duo for orgs documentation (#470)

_articles/plans-and-pricing/about-bitwarden-plans.md

@@ -47,7 +47,7 @@ In the following table, "premium features" (included for **Premium Individual**
 |Secure Password Generator|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |Cloud or Self-hosting|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |[Encrypted Export]({% link _articles/importing/encrypted-export.md %})|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
-|*[Two-step login]({% link _articles/two-step-login/setup-two-step-login.md %})|via authenticator apps or email|via authenticator apps, email, Yubikey, U2F, and Duo|via authenticator apps, email, Yubikey, U2F, and Duo|
+|*[Two-step login]({% link _articles/two-step-login/setup-two-step-login.md %})|via authenticator apps or email|via authenticator apps, email, Yubikey, U2F, and Duo|via authenticator apps, email, Yubikey, U2F, and Duo (does not include [Duo for Organizations]({% link _articles/two-step-login/setup-two-step-login-duo.md %}))|
 |*[Encrypted file attachments]({% link _articles/features/attachments.md %})|-|1 GB|1 GB per user + 1 GB shared|
 |*[Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %}) (TOTP)|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |*[Vault Health Reports]({% link _articles/features/reports.md %})|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
@@ -92,6 +92,7 @@ In the following table, "premium features" (included for **Teams Organizations**
 |Max no. of Collections|2|Unlimited|Unlimited|
 |[Encrypted Export]({% link _articles/importing/encrypted-export.md %})|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |*[Two-step login]({% link _articles/two-step-login/setup-two-step-login.md %})|via authenticator apps or email|via authenticator apps, email, Yubikey, U2F, and Duo|via authenticator apps, email, Yubikey, U2F, and Duo|
+|[Duo for Organizations]({% link _articles/two-step-login/setup-two-step-login-duo.md %})|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |*[Encrypted file attachments]({% link _articles/features/attachments.md %})|-|1 GB per user + 1 GB shared|1 GB per user + 1 GB shared|
 |*[Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %}) (TOTP)|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|
 |*[Personal Emergency Access]({% link _articles/security/emergency-access.md %})|-|<i class="fa fa-check" aria-hidden="true"></i>|<i class="fa fa-check" aria-hidden="true"></i>|

_articles/two-step-login/lost-two-step-device.md

@@ -1,6 +1,6 @@
 ---
 layout: article
-title: Lost Two-step Device
+title: Lost Secondary Device
 categories: [two-step-login]
 featured: false
 popular: false
@@ -8,24 +8,38 @@ tags: [two-step login, 2fa, two factor authentication, account]
 order: 09
 ---
 
-If you lose access to the device or method that you use for Two-step Login, you can recover your account using a Two-step Login **Recovery Code**. If you have your Recovery Code, see [Two-step Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) to learn how to use it to recover your account.
+Losing access to your secondary device(s) (e.g. a Mobile device with an installed Authenticator, a Security Key, or a linked Email inbox) has the potential to lock you out of your Bitwarden Vault.
 
-## I Don't Have a Recovery Code
+What to do when you've lost access to your secondary device(s) depends on whether you've saved your [Two-step Login Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}). If you're unsure, remember that Recovery Codes need to be actively saved (i.e. Bitwarden won't save it anywhere *for you*) and look something like this:
 
-If you've lost your Two-step Login Device and don't have a Recovery Code, there is unfortunately no way for the team to recover the account or the data therein. You will need to delete your account and start a new one.
+{% image /two-step/recoverycode.png Sample Recovery Code %}
+
+## Have a Recovery Code?
+
+Excellent! If you have have your Recovery Code saved somewhere, you can use it to disable all Two-step Login methods from outside your Vault. Learn more [here]({{site.baseurl}}/article/two-step-recovery-code/#use-your-recovery-code).
 
 {% callout success %}
-If you're using any Bitwarden client applications (Mobile Apps, Browser Extensions, etc.) you should check whether any of these sessions are still logged in prior to deleting your account. If a client application is still logged in, [Export Vault Data]({% link _articles/account/export-your-data.md %}) to a file for import into a new account.
+Recovery Codes **won't disable Duo for Organizations**. You can tell that a Duo prompt is Organization-wide by the **(Organization)** header, as in the following screenshot:
+
+{% image /two-step/duo/duo-orgs.png Duo (Organization)%}
+
+If you're locked out of your Vault by a **Duo (Organization)** prompt, reach out to the Duo Administrator at your company for help bypassing the prompt.
 {% endcallout %}
 
-Complete the following steps to delete your account:
+## Don't have a Recovery Code?
 
-{% callout warning%}
+If you don't have your Recovery Code saved somewhere outside of your Vault, there is unfortunately no way for the team to recover the account or data therein. You'll need to delete your account and start a new one.
-This action is permanent and cannot be undone.
+
+{% callout success %}
+Before proceeding to delete your account, **check if you're currently logged in to any Bitwarden client applications** (Mobile Apps, Browser Extensions, etc.). If you are, [export your vault data]({% link _articles/account/export-your-data.md %}) to preserve your data.
 {% endcallout %}
 
+To delete your account:
+
 1. Navigate to [vault.bitwarden.com/#/recover-delete](https://vault.bitwarden.com/#/recover-delete).
 2. Enter the **Email Address** associated with your account.
 3. In your email inbox, open the email and verify that you want to delete this Bitwarden account.
 
-Once deleted, you're free to create a new Bitwarden account with that email address. If you delete a Bitwarden account that has a Premium subscription associated with it, [Contact Us](https://bitwarden.com/contact/){:target="\_blank"} and we'll reapply your existing subscription to the new account.
+Once deleted, you're free to create a new Bitwarden account with that email address.
+
+If you delete a Bitwarden account that has a Premium subscription associated with it, [Contact Us](https://bitwarden.com/contact/){:target="\_blank"} and we'll reapply your existing subscription to the new account. If you were able to successfully export your Vault data prior to deletion, you can easily [import it into the new account]({% link _articles/importing/import-data.md %}).

_articles/two-step-login/setup-two-step-login-authenticator.md

@@ -15,7 +15,7 @@ Two-step Login using a third-party authenticator app (for example, [Authy](https
 Complete the following steps to enable Two-step Login using an authenticator app:
 
 {% callout warning %}
-**Losing access to your authenticator app can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
+**Losing access to your authenticator app can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.
 
 [Get your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after enabling any method.
 {% endcallout %}

_articles/two-step-login/setup-two-step-login-duo.md

@@ -8,13 +8,15 @@ tags: [two-step login, 2fa, two factor authentication, account, duo, sms]
 order: 05
 ---
 
-Two-step Login using Duo is available for Premium users, including members of a Paid Organization (Families, Teams, or Enterprise).
+Two-step Login using Duo is unique among Bitwarden's [available Two-step Login methods]({% link _articles/two-step-login/setup-two-step-login.md %}) in that it can be enabled for a Personal Vault (like the other methods) or **enabled for an entire Organization** by [Teams and Enterprise Organizations]({% link _articles/organizations/about-organizations.md %}).
 
-Enabling Duo for your Organization will prompt all enrolled members to register a device for Duo Two-step Login on their next login. Users with user type **Owner** can enable Two-step Login via Duo for the Organization. For more information, see [User Types and Access Control]({% link _articles/organizations/user-types-access-control.md%}).
+Enabling Duo for an Organization will prompt all enrolled members to register a device for Duo Two-step Login on their next login.
 
-## Activate Bitwarden in Duo
+[Configuring Duo](#activate-bitwarden-in-duo) in the Admin Panel and [registering a device](#register-a-device) will follow the same procedure in either case, but the interstitial [setup procedure](#setup-duo) varies slightly depending on whether you're setting up Duo for yourself or for an Organization.
 
-In order to use Two-step Login to access Bitwarden using Duo, you'll need a Duo account. [Sign up for free](https://signup.duo.com/){:target="_blank"}, or log in to your existing [Duo Admin Panel](https://admin.duosecurity.com/login){:target="_blank"}, and complete the following steps:
+## Configure Duo
+
+You'll need a Duo account in order to obtain some information required by Bitwarden to complete setup. [Sign up for free](https://signup.duo.com/){:target="_blank"}, or log in to your existing [Duo Admin Panel](https://admin.duosecurity.com/login){:target="_blank"}. To configure Duo:
 
 1. In the left menu, navigate to **Applications**.
 2. Select the **Protect an Application** button.
@@ -26,43 +28,91 @@ Take note of the **Integration Key**, **Secret Key**, and **API Hostname**. You
 
 ## Setup Duo
 
-Complete the following steps to enable Two-step Login using Duo:
+Setting up Duo in Bitwarden is slightly different depending on whether you're enabling it for your **Personal Vault** or **Organization**. Select one of the following tabs accordingly for instructions:
+
+<ul class="nav nav-tabs" id="myTab" role="tablist">
+  <li class="nav-item" role="presentation">
+    <a class="nav-link active" id="andtab" data-bs-toggle="tab" data-target="#personal" role="tab" aria-controls="personal" aria-selected="true">Personal</a>
+  </li>
+  <li class="nav-item" role="presentation">
+    <a class="nav-link" id="orgtab" data-bs-toggle="tab" data-target="#organization" role="tab" aria-controls="organization" aria-selected="false">Organization</a>
+  </li>
+</ul>
+
+<div class="tab-content" id="clientsContent">
+  <div class="tab-pane show active" id="personal" role="tabpanel" aria-labelledby="pertab">
+{% capture and_gs %}
+
+#### Setup for your Personal Vault
 
 {% callout warning %}
-**Losing access to your Duo-enabled device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
+**Losing access to your Duo-enabled device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.
 
-[Get your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after enabling any method.
+[Get your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after completeting the following steps.
 {% endcallout %}
 
-1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
+To enable Two-step Login using Duo for your Personal Vault:
-2. If you're an Individual User, select **Settings** from the top navigation bar.
 
-   If you're an Organization Owner, open your Organization and select the **Settings** tab.
+1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
-3. Select **Two-step Login** from the left-side menu.
+2. Select **Settings** from the top navigation bar.
-4. Locate the **Duo**  or **Duo (Organization)** option and select the **Manage** option.
+
+   {% image /two-step/wv-settingstab.png Select Settings %}
+3. Select **Two-step Login** from the left-side Settings menu.
+4. Locate the **Duo** option and select the **Manage** button.
 
    {% image two-step/twostep-options-duooverlay.png Select the Manage button %}
 
    You will be prompted to enter your Master Password to continue.
-5. Enter the **Integration Key**, **Secret Key**, and **API Hostname** provided in your Duo Admin portal (see [Activate Bitwarden in Duo](#activate-bitwarden-in-duo)).
+5. Enter the **Integration Key**, **Secret Key**, and **API Hostname** [retrieved from your Duo Admin Portal](#configure-duo).
-6. Select the **Enable** button. A green `Enabled` message will indicate that Two-step Login using Duo has been enabled.
+6. Select the **Enable** button.
-7. Select the **Close** button and confirm that the **Duo** option is now enabled, as indicated by a green checkmark ( {% icon fa-check %} ).
 
-{% callout info %}
+A green `Enabled` message should appear to indicate that Duo has been enabled for your Vault. You can double-check by selecting the **Close** button and seeing that the **Duo** option has a green checkmark ( {% icon fa-check %} ) on it.
-When you setup Two-step Login, you should logout of all your Bitwarden apps to immediately activate Two-step Login for each app. You will eventually be logged out automatically.
+
+Once enabled, make sure you get your [Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}). You should also log out of all Bitwarden client apps (mobile, browser extension, etc.) to immediately trigger the Two-step Login requirement. If you don't, you will be automatically logged out of these apps eventually.
+
+{% endcapture %}
+{{ and_gs | markdownify }}
+  </div>
+  <div class="tab-pane" id="organization" role="tabpanel" aria-labelledby="orgtab">
+{% capture ios_gs %}
+
+#### Setup for your Organization
+
+{% callout warning %}
+**Organizations Only:** Once you initially [Configure](#configure-duo) and [Setup](#setup-duo) Duo, it is **critically important** that you disable it for the Organization before making any further application configuration changes from the Duo Admin Panel. To make configuration changes; disable Duo in Bitwarden, make the required changes in the Duo Admin Panel, and re-enable Duo in Bitwarden.
+
+This is because Duo for Organizations does not currently support [Recovery Codes]({% link _articles/two-step-login/two-step-recovery-code.md %}), instead you will need to rely on the Duo Admin panel to bypass Two-step Login for members who lose access to Duo. Altering the application configuration from the Duo Admin Panel while Duo is active risks losing the ability to bypass Two-step Login for you or your Organization's members.
 {% endcallout %}
 
+You must be an [Organization Owner]({% link _articles/organizations/user-types-access-control.md%}) to setup Duo for your Organization. To enable Two-step Login using Duo for your Organization:
+
+1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}.
+2. Open your Organization and select **Settings** from the Organization navigation.
+
+   {% image /two-step/wv-orgsettingstab.png Select Settings %}
+3. Select **Two-step Login** from the left-side Settings menu.
+4. Locate the **Duo (Organization)** option and select the **Manage** button.
+
+   {% image /two-step/duo/enable-org.png Select Manage %}
+
+   You will be prompted to enter your Master Password to continue.
+5. Enter the **Integration Key**, **Secret Key**, and **API Hostname** [retrieved from your Duo Admin Portal](#configure-duo).
+6. Select the **Enable** button.
+
+A green `Enabled` message should appear to indicate that Duo has been enabled for your Vault. You can double-check by selecting the **Close** button and seeing that the **Duo** option has a green checkmark ( {% icon fa-check %} ) on it.
+
+{% endcapture %}
+{{ ios_gs | markdownify }}
+  </div>
+</div>
+
 ### Register a Device
 
-In a new tab, navigate to the [Web Vault](https://vault.bitwarden.com){:target="\_blank"}. If Duo is your highest-priority Two-step Login method, you will be prompted by a Duo setup screen. Organization members will be prompted by this screen on their next login.
+Once [Duo is setup](#setup-duo), navigate to the [Web Vault](https://vault.bitwarden.com){:target="\_blank"} in a new tab. If Duo is your highest-priority Two-step Login method, you will be prompted by a Duo setup screen.
 
 {% image two-step/duo/enroll1.png Duo Setup Screen %}
 
-Follow the on-screen prompts to finish configuring Two-step Login using Duo (for example, *type of device to register* and *send SMS or send push notification*). If you haven't already downloaded the [Duo Mobile App](#get-the-duo-mobile-app), you will be prompted to do so.
+Follow the on-screen prompts to configure a Secondary Device to use Duo (for example, *type of device to register* and *send SMS or send push notification*). If you haven't already downloaded the [Duo Mobile App](#get-the-duo-mobile-app), it's recommended that you do so:
-
-### Get the Duo Mobile App
-
-To take advantage of quick Two-step Login with Duo Push, download the Duo Mobile app for free. You can alternatively use Duo for SMS, phone call, or U2F security key verification.
 
 - [Download for iOS](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8){:target="_blank"}
 - [Download for Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile){:target="_blank"}

_articles/two-step-login/setup-two-step-login-email.md

@@ -15,7 +15,7 @@ Two-step Login using email is available for free to all Bitwarden users.
 Complete the following steps to enable Two-step Login using email:
 
 {% callout warning %}
-**Losing access to your Two-step Login linked email can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
+**Losing access to your Two-step Login linked email can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.
 
 [Get your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after enabling any method.
 {% endcallout %}

_articles/two-step-login/setup-two-step-login-u2f.md

@@ -26,7 +26,7 @@ Supported applications:
 Complete the following steps to enable Two-step Login using FIDO U2F:
 
 {% callout warning %}
-**Losing access to your FIDO U2F device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
+**Losing access to your FIDO U2F device can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.
 
 [Get Your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after enabling any method.
 {% endcallout %}

_articles/two-step-login/setup-two-step-login-yubikey.md

@@ -17,7 +17,7 @@ Any [YubiKey that supports OTP](https://www.yubico.com/products/yubikey-hardware
 Complete the following steps to enable Two-step Login using Yubikey:
 
 {% callout warning %}
-**Losing access to your Yubikey can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place.
+**Losing access to your Yubikey can permanently lock you out of your Vault,** unless you write down and keep your Two-step Login Recovery Code in a safe place or have an alternate Two-step Login method enabled and available.
 
 [Get your Recovery Code]({% link _articles/two-step-login/two-step-recovery-code.md %}) from the **Two-step Login** screen immediately after enabling any method.
 {% endcallout %}

_articles/two-step-login/setup-two-step-login.md

@@ -8,13 +8,13 @@ order: 02
 tags: [two-step login, 2fa, two factor authentication, account]
 ---
 
-Using Two-step Login (also called *Two-factor Authentication*, or *2FA*) to access your Bitwarden Vault protects *all* your logins by preventing a malicious actor from accessing Vault items, even if they discover your Master Password. Since your Password Manager stores all your logins, we highly recommend that you secure it with Two-step Login.
+Using Two-step Login (also called *Two-factor Authentication*, or *2FA*) to protect your Bitwarden Vault prevents a malicious actor from accessing your Vault even if they discover your Master Password by requiring authentication from a secondary device when you log in. If you're unfamiliar with the basics of 2FA, check out our [Field Guide]({% link _articles/two-step-login/bitwarden-field-guide-two-step-login.md %}).
 
-Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password. You will not be required to complete the secondary step to **Unlock** your Vault. For help configuring Log Out vs. Lock behavior, see [Vault Timeout Options]({% link _articles/account/vault-timeout.md %}).
+There are lots of different methods for Two-step Login, ranging from dedicated Authenticator Apps to Hardware Security Keys. Whatever you choose, Bitwarden highly recommends that you secure your Vault using Two-step Login. In fact, we think it's so important that we're happy to offer a few methods [for free](#free-methods).
 
-## Available Methods
+## Two-step Login for Individuals
 
-In the [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}, enable Two-step Login methods from the **Settings** menu.
+The following Two-step Login methods can be enabled on an individual-by-indivual basis from the [Web Vault's](https://vault.bitwarden.com/){:target="\_blank"} **Settings** menu.
 
 ### Free Methods
 
@@ -35,15 +35,25 @@ For Premium users (including members of Paid Organizations), Bitwarden offers se
 |via YubiKey (any 4/5 series device or YubiKey NEO/NFC)|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-yubikey.md %}).|
 |via FIDO U2F (any FIDO U2F certified key)|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-u2f.md %}).|
 
+## Two-step Login for Teams and Enterprise
+
+While all of the above methods can be enabled on an individual-by-individual basis, Teams and Enterprise Organizations can enable the following methods **Organization-wide** from the **Organization's Settings** menu.
+
+|Method|Setup Instructions|
+|------|------------------|
+|via Duo Security with Duo Push, SMS, phone call, and U2F security keys|Click [**here**]({% link _articles/two-step-login/setup-two-step-login-duo.md %}).|
+
 ## Using Multiple Methods
 
-You can choose to enable multiple Two-step Login methods. Logging in to Bitwarden will prompt for your highest-priority enabled Two-step Login method, according to the following order of preference:
+You can choose to enable multiple Two-step Login methods. When you log in to a Vault with multiple enabled methods, Bitwarden will first prompt you for the highest-priority method according to the following order of preference:
-1. FIDO U2F
-2. YubiKey
-3. Duo
-4. Authenticator App
-5. Email
 
-You can swap to a lower-preference method by selecting the **Use another two-step login method** button:
+1. Duo (Organizations)
+2. FIDO U2F
+3. YubiKey
+4. Duo (Individual)
+5. Authenticator App
+6. Email
+
+Any option will work, though. Authenticate with a lower-preference method by selecting the **Use another two-step login method** button:
 
 {% image two-step/twostep-diffmethod.png Use another two-step login method %}

_articles/two-step-login/two-step-recovery-code.md

@@ -1,6 +1,6 @@
 ---
 layout: article
-title: Two-step Recovery Code
+title: Recovery Codes
 categories: [two-step-login]
 featured: false
 popular: false
@@ -8,32 +8,41 @@ tags: [two-step login, 2fa, two factor authentication, account]
 order: 08
 ---
 
-Your Two-step Login Recovery Code is a 32 character alpha-numeric code that, when used, will deactivate all Two-step Login methods from your account. Recovery Codes are designed for scenarios where you have lost your Two-step Login Device.
+If you enable any [Two-step Login methods]({% link _articles/two-step-login/setup-two-step-login.md %}), it's important to understand that losing access to your secondary device(s) (e.g. a Mobile device with an installed Authenticator, a Security Key, or a linked Email inbox) has the potential to lock you out of your Bitwarden Vault.
+
+To protect against this, Bitwarden generates a **Recovery Code** that can be used with your Master Password to disable any enabled Two-step Login methods from outside your Vault.
 
 {% callout success %}
-Without your Recovery Code, losing access to your device or method will permanently lock you out of your Vault. Bitwarden highly recommends downloading your Recovery Code from the Two-step Login screen **immediately after enabling any method**.
+You should [get your Recovery Code](#get-your-recovery-code) **immediately** after enabling any Two-step Login method.
 {% endcallout %}
 
-## Get Your Recovery Code
+## Get your Recovery Code
 
-Complete the following steps to retrieve your Recovery Code:
+To get your Recovery Code from your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}:
 
-1. Log in to your [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}.
+1. Select **Settings** from the top navigation bar.
-2. Select **Settings** from the top navigation bar.
+2. Select **Two-step Login** from the left-side Settings menu.
-3. Select **Two-step Login** from the left-side menu.
+3. Select the **View Recovery Code** button near the top of the screen. You'll be prompted to enter your Master Password, which will open a Recovery Code panel:
-4. Select the **View Recovery Code** button at the top of the screen.
 
-   You will be prompted to enter your Master Password in order to retrieve your Recovery Code.
+   {% image /two-step/recoverycode.png Sample Recovery Code %}
-5. Print your Recovery Code and put it somewhere safe.
 
-## Use your Recovery Code
+Save your Recovery Code in the way that makes the most sense for you. Believe it or not, printing your code and keeping it somewhere safe is one of the best ways to ensure that the code isn't vulnerable to theft or inadvertent deletion.
 
-Using your Recovery will deactivate all Two-step Login methods from your account. You will be required to enter all of the following to use your Recovery Code:
+### Use your Recovery Code
 
-- Email Address
+To use your Recovery Code, navigate to [https://vault.bitwarden.com/#/recover-2fa/](https://vault.bitwarden.com/#/recover-2fa/) (or, if you're self-hosting, [https://your.domain.com/#/recover-2fa/](#use-your-recovery-code)).
-- Master Password
-- Recovery Code
 
-To use your Two-step Login Recovery Code, navigate to [https://vault.bitwarden.com/#/recover-2fa](https://vault.bitwarden.com/#/recover-2fa){:target="\_blank"} or, for self-hosted installations navigate to [https://your.vault.domain.com/#/recover-2fa](#).
+Using your Recovery Code is like a normal log in procedure, requiring your Email Address and Master Password, but will also take your Recovery Code. On successful authentication of all three, you'll be logged in to your Vault and **all Two-step Login methods will be disabled**.
 
-Once you use your Recovery Code, you will be required to manually re-activate any Two-step Login methods. Using your Recovery code will also **reset your Recovery Code**. We recommend re-printing your code and to replace the previous one before re-activating any Two-step Login methods.
+Once used, you'll need to:
+
+- Re-enable any Two-step Login methods you want to use in the future.
+- [Get your Recovery Code](#get-your-recovery-code) again, as it'll be reset upon use.
+
+{% callout info %}
+Recovery Codes **won't disable Duo for Organizations**. You can tell that a Duo prompt is Organization-wide by the **(Organization)** header, as in the following screenshot:
+
+{% image /two-step/duo/duo-orgs.png Duo (Organization)%}
+
+If you're locked out of your Vault by a **Duo (Organization)** prompt, reach out to the Duo Administrator at your company for help bypassing the prompt.
+{% endcallout %}

_scss/_article.scss

@@ -117,3 +117,36 @@
         margin-left: 0.5rem;
     }
 }
+
+.nav-tabs {
+  border-bottom-width: 1px;
+  border-color: $border-color;
+
+  .nav-link {
+    font-weight: bold;
+
+    &.active {
+      background-color: #fafafa;
+      border-width: 4px 4px 0px 4px;
+    }
+  }
+}
+
+.tab-content {
+  .tab-pane {
+    padding: 0.1rem 1rem 1rem 1rem;
+    border-style: solid;
+    border-width: 0px 1px 4px 4px;
+    border-color: $border-color;
+    border-radius: 0px $border-radius $border-radius $border-radius;
+    background-color: #fafafa;
+
+    pre {
+      background-color: white;
+    }
+
+    .callout {
+      background-color: white;
+    }
+  }
+}