mirror of
https://github.com/bitwarden/android.git
synced 2026-05-06 07:48:22 -05:00
[GH-ISSUE #6526] [PM-32136] Bitwarden is hallucinating some TOTP verification codes #21728
Open
opened 2026-04-16 22:20:54 -05:00 by GiteaMirror
·
14 comments
No Branch/Tag Specified
main
sdlc/sdk-update
new-item-types/PM-32810_bank-account-view
new-item-types/PM-32810_bank-account
beta-for-qa
BWA-253/not-displaying-totp-coded-with-empty-key
target-sdk-37
vvolkgang/renovate-remove-group
pm-34038/card-scanner-qa-fixes
PM-33982/build-device-screen
PM-30625/filter-out-empty-totp-vault-count
vvolkgang/update-jira-release-notes
new-item-types/PM-34123_new-item-menu
new-item-types/PM-32806_passport
new-item-types/PM-32808_drivers-license
BWA-99/show-next-totp
BWA-99/add-preview-next-totp-code-setting
renovate/glidecompose
chore/improve-android-ui-verification-skill
sync-min-sdk
release/2026.4-rc51
fix/security-sast-22741894-bvwj
related-origin-passkey-creation
release/2026.4-rc50
platform/android-breaking-change-detection
innovation-sprint-2026-send-folder
release/2026.3-rc49
PM-34193-vault-lockout
android-collections
llm/add-resolving-sdk-updates-skill
QA-1523/sanity-test-saucelabs
release/2026.3-rc48
PM-26577-app-links-support
PM-26896-autofill-fix
release/2026.2-rc47
pr-6572
release/2026.2-rc46
release/2026.1-rc45
PM-30644/added-logs-for-debug
PM-30644/quicktile-nav-not-showing-migration
minor-gradle-updates
release/2026.1-rc42
release/2026.1-rc44
release/2026.1-rc43
PM-28834/set-landscape-on-horizonos-devices
PM-28468/validate-and-navigate-to-vault-migration
PM-20026/force-ltr-passwords-and-codes
release/2025.12-rc41
cmcg/testCoverage
PM-29014/talkback-support-for-passwords
release/2025.12-rc40
BRE-1305/publish_test
accept-user-certs
autofill-permissions
release/2025.11-rc39
PM-22479/check-all-certificates-validate-asset-links
release/2025.10-rc38
agalles/android-latest
retro-agent
PM-27001/skip-account-selection-only-one-exists-cxp
release/2025.10-rc37
agalles/test-1118
release/2025.10-rc36
PM-20593-token-refresh
QA-1126b/adding-native-sanity-test
release/2025.9-rc35
pm-25933/sdk-update-password
release/2025.9-rc34
release/2025.8-rc33
agalles/20250821-release
debug-release-issues
pm-24249-allow-automated-prs-for-sdk-updates
release/2025.8-rc32
release/WORKFLOW-TEST-2025.8-rc28
agalles/20250807release
release/2025.07-rc25
release/hotfix-v2025.7.0-bwa
pm-23311/export-vault-policy-bypass
release/2025.07-rc24
authenticator-pm-sync-flags-issue
release/hotfix-v2025.6.0-bwpm
release/2025.06-rc21
agalles/automate-android-fastlane-patch
release/2025.05-rc20
release/2025.04-rc19
languages/basque
release/2025.03-rc19
update-readme
qrcode/feature
innovation/archive/pm-19153-archive-items
qrcode/2-ui-fields
qrcode/1-page
hold-on-biometric-prompt-alternative
release-notes-process
release/2025.02-rc16
bwa-monorepo
PM-8223/new-device-verification-ux-improvements
pm-18451/exempt-from-policies
test-bwa
release/2025.01-rc15
release/2025.01-rc14
release/2024.12-rc13
pm-16670/sync-leave-notice
821
PM-16695/backport-lean-more-new-device-verification
release/hotfix-v2024.11.7
release/2024.11-rc1
pm-11304/collection-add-item-button
PM-14241/disabling-logs-app-crash
poc/offline-editing
new-version-calc
pm-11649/expired-link-services
pm-6702/add-feature-flag
pm-6702/email-verification-feature
pm-9933/marketing-copy-update
pm-6702/registration-flows
update-templates
pm-6701/email-verification-selfhost-registration
v2026.4.0-bwa
v2026.4.0-bwpm
v2026.3.1-bwa
v2026.3.1-bwpm
v2026.3.0-bwpm
v2026.3.0-bwa
v2026.2.1-bwpm
v2026.2.1-bwa
v2026.2.0-bwpm
v2026.2.0-bwa
v2026.1.1-bwa
v2026.1.1-bwpm
temp-test
v2026.1.0-bwpm
v2026.1.0-bwa
v2025.12.1-bwa
v2025.12.1-bwpm
v2025.12.0-bwa
v2025.12.0-bwpm
v2025.11.1-bwpm
v2025.11.1-bwa
v2025.11.0-bwpm
v2025.11.0-bwa
v2025.10.1-bwa
v2025.10.1-bwpm
v2025.10.0-bwa
v2025.10.0-bwpm
v2025.9.1-bwa
v2025.9.1-bwpm
v2025.9.0-bwa
v2025.9.0-bwpm
v2025.8.1-bwa
v2025.8.1-bwpm
v2025.8.0-bwa
v2025.8.0-bwpm
v2025.7.2-bwa
v2025.7.2-bwpm
v2025.7.1-bwa
v2025.7.1-bwpm
v2025.7.0-bwa
v2025.7.0-bwpm
v2025.6.1-bwpm
v2025.6.0-bwa
v2025.6.0-bwpm
v2025.1.0-bwa
v2025.5.0-bwa
v2025.5.0-bwpm
v2025.5.999
2025.4.0
v2025.4.0
untagged-4731eaadac73f3dfbbb8
v2025.3.0
v2025.2.0
untagged-815a165c5d70ffe75bc7
v2025.1.2
v2025.1.1
v2025.1.0
v2024.12.0
untagged-5a76b6392a4c8998c63a
v2024.11.7
v2024.11.6
v2024.11.5
v2024.11.4
v2024.11.3
v2024.11.2
v2024.11.1
v2024.11.0
v2024.10.2
v2024.10.1
v2024.10.0
v2024.9.0
v2024.8.1
v2024.8.0
v2024.7.3
v2024.7.2
v2024.7.1
v2024.7.0
v2024.6.1
v2024.6.0
v2024.5.1
v2024.4.1
v2024.4.2
v2024.4.0
v2024.3.3
v2024.3.1
v2024.3.0
v2024.2.1
v2024.2.0
v2024.1.1
v2024.1.0
v2023.12.0
v2023.10.0
v2023.9.2
maui-single-project-android
v2023.9.1
v2023.9.0
v2023.8.0
v2023.7.0
v2023.5.0
v2023.4.0
v2023.3.2
v2023.3.1
v2023.3.0
v2023.2.0
v2023.1.0
v2022.11.0
v2022.10.0
v2022.9.1
v2022.9.0
v2022.8.0
v2022.6.2
v2022.6.1
v2022.6.0
v2022.05.0
v2.18.0
v2.17.0
v2.16.4
v2.16.3
v2.16.2
v2.16.1
v2.15.0
v2.14.2
v2.14.1
v2.14.0
v2.13.0
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.1
v2.9.0
v2.8.2
v2.8.1
v2.8.0
v2.7.2
v2.7.0
v2.6.1
v2.6.0
v2.5.6
v.2.5.5
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.8
v2.2.7
v2.2.6
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.22.1
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.4
v1.14.1
v1.14.0
v1.13.0
v1.12.2
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.1
v1.8.0
v1.7.0
v1.6.5
v1.6.1
v1.6.0
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.0
v1.3.0
v1.2.1
v1.2.0
v1.1.0
v1.0.0
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/android#21728
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @zotabee on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/bitwarden/android/issues/6526
Steps To Reproduce
Basically, the Bitwarden (full password manager) android app is showing me some TOTP codes for some entries who don't have TOTP key/code at all. (Field completely empty - never used - never filled)
It's definitively a new / recent bug on the Android app. Not sure if it's reproducible.
It's only happening on my most recently created entries, from these past couple days. I noticed because I have a discrepancy of how many TOTP I have between my different password managers.
My usual process is creating entries manually in the web version of Bitwarden. Auto-filling with the addon or Android app when needed to login.
I confirm that on like my 4-5 most recent entries from the past few days, I have this bug. It's services/websites without TOTP keys.
Interestingly these entries are all showing the same fake TOTP code. No idea where is this getting from.
There is no problem on the web version or the Firefox addon, only happening on the android app. A sync doesn't help.
Expected Result
Don't show TOTP/Verification code if the TOTP field is empty, like it always did in the past.
Actual Result
I'm seeing fake TOTP that doesn't exist for entries that don't have a TOTP at all, never had.
Screenshots or Videos
Additional Context
It seems that only my last newly created logins/entries are impacted, from the last two weeks maybe. From end of January ~31th to Feb 8 are impacted. All created from the web version.
Build Version
© Bitwarden Inc. 2015-2026
Version: 2026.1.1 (21176)
📱 samsung SM-S931B 🤖 16@36 📦 prod
🧱 commit: bitwarden/android/release/2026.1-rc45@0ee3e2e24968837b9c8b260e105751750271540f
💻 build source: bitwarden/android/actions/runs/21527118876/attempts/1
🦀 SDK: 2.0.0-4676-0544ddec
🌩 Server: 2026.1.1 @ US
What server are you connecting to?
EU (well it seems it's US from the android app but I'm EU based)
Self-host Server Version
No response
Environment Details
Issue Tracking Info
@bitwarden-bot commented on GitHub (Feb 12, 2026):
Thank you for your report! We've added this to our internal board for review.
ID: PM-32136
@pamperer562580892423 commented on GitHub (Feb 12, 2026):
Another user here.
In the app, go to Settings --> Other --> "Allow screen capture" and you can...
It would also be useful, if you copied & pasted everything from BW app --> Settings --> About --> Version in here (best: add it to your OP).
@Krychaz commented on GitHub (Feb 12, 2026):
Hi there,
Are you able to replicate it if you create a new, dummy entry? As mentioned by @pamperer562580892423 it would be very useful to get a screen recording.
@zotabee commented on GitHub (Feb 12, 2026):
@pamperer562580892423 Done, thanks.
@Krychaz Done. I tested a new dummy entry like I usually do, didn't reproduce. I'm going to try again. No, I can't reproduce with new entries so far. But my "ghost" TOTP entries are still there, with the same common fake code. It's life for 4-5 entries, all recently created in the last couple weeks max. On about 110 total TOTP entries.
@zotabee commented on GitHub (Feb 12, 2026):
All good on the web version and via the addon, no TOTP, as expected, chess dot com doesn't even have nor never supported TOTP.
@pamperer562580892423 commented on GitHub (Feb 12, 2026):
Ha, seems you could make good use of the screen capture function now. 😉
Maybe a bit silly, but just to be sure:
Probably it doesn't mean anything, but I recognized that your Chess.com login item has time stamps that are one hour apart (Android app <--> web vault), so your devices are in different time zones?
Ah, and just FYI:
Okay, you're EU based, but when the Android app shows "US", that should mean the BW account you're currently logged in with was created on the BW US cloud server (
vault.bitwarden.com) - and not on the BW EU cloud server (vault.bitwarden.eu).@zotabee commented on GitHub (Feb 13, 2026):
👍
Yep, 100% affirmative, only entry of each, no duplicate. And yes, I enter "Edit" from the "View" screen to show there is no key set in those entries.
Amongst these bugged entries, they all show the same TOTP code. They take it from somewhere, somehow.
Yep, you are right, It's because I use a privacy focused browser that set me in a different timezone, UTC. That's why there is a difference between the browser and the app. Never had been an issue since I use BW though.
Interesting, maybe because I use bitwarden.com.
@pamperer562580892423 commented on GitHub (Feb 15, 2026):
There now is another report about this issue: https://community.bitwarden.com/t/bitwarden-created-a-bogus-totp-for-google-for-nonprofit-users/93904
@cyfra80 commented on GitHub (Mar 24, 2026):
I have the same issue.
When I create a item on the website or in the extension, a 6-digit TOTP code appears in the Android app.
The only workaround is to go to the edit screen in the Android app and delete the empty “authentication key” field
@TheRealOwnerOfTheDimmsdaleDimmadome commented on GitHub (Mar 25, 2026):
Same issue here on Android 13. Have to fix it after every new entry.
@weirdcrap commented on GitHub (Mar 25, 2026):
This just appeared for the first time for me as well. I created an account on backerkit and saved my info in the browser extension. I never setup MFA and the secret field is empty yet the Android app now has a phantom TOTP code for that entry.
@florian101010 commented on GitHub (Mar 27, 2026):
Have the same problem on iOS app. I just saved a passkey (nothing else) into a new entry, now its showing a TOTP entry for this...
@dclaar commented on GitHub (Apr 2, 2026):
I have a bunch of email passwords for our domain users. (This is https://community.bitwarden.com/t/bitwarden-creates-a-bogus-totp-code/93904). So, username1@domain, username2@domain, etc.
These all have the same bogus TOTP. They do not show up as having a code in the authenticator app.
Since I wrote that report, I added another TOTP via the authenticator app, using a Google authenticator QR code.
It shows up 3 times in the authenticator app: 2 times under "LOCAL CODES", and 1 time under my bitwarden account. All 3 have the same TOTP. (This seems to happen for all TOTPs added via Google authenticator QR codes: The vault one is probably WAI, since I copied it to the vault).
This TOTP spawned another bogus TOTP:
I had 2 entries: "Synology Disk station" and "Synology Disk Station Time Machine". The authenticator app asked which one I wanted to use. I picked "Synology Disk station", and that has the correct TOTP; however, the other entry has the same bogus TOTP as the emails.
Deleting them manually appears to work, and--so far--they haven't come back, but I haven't added another @domain entry, so the jury's still out....
@richtesoriero commented on GitHub (Apr 10, 2026):
I have the same problem on the iOS app. Each new login entry adds a bogus TOTP. Just wasted 90 minutes on this after upgrading my account to premium to "clean up" my shared accounts. Disappointing.