Adding Yubikey Issue

I click on the YubiKey 3 box;

I insert the YubiKey (with fingerprint reader version);

I touch the YubiKey pad and nothing happens.

A few years ago I was able to add 2 earlier versions of Yubikey to my profile. I want to add these because they have the fingerprint, USB-C, where my old key has no fingerprint and is USB-A.

note: No probs using them with the Yubikey Auth app and Google 2FA.

Any ideas?

In the Yubikey Manager (ykman) or in the Yubikey Authenticator, have you verified that the Yubico OTP protocol is enabled for the new Yubikey?

It sounds like you are using a Yubikey Bio Series key, which does not support the OTP protocol (only FIDO2, FIDO U2F, and PIV). So you will not be able to register this key to be used with the Yubico OTP protocol.

Why are you not using the passkey option instead for your 2FA?

As you can see from the images, I have the Yubikey FIDO edition. I was able to add a passkey to Google. It looks in BW like I was able to add my 2 new keys: Yubikey0 and Yubikey2. My original Yubikey (touch, not fingerprint) already appears. However, when I try and use Passkey login, the Yubikey0 and Yubikey2 do not work.

I tried using the Android QR passkey option, but for some reason the phone doesn’t seem to communicate with the Mac. But one problem at a time, right?

So far as I can tell, I have the 2 Yubikey Bio registered but they do not work, nor appear in the YAuth app as passkeys.

What do you suggest?

If your goal is to use your Yubikey Bio as a second factor when logging in to Bitwarden using a master password (or “Login with device”), then I suggest that you (carefully) follow the step-by-step instructions provided in the documentation. Pay special attention to Step 3, where you must click the Manage button for the Passkey option, not the Yubico OTP Security Key option.

Edited to Add: If your goal is to use your Yubikey Bio as a passkey for accessing your Bitwarden account using “Login with Passkey”, then you should instead follow the directions here. As pointed out by @Nail1684 below, 2FA with passkey and login with passkey are two completely different things.

What operating system are you using for the device where you are plugging in your USB-C Yubikey Bio?

From what you describe, I think you’re mixing up two things now. Let me summarize it:

You started (in your OP) with Bitwarden’s 2FA options. @grb correctly hinted at the FIDO2-2FA-“passkey” option. This credential can be used as the “second step” when you log in to Bitwarden (usually after you entered your email address and master password – or after using “login with device”).

But when you want to “Log in with passkey” (i.e. only with a login-passkey), then you need to set that up in a different location in the web vault. This is described here: Log In With Passkeys | Bitwarden (PS: on that Help Site, ignore the “unlock” part for now… as you wrote, one problem at a time)

Did you have bluetooth activated on both devices? – Cross-device authentication (CDA) requires that.

Bitwarden’s 2FA-passkeys neither work for “Log in with passkey” nor are they listed as passkeys via (e.g.) the Yubico Authenticator app. - Only Bitwarden’s “login-passkeys” would be…

(BTW, Bitwarden’s login-passkeys on the other hand can’t be used as the second step for logging in… good news is: you can set up both – Bitwarden’s 2FA-“passkeys” and login-passkeys – at the same time with a YubiKey)

Success. I was able to use the Yubikey instead of the MP.

(Thanks also to @Nail1684)

The confusion: There are 2 Passkey places in Security —

  1. Under Master Password
  2. Under 2-Step Login

(#1 - Under Master Password)

(#2 - Under Two-Step)

IIRC - Option #1 is to login using either MP or Yubikey. Option #2 is for requiring both MP & Yubikey.

Does #2 only require the Yubikey when logging into a new device for the 1st time?

IIUC - If I want to require the Yubikey for a new device but be able to use either MP or Yubikey on subsequent logins, I should have the key registered in both locations. This would also mean that if I only use #2, then I only log in using MP but need the Yubikey when registering a new device.

Do I have this right?

Thanks!

(Still figuring out the bluetooth phone thing. My Mac is paired, so I do not have any idea why the phone passkey QR Code thing doesn’t connect / work. :man_shrugging: )

Just for the overview:

Option #1 = Log in with passkey
Option #2 = 2FA-“passkey”

Almost.

Option #1 is to login with your YubiKey without your master password. (exception: if you had a login-passkey without encryption, you would have to use the master password along with that login-passkey)

No. And it doesn’t matter if it’s a “new” or a “known” device – if you want to log in with Option #2, you have to provide email and master password and your YubiKey.

For the “second step”, you can check “remember me for 30 days” on a given device, but that is independent of the 2FA method you use.

In principle yes, but “either MP or YubiKey” is not completely accurate as – in your current setup now – you would have to use the YubiKey both for Option #1 (as the login-passkey) and for Option #2 (as the second step / 2FA-passkey).

I think I may have tackled that above already – if you don’t check “remember me for 30 days” then, when you log in, you would have to use your YubiKey for any device (known or new) when you use Option #2 for logging in.

PS: Just for clarity: we are only talking about logging in to your Bitwarden account/vault now (which you only have to do when you logged out before, or on a new device: never logged in before). – There is also locking and unlocking the vault. → Understand Log In vs. Unlock | Bitwarden

I suppose you could say that if you configure/enable “Option #1”, then you can choose whether to use “Login with Passkey” or “Login with Master Password” when authenticating. But if you have not enabled encryption when you set up “Option #1”, or if you are using a browser or operating system that does not support passkey-based encryption (a.k.a. “PRF”), then you still need to supply both the Yubikey and the master password when using “Login with Passkey”.

Yes, although “Option #2” would also allow you to log in using “Login with Device” and then supplying the Yubikey as a second factor — no master password required.

If you meant that any “subsequent logins” after the first login on a device should be possible either using a Yubikey alone (no master password required), or using master password alone (no Yubikey required), then you would either need to disable all Two-Step Login methods (including your “Option #2”).