I recently set up a Yubikey Security Key as one of my MFA methods with Bitwarden. I also set up the Yubikey to require a PIN.
I’ve been testing out Bitwarden on various devices to ensure it’s working properly, but unfortunately I’m hitting issues on iPhone with the Bitwarden app:
1. I open the Bitwarden app
2. I enter my master password
3. I then get prompted for Webauthn and I select Security Key in the native sheet that appears
4. When prompted, I hold my Yubikey near the top of the phone
5. Once recognized, it asks me to enter my PIN.
6. After I enter the PIN, it goes back to step #4 again and prompts me for my key
7. This continues infinitely
Has anyone experienced this issue? I’m on an iPhone 12 mini with iOS 17.7.1
The Yubikey, with PIN, works fine otherwise with Bitwarden on my Mac in various browsers (Safari, Firefox, Brave).
To my knowledge (and in my experience), when a Yubikey is used as a second factor for Bitwarden two-step login, you will not be asked to enter your PIN (except for when you first register the Yubikey as a 2FA passkey).
You might be afflicted by the problem described here, with a fix as detailed in the Help documentation:
Hm, I thought the whole point of adding the PIN was to make it so I would be prompted for the PIN each time I try to log in to (not unlock) my vault. And it does do this properly on the Web, just not in this mobile case.
I took a look at the support link you sent and I don’t believe that applies to me since I’m using a Security Key, which doesn’t support OTP.
Could be a bug in the new iOS app, then; you might consider filing a bug report (“New Issue”) in the GitHub repo.
The PIN is there for when the Relying Party (the web service you are logging in to) requires User Verification (instead of just confirming User Presence, which is done by touching the key, without PIN entry). Most web services (including Bitwarden) only require confirmation of User Presence when the Yubikey is used as a second factor in two-step login (since the user has already verified their identity by entering the password that they know).
For example, if using a Yubikey Security Key as a second factor when logging in to Bitwarden’s Web Vault (on a Windows system), this is the prompt that asks the user to confirm their presence by touching the key (note that no PIN is requested):
On the other hand, if you are using the Yubikey for usernameless/passwordless login (so-called “Login with Passkey”), then Bitwarden does require User Verification, so in that case you will be prompted for your Yubikey PIN when logging in.
On a Windows system, the PIN prompt looks like this when using “Login with Passkey” to access the Web Vault (and this prompt is then followed by a second prompt requesting the user to touch the key):
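The User Presence / User Verification distinction described above, as an added example that is not part of the original thread and is not Bitwarden's code: the authenticator reports both as flag bits in the WebAuthn authenticator data, and the relying party checks them against the policy of the flow. The function names, the flow-to-policy table and the sample bytes are assumptions made for illustration.

```javascript
// Added example; function names, policy table and sample bytes are constructed.
const FLAG_UP = 0x01; // bit 0: User Present (key touched or tapped)
const FLAG_UV = 0x04; // bit 2: User Verified (PIN or biometric checked by the key)

// WebAuthn authenticatorData: rpIdHash[32] | flags[1] | signCount[4] | optional data
function parseAuthData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = buf[32];
  return {
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Assumed mapping of the two flows in the thread to WebAuthn userVerification values.
const FLOW_POLICY = {
  secondFactor: "discouraged", // password already entered, touch is enough
  passkeyLogin: "required",    // no password, so the key must verify the user
};

// Flag check only; a real relying party also verifies rpIdHash, challenge and signature.
function checkFlags(authData, flow) {
  const policy = FLOW_POLICY[flow];
  if (!policy) throw new Error("unknown flow: " + flow);
  const { up, uv } = parseAuthData(authData);
  if (!up) return { ok: false, reason: "user presence missing" };
  if (policy === "required" && !uv) {
    return { ok: false, reason: "user verification required" };
  }
  // With alwaysUv enabled the key sets UV even when the policy is "discouraged".
  // The extra flag is accepted, not treated as an error.
  return { ok: true, up, uv };
}

// Constructed sample: 0xab fill stands in for the 32-byte rpIdHash.
function sampleAuthData(flags, signCount) {
  const buf = Buffer.alloc(37, 0xab);
  buf[32] = flags;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV, 8);
console.log(checkFlags(touchOnly, "secondFactor"), checkFlags(touchAndPin, "secondFactor"));
console.log(checkFlags(touchOnly, "passkeyLogin"), checkFlags(touchAndPin, "passkeyLogin"));
```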
I ended up following the instructions here based on the potential vulnerability. So toggle-always-uv is set to enabled for me, so now Bitwarden always prompts me for the PIN when logging in (which is what I was intending).
I will try logging a bug on GitHub to see what the devs think.
I see, sorry, that wasn’t clear in your first post. Make sure that you explicitly describe this condition when you post your bug report.
It might also be helpful if you temporarily disable toggle-always-uv, and see if this allows you to successfully use the Yubikey as 2FA on your iPhone.
I recall having read somewhere that setting alwaysUv to enabled can cause problems on certain relying parties (websites) with security keys like the Yubikey 5 series, where the flow for that RP is not prepared for the key asking for a PIN.
Okay, thank you for posting. According to that post, it seems it’s been fixed in the latest iOS 18.2. Sounds like for the time being, I’ll disable the PIN and see how this plays out.
Though interestingly, I tried using an Android device that I have lying around and had a similar problem.
You are correct, but I’ve learned over the years not to assume that readers’ self-reported actions can be interpreted literally, so I thought that what you wrote was just describing the act of setting a PIN for the Yubikey. Explicitly mentioning the toggle-always-uv flag will prevent such a misunderstanding if you decide to post a bug report or seek help from official support channels in the future.