Email two-step login option not shown in web vault despite _enable_email_2fa = true (v1.36.0)

[mm-mediamix]

Summary
On the personal Settings → Security → Two-step login page, only three providers are listed: Authenticator app, Passkey, and Duo. The Email option is missing entirely — it is not shown as disabled/premium, it simply doesn't appear.

Email two-step is enabled server-side (_enable_email_2fa = true) and SMTP is fully working, so I'd expect the Email option to be offered. I'd like to know whether this is a known bug/regression in 1.36.0 or whether I'm missing something.

Question
Is this a known issue in 1.36.0 / web-vault 2026.4.1 — i.e., the server not advertising Email as an available two-step provider — or is there an additional setting required? Happy to provide the raw GET /api/two-factor response or the login TwoFactorProviders2 payload if that helps.

Environment
Vaultwarden version: 1.36.0 (gitHash f21a3ad)
Web-vault version: 2026.4.1
OS/Arch: linux/x86_64, running in a container (Base: Debian)
Database: SQLite 3.51.3
Reverse proxy: yes (IP header X-Real-IP)
Diagnostics: all green except the Browser/Server time check (my client clock is ~40s behind; server↔NTP is OK — unrelated, I believe)
Relevant config (effective, from the diagnostics page)
_enable_email_2fa: true
_enable_smtp: true, smtp_host set, smtp_port: 465, smtp_security: "force_tls"
_enable_duo: true, but duo_host: null, duo_ikey: null, duo_skey: null
The key observation
The visibility of the tiles does not match the configured providers:

Provider Configured? Shown in web vault?
Authenticator always yes
Passkey (WebAuthn) domain set yes
Duo no credentials (duo_host/ikey/skey = null) yes
Email enabled (_enable_email_2fa = true, SMTP working) no
So Duo is shown even with no credentials, while Email is hidden even though it's enabled. That makes it look like the set of providers the server advertises to the web vault is the deciding factor (not the actual config), and that set currently appears to be {Authenticator, Duo, WebAuthn} only.

Looking at the bundled web-vault code, the two-step setup list seems to be built from the server-provided providers (setProviders(response.twoFactorProviders2) → providers$), and a tile is only rendered if its type is in that set. Email is not in it.

What I've already ruled out
Not browser cache — reproduced in a fresh private/incognito window and a different browser.
Not a stale runtime config — restarted the container; effective config still shows _enable_email_2fa: true.
Not SMTP connectivity — TLS handshake to the SMTP host on :465 succeeds (220 … ESMTP), and invitation/account emails are delivered normally.

Not premium gating — in the web-vault provider catalog, Email has premium: false; premium only disables the "Manage" button, it doesn't hide the tile.

[stefan0xC]

Did you configure SMTP recently? The /css/vaultwarden.css file might have been cached as static asset by your reverse proxy.

[mm-mediamix]

Cool, thanks let me check. I am aready a bit deperated and tried everything ...

[mm-mediamix]

Nuked the whole Cloudflare cache vaultwarden.css went 1190→1173 at the edge, matching origin), hard-reloaded, fresh incognito — Email still not available - only Authenticator/Passkey/Duo show up.

So not the cache: _enable_email_2fa is true and SMTP works fine, but Email's just not in twoFactorProviders2… meanwhile Duo struts in with zero Duo creds configured.

[stefan0xC]

So vaultwarden.css does not include .providers-2fa-1 as selector anymore?

Regarding Duo: If you don't configure Duo globally for all users, users can still configure it themselves. You can hide it via custom CSS.

[mm-mediamix]

You nailed it 😅 — the stale vaultwarden.css was exactly 17 bytes bigger (1190 vs 1173), which is precisely .providers-2fa-1,. So the cached css was hiding Email; the fresh one (post-purge) doesn't include .providers-2fa-1 anymore. Just had to also kill the browser's own cached copy of the css (it's max-age=86400 client-side too) and Email's back. Thanks a ton — and the Duo thing makes total sense now.

[mm-mediamix]

Thank you!