"A Passkey Already Exists for This Application"?

I am trying to use FIDO2 WebAuthn to add two security keys as my 2FA login (one to use and one to have in my safe).

I add the first one fine, but every time I try to add the second one, I get the error message “A Passkey Already Exists for This Application.”

Is it because these are old security keys??

https://www.amazon.com/gp/product/B07BYSB7FK

This is on an iMac, Ventura 13.6, using the browser app.

Are you sure you’re doing this in the web vault (I’m not sure because your error message mentions “application”)? I would start in the web vault and from there, every application requires your set-up 2FA: Password Manager Web Vault | Bitwarden Help Center (“Secure your vault”)

Yes, I’m on the web. I go to Bitwarden.com, log in, then choose Account Settings/Security/Two-step login and click the Manage button on the Webauthn line.

The error message I get looks like this:

I’m certainly not understanding something, because I’m not clear on why anything needs to be saved to a login. I just want to register the key.

Thanks for the help.

PS Maybe it’s because I’m using Brave.

This page

says "The only things you’ll need to use physical keys are a Bitwarden account and an unused physical key. "

I’ve used the keys for another web site, so perhaps that prevents them from being used for Bitwarden?? But the first key works fine—the second one fails.

Well, this is interesting - and may be a new “error” which the Bitwarden team should address?!

But I think, this only happens when you are not only logged in in the web vault, but at the same time are logged in in the browser extension. I guess, when you are just logged in in the web vault and logged out (or “locked”) in the browser extension, then you would be able to just add your Yubikeys in the web vault itself. (because I think normally, or rather until the October-Passkey-Update, adding Yubikeys was only a web-vault-operation - and now the browser extension seems to interfere with that ?!)

PS: Or maybe it is enough to choose “Use browser” and you can stay logged in in the browser extension? However, until recently, the browser extension didn’t have anything to do with adding 2FA to the web vault (at least in the adding-process itself) - but on the other hand I don’t know if this now somehow changed with the added passkey functionality. :thinking: That’s why I already wrote, the Bitwarden team maybe should clarify (and maybe update the “help pages”)…

Now that I learned how to Deauthorize Sessions, I tested things, and the first Yubikey that I used didn’t even work. My guess is that it’s too old.

Now I have to decide between just using the authenticator app or spending $100 for two newer Yubikeys.

I think that when you are trying to register the physical key, the browser extension detects it as an attempt to create a passkey.

The first time it creates it, the second it tells you that you already have created another passkey.

When the browser extension detects that attempt to create a passkey you need to tell it to use the browser:

so that the browser reads the physical key and it gets registered as a second factor for your account.

Also, you will need to unregister those passkeys from your account as security keys, and I also would delete them from the vault where they were created by the extension.

Edit to add: When this is set up, I would also test everything on another computer with a browser that does not have the Bitwarden extension.

Also, very very important: write down your recovery code before doing any configuration of two-step-verification.

Because if, somehow, you register a passkey stored in bitwarden as the only second factor for your account, you will get locked out of your vault.
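The post above describes the failure mode from the user's side: the browser extension answers the WebAuthn registration request itself, so what ends up registered is a passkey stored in the vault rather than the physical key. The following is an added example written for this thread (not Bitwarden's code) showing the two places a relying party can act on that distinction: the registration options it sends, which can hint that a roaming security key used as a second factor is wanted (`authenticatorAttachment: "cross-platform"`, `residentKey: "discouraged"`), and the flags byte of the returned authenticator data, where a synced password-manager passkey will normally assert the backup-eligible (BE) bit while a hardware key used as a plain second factor will not. The byte layout follows the WebAuthn authenticator data format; the sample authenticator data, the relying-party ID `example.test` and the user ID are constructed for the demo. A relying party that detects a backup-eligible credential being enrolled as the only second factor could warn the user, which is the lockout scenario the post describes.

```javascript
// Added example (not Bitwarden's code): distinguish a synced passkey from a
// device-bound security key using the WebAuthn authenticator data flags byte.

// Flag bits of the authenticator data "flags" byte (WebAuthn Level 3).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible (multi-device / syncable credential)
const FLAG_BS = 0x10; // backup state (credential currently backed up)
const FLAG_AT = 0x40; // attested credential data is present

// Registration options a relying party can send to hint that it wants a
// roaming (cross-platform) key as a non-discoverable second factor.
// Assumed values: rpId, userId and challenge are supplied by the caller.
function secondFactorRegistrationOptions(rpId, userId, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: "user@example.test", displayName: "Example user" }, // constructed
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      residentKey: "discouraged",
      userVerification: "discouraged",
    },
    attestation: "none",
  };
}

// Parse the fixed header of authenticator data: rpIdHash (32 bytes), flags (1),
// signCount (4, big-endian), then attested credential data when AT is set.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  const parsed = {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    signCount,
  };
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("attested credential data truncated");
    const credIdLen = (authData[53] << 8) | authData[54];
    if (authData.length < 55 + credIdLen) throw new Error("credential id truncated");
    parsed.aaguid = authData.slice(37, 53);
    parsed.credentialId = authData.slice(55, 55 + credIdLen);
    // The COSE public key (CBOR) follows the credential id; not decoded here.
  }
  return parsed;
}

// Policy decision for a second-factor enrolment: reject responses without user
// presence, and label syncable credentials so the UI can warn the user.
function classifyCredential(parsed) {
  if (!parsed.userPresent) return "reject: user presence not asserted";
  if (parsed.backupEligible) return "synced-passkey";
  return "device-bound";
}

// Build constructed authenticator data for the demo (all-zero rpIdHash and
// AAGUID are placeholders; the CBOR public key is omitted).
function buildAuthData(flags, signCount, credentialId) {
  const out = new Uint8Array(37 + 16 + 2 + credentialId.length);
  out[32] = flags;
  out[33] = (signCount >>> 24) & 0xff;
  out[34] = (signCount >>> 16) & 0xff;
  out[35] = (signCount >>> 8) & 0xff;
  out[36] = signCount & 0xff;
  out[53] = (credentialId.length >> 8) & 0xff;
  out[54] = credentialId.length & 0xff;
  out.set(credentialId, 55);
  return out;
}

// Demo: a hardware key asserting only UP+AT versus a synced passkey asserting BE+BS.
const hardwareKey = parseAuthenticatorData(buildAuthData(FLAG_UP | FLAG_AT, 1, new Uint8Array([1, 2, 3, 4])));
const syncedPasskey = parseAuthenticatorData(
  buildAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0, new Uint8Array([9, 9]))
);
console.log("hardware key:", classifyCredential(hardwareKey));   // device-bound
console.log("synced passkey:", classifyCredential(syncedPasskey)); // synced-passkey
```

The options hint is only advisory: a client-side passkey manager can still answer the request, which is why checking the returned BE bit on the server is the more reliable signal for warning a user who is about to make a vault-stored passkey their only second factor.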

Well, that can be one of the problems as well. Here is a link on Yubico: Bitwarden Premium | Yubico I didn’t find another overview, which security keys work with Bitwarden FIDO2, although I’m sure I once saw one… :sweat_smile:

I appreciate the help.

Can you explain why BW needs to save anything in a login? That is, why is it trying to create a Passkey?

I have another issue that I’ll post on a separate thread.

No, as I was trying to explain in my previous post: I’m pretty sure you didn’t add that physical key to your bitwarden account. You added a passkey stored in your vault (that the browser extension created against your intentions).

I don’t think so, if they are fido (U2F or FIDO2) compliant, they should work.


Excellent, it is now working. I was going too fast and didn’t grok your “Use browser” explanation (also, I’d tried that at some point and nothing seemed to happen).

Yes, my recovery code is locked away in my safe.

When this is set up, I would also test everything on another computer with a browser that does not have the Bitwarden extension.

Do you mean I should try to log in to bitwarden on a computer without the BW extension installed?

Thanks.

On a computer that you trust, yes, that’s what I meant (and didn’t write). But now that you got things working, perhaps this is not necessary anymore.

Still, shouldn’t Bitwarden give you the option to replace it? That’s how I’ve seen it working so far. The second time it’s very similar to the first one with the difference that when you click “Save”, it asks for confirmation that you want to replace the previous passkey. This seems quite different.

Hello,

You are adding WebAuthn as a 2FA during the passkey storage rollout for BW, which has changed the existing functionalities, and would certainly change some more because of the issues that people are having with both passkeys and WebAuthn 2FA.

I personally would think about:

  1. Create a backup 2FA method just in case. I know this is not the usual way when you have a hardware 2FA, but this is temporary until BW resolves the Passkey/WebAuthn 2FA issues.

  2. If possible, use the extension prior to v2023.10.0 (where passkey storage is rolled out). I personally would stick to this until the complaints about this rollout die down.

  3. Bear in mind not to fall in love with / hate any workflow passkey/webauthn 2FA at the moment, because it may change to fix issues.

I figure I’m covered by having a printed out recovery code in my safe, yes?

Yes, using your recovery code will disable your 2FA, though. I am unclear if re-enabling it will recover your prior setups (multiple 2FA keys, etc.).