Hi, just started using BW. I set up my account with a FIDO hardware key as 2FA.
Works fine in the browser and in the Windows app: I enter my master password and then use the FIDO2 key as the second factor when asked. Except on Android, where it just logs in with the master password only. Also, in the web interface security device list I get an “Invalid device data” message and only see the browser and Windows sessions; Android is missing.
Is this a bug?
@olyandros Welcome to the forum!
Did you login with another form of 2FA on the mobile app before and checked “remember me”? That’s usually the reason, you don’t get asked for 2FA for a while (see here: Why is Bitwarden not asking for my enabled two-step login method? | Bitwarden Help).
As explained in the link, you can “Deauthorize Sessions” in the web vault (Settings → My account → “Danger Zone”), as that also “resets” the “2FA remember me”. But be sure to have all login credentials for your Bitwarden account at hand, as you get logged out on every BW app if you deauthorize sessions.
Hm, there was at least another report of that: “An error has occured. Invalid device data”. I don’t see it as an issue on GitHub, so it probably should be reported as a bug (“New issue”).
Are you logging in or unlocking? There is a difference. Unlocking only requires a single factor, whereas Login typically requires two factors.
Thanks, the reset solved the problem on my Android phone, I must have accidentally checked the “remember me” toggle.
But I now tried to set it up on my tablet: I enter the master password and then tap WebAuthn, the toast menu comes up and I plug in the key and tap it. It then takes me back to BW with the message “An error has occured. We were unable to process your enquiry. Please try again or contact us.” (translated from German). It’s a Xiaomi Pad 5 running a custom ROM with Android 15 (Play Services are up to date).
Also another question: I only use this FIDO key to try out BW, so I thought BW would store a passkey on it when used as a second factor. But looking into the key with a separate program, there are no passkeys stored on it. How does it work then?
Assuming you used the mobile app there also with another 2FA before, I would probably delete the app data and try to log in again.
Oh, yeah… Bitwarden calls the FIDO2-2FA now also “passkey”, probably to keep it “easy” for everyone… In technical terms, though, it isn’t a passkey in the strict official definition.
Bitwarden’s “passkey”-2FA is a so-called non-discoverable credential, which isn’t stored on the YubiKey, but associated with the YubiKey. That’s why you can’t “see” / “discover” it on the YubiKey.
(-> and passkeys are, by the strict official definition, discoverable credentials)
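To make the difference between a non-discoverable 2FA credential and a discoverable passkey concrete, here is an added toy model of an authenticator (constructed for this thread; not Bitwarden’s, Token2’s or any vendor’s real code). It assumes the common key-wrapping design in which the credential ID carries a nonce plus a MAC under a device secret, uses HMAC as a stand-in for the real ECDSA key and signature, and uses constructed relying-party names.

```python
import hmac, hashlib, secrets


class ToyAuthenticator:
    """Toy FIDO2 authenticator: non-discoverable credentials are rebuilt from the credential ID."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)  # never leaves the authenticator
        self.resident = {}  # rp_id -> credential ID; only discoverable credentials land here

    def _tag(self, rp_id, nonce):
        # MAC ties the credential ID to this device and this relying party (RP)
        return hmac.new(self.device_secret, rp_id.encode() + nonce, hashlib.sha256).digest()

    def _unwrap(self, rp_id, cred_id):
        """Return the per-credential key, or None if this key did not mint cred_id for rp_id."""
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, self._tag(rp_id, nonce)):
            return None
        # Stand-in for a real ECDSA private key: derived on demand, never stored
        return hmac.new(self.device_secret, b"cred-key" + cred_id, hashlib.sha256).digest()

    def make_credential(self, rp_id, discoverable=False):
        nonce = secrets.token_bytes(16)
        cred_id = nonce + self._tag(rp_id, nonce)
        if discoverable:
            self.resident[rp_id] = cred_id  # the only path that consumes storage on the key
        return cred_id

    def get_assertion(self, rp_id, challenge, allow_list=()):
        """Sign the challenge with the first usable credential, or return None.
        With no allow list the key can only use a credential it stored itself."""
        candidates = list(allow_list) or ([self.resident[rp_id]] if rp_id in self.resident else [])
        for cred_id in candidates:
            key = self._unwrap(rp_id, cred_id)
            if key is not None:  # HMAC stands in for the ECDSA signature over authData||clientDataHash
                return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).hexdigest()
        return None


def demo():
    auth = ToyAuthenticator()
    cred = auth.make_credential("vault.bitwarden.example")  # constructed RP id, 2FA-style
    stored_after_2fa = len(auth.resident)  # 0: the key wrote nothing
    with_allow = auth.get_assertion("vault.bitwarden.example", b"c1", [cred]) is not None
    without_allow = auth.get_assertion("vault.bitwarden.example", b"c1") is None
    wrong_rp = auth.get_assertion("other.example", b"c1", [cred]) is None  # MAC check fails
    auth.make_credential("login.example", discoverable=True)  # a passkey
    passkey_ok = auth.get_assertion("login.example", b"c2") is not None  # found on the key
    return stored_after_2fa, with_allow, without_allow, wrong_rp, len(auth.resident), passkey_ok
```

The server-side 2FA flow works with an empty key because the relying party already knows the user from the master password and can send the stored credential ID in the allow list; a tool that enumerates the key only sees the discoverable entry.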
> Assuming you used the mobile app there also with another 2FA before, I would probably delete the app data and try to log in again.

Did that, unfortunately no change. Also checked that the time is correctly set.
> Bitwarden’s “passkey”-2FA is a so-called non-discoverable credential, which isn’t stored on the YubiKey, but associated with the YubiKey. That’s why you can’t “see” / “discover” it on the YubiKey.

Thanks for the clarification.
Hm, I just checked whether there is a current bug report on GitHub regarding this - doesn’t seem so. (of course, there could be new bugs, though) – Did you try it with both USB and NFC connection? (see also here: NFC troubleshooting | Bitwarden)
You’re welcome. (So that everyone can follow along, I didn’t reply in German.)
The tablet does not have NFC. The key I’m using is a T2F2-PIN+ Release3 TypeC
Maybe it has compatibility issues with some devices.
Finally got it working on the tablet! I tried whether the FIDO key would work with passkeys.io in Firefox, and it did, and somehow it then started working in the BW app too.
But man, is the process using this 2FA cumbersome. You enter your master password, then have to press WebAuthn, then you are taken to a new site where you have to press Start WebAuthn, then the toast menu comes up, then you have to press to choose another device (the USB key), then you have to enter the key’s PIN, and finally you can touch the key to unlock. Phew.
That really is too many steps to be practicable. Above all, why do I have to enter the key’s PIN every time? That’s not necessary on Windows or Web; I think I had to do it once. Is this enforced by the OS?
That’s good news!
Hm, from Bitwarden’s side, the FIDO2 PIN is only asked when you register the security key as 2FA-“passkey”… when you authenticate with it, then the PIN isn’t requested. In fact, there is a Feature Request about making it optional to get asked for the PIN: Optionally require PIN code when using hardware key / security key (FIDO2 / "passkey"-2FA)
When you get asked for the PIN when authenticating, then that is probably due to some setting/configuration of the security key. - Did you enable always_UV? (see here: https://www.token2.com/site/page/fido2-security-keys-pin-protection-when-and-why-pin-is-asked-) … though, that doesn’t sound like you enabled always_UV … ?!?
always_UV is definitely turned off. Maybe there is a connection between the required PIN entry and both Android devices not showing up in the devices list in the web interface (getting the “Invalid device data” popup twice)?