resolution steps taken for each case.

---

Scenario: every-ignored-months-step#half-signed-admin-transaction

Trigger: Customer receives an automated email with subject "New Half-signed Admin Transaction" and contacts support to understand or act on it.

Signals: half-signed admin transaction, admin transaction, pending approval, wallet policy, whitelist, second signature

Steps:

1. Explain to the customer that a "New Half-signed Admin Transaction" notification indicates a pending administrative action on their wallet (such as a policy change, user role update, or whitelist modification) that requires a second signature from another wallet admin.
2. Direct the customer to log in at https://app.bitgo.com/auth/log-in and navigate to the wallet's pending approvals section.
3. If the customer recognizes the action, instruct the appropriate second admin to review and co-sign the transaction.
4. If the customer does not recognize the action or suspects unauthorized activity, escalate immediately to the security/compliance team for investigation.

Notes: These notifications are generated automatically by the BitGo platform whenever an admin-level wallet change is initiated. Multiple tickets for these notifications from the same enterprise may indicate a batch of policy or user changes being processed.

---

Scenario: every-ignored-months-step#npm-package-publication-delay

Trigger: Customer or developer reports that a BitGo NPM package (e.g., @bitgo/utxo-lib, bitgo, @bitgo/account-lib) has not been updated on NPM for an extended period despite new commits in the source repository.

Signals: npm, package, publish, utxo-lib, bitgo, account-lib, release, outdated, months, dev version, ecash

Steps:

1. Verify the current published version and date on the relevant NPM page:
   • https://www.npmjs.com/package/@bitgo/utxo-lib
   • https://www.npmjs.com/package/bitgo
2. Direct the customer to the latest available resources:
   • NPM: https://www.npmjs.com/package/bitgo
   • Docker: https://hub.docker.com/r/bitgo/express/tags
3. If the customer confirms the published version does not include the feature they need, escalate to the engineering team requesting whether a newer version or a dev/rc version can be published.
4. Follow up with the customer once engineering provides an update or a new release is published.

Notes: In at least one case, engineering published a new release within approximately two weeks of the escalation. Automated "Successfully published" notification tickets (e.g., bitgo@9.6.0-rc.1, bitgo@11.0.1, @bitgo/account-lib@1.0.0-alpha.1, bitgo-utxo-lib@1.8.0) confirm that package releases do occur but may lag behind the master branch by weeks or months.

"This hasn't been published in a couple of months. I'm looking to use the latest version to use the ecash tx support now in the latest master. If it's still not ready to publish a new version, could you publish a dev version of the latest master?" (ticket #209467)

"You can find the latest resources at the following links: https://www.npmjs.com/package/bitgo https://hub.docker.com/r/bitgo/express/tags" (ticket #209467)

"We are following up to check if you are still experiencing this issue or if your issue has been resolved. We are showing a new release as of yesterday." (ticket #209467)

Related

• managing-wallet-users — Covers wallet member roles and admin permissions relevant to half-signed admin transaction approvals.
• custodial-enterprise-overview — Describes enterprise user management, onboarding, and video verification processes relevant to 2FA setup.
• keycards-and-private-keys — Covers wallet security best practices including warm/hot wallet configurations that may trigger admin transactions.