FIDO U2F keys are being phased out in 2025 - make sure to replace those in time

… more of an info than a question:

The old FIDO U2F security key configurations (as 2FA for the Bitwarden account) are going to be “phased out” in the next year, so think of replacing this with FIDO2 security keys via the “passkey”-2FA-option or other forms of 2FA for your Bitwarden account…

Here is the corresponding note in the Release Notes:

(source: https://bitwarden.com/help/releasenotes/#2024-12-0 )

1 Like

Thanks for that tidbit…

Hoping it remains enabled for access to the Web vault’s Security page for many months after it is disabled for all other logins. This will facilitate a graceful recovery for people who did not get the memo.

Perhaps a similar thing ought to be done with the recovery code. Instead of removing MFA, maybe allow access to only the security tab so that the user can fix whatever is broken with their MFA.

1 Like

In light of the considerable confusion surrounding passkeys registered for two-step login in Bitwarden, it would be very helpful to publicize a simple procedure for determining whether a registered key is a FIDO U2F key or a FIDO2 key.

For example, should a Yubikey passkey be assumed to be a U2F key, if it is not listed when executing the command ykman fido credentials list?

@kpiris — any thoughts on this?

@grb I remember that discussion in general… and as I don’t know an answer to the question you posed (for the device-side)… according to the Help Sites, U2F keys should be recognizable (“marked” as Migrated from FIDO) in the web vault:

(–> https://bitwarden.com/help/setup-two-step-login-fido/)

PS: Okay, as far as I remember that discussion, it remained a bit unclear what kind of credential really gets created in the now-called “passkey”-2FA-option… but I would think that, nevertheless, no “old” kind of “FIDO1” credential that gets invalidated in 2025 can have been created since maybe mid 2021?! (PPS: Or am I too naive, again? :sweat_smile: ):

(–> https://bitwarden.com/help/releasenotes/#2021-05-11 )

No, it should not. If a credential is listed on a security key (with ykman or any other credential management program for that security key), that means it is a discoverable credential (aka. resident credential).

Discoverable credentials are a FIDO2 thing, they do not exist on the U2F specification.

But a non-discoverable credential can be FIDO2.

If anyone is interested in the evolution of these FIDO protocols, I just found out this. I just took a quick look at it, I will be reading it more thoroughly later.

Regarding this upcoming bitwarden’s phase out of U2F:

I would guess that bitwarden would be able to tell if a fido credential stored as 2SV in a user’s account is U2F or FIDO2.

If it were so, the logical thing would be to flag them in big red bold letters in the web vault so that the user would be aware that that key will stop working when they phase out U2F.

I would also assume that they would even have the possibility of notifying any user that has a soon-to-be phased out security key in their account.

With a YubiKey, you can enable and disable FIDO2 and FIDO U2F independently. And disabling an application is not destructive at all. If you disable an application and later find out you need it, you just have to re-enable it and continue using it as you were before disabling it.

This afternoon I will perform some tests enabling and disabling FIDO2 to see if I can find out anything interesting.

2 Likes

I should have read this before replying…

Then I guess it would be a matter of changing that “Migrated from FIDO” mark to something like “Please, remove this key, it will stop working after day D” in big red bold letters.

2 Likes

Hi all!

Hopefully this note did not cause any panic. The goal of including this in the release notes is to make sure communication begins early, but it will be a gradual process of phasing out support for these key types. There will be in product communications, as well as direct communication with users who risk being locked out.

Thank you for all the thoughtful suggestions around how we can help users identify which keys are U2F vs which are FIDO2. For those that want to get a jump start on that, I recommend Yubico’s website, which provides a helpful tool.

2 Likes

Well, this couple of tests did not shed any light, rather the opposite:

These are the two YubiKeys I used:

Device type: YubiKey Bio - FIDO Edition
Serial number: ***
Firmware version: 5.5.6
Form factor: Bio (USB-A)
Enabled USB interfaces: FIDO

Applications
Yubico OTP      Not available
FIDO U2F        Enabled
FIDO2           Disabled
OATH            Not available
PIV             Not available
OpenPGP         Not available
YubiHSM Auth    Not available

Device type: YubiKey 5 NFC
Serial number: ***
Firmware version: 5.1.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO
NFC transport is disabled

Applications    USB             NFC
Yubico OTP      Disabled        Disabled
FIDO U2F        Enabled         Disabled
FIDO2           Disabled        Disabled
OATH            Disabled        Disabled
PIV             Disabled        Disabled
OpenPGP         Disabled        Disabled
YubiHSM Auth    Not available   Not available

As you can see: all applications disabled, except FIDO U2F.

Well, I was able to add them to my bitwarden account as 2SV and there is no indication at all that they are U2F on the web vault:

According to the documentation linked by @Nail1684, I should not have been able to add them (if the keys really are U2F only, after having disabled all the other applications).

I tried that tool with the YubiKey 5 NFC (having only FIDO U2F enabled), but it is for developers and I’m unable to understand anything there.

:confused: :confused: :confused:

2 Likes

Can somebody PLEASE put that announcement into layman’s English and tell us how we can determine if we do (or do not) need to do something?

I have no $#%#$% idea what a FIDO U2F key even is let alone what the setup instructions are trying to tell us to do.

FWIW - I’m a premium user currently set up with an authenticator app and multiple YubiKey 4 and 5 NFC physical keys. No passkeys. I get prompted to insert a YubiKey and press the button on it. Simple. Do I have to do anything at all?

With e.g. a YubiKey 5 that tool more or less finishes with “successful” ***. Could you please explain in what way the outcome would be different with an old non-FIDO2 YubiKey, to be able to compare it? :thinking:

And regarding @kpiris’s tests I would like to ask whether you can enlighten us about what exactly happens (= what kind of credential gets created) when you had only FIDO U2F enabled on a YubiKey (i.e. every other protocol disabled, including FIDO2) and obviously can successfully register that key for the FIDO2-2FA-Bitwarden option? :thinking: (especially because according to the Bitwarden documentation one shouldn’t be able to create a “FIDO1” credential here any longer…)

*** PS: Oh, thanks to @grb’s post below, I now learned at least that you can see the “technical details” there also. :sweat_smile:

1 Like

Go into the web vault → 2FA section → “passkey” option → if you can see a marking “Migrated from FIDO” then that is definitely an old FIDO-credential that will be invalidated next year.

Another “test” would be to delete all 2FA-“passkeys” in the web vault as well as on every device - and set them up again after that. Old credentials can’t be created, so only valid credentials get newly created. Of course, make sure to have your 2FA recovery code and probably a current export of your vault before doing those operations that affect access to your vault, in case something goes wrong.

And of course, this bears the “risk” that you are not able to re-create a new 2FA-credential with security keys that don’t support the newer FIDO2 protocol at all. (though that would be the case in 2025 anyway…)

PS: Maybe a bit of history, as I understand it now: the 2FA for Bitwarden we are talking about here was initially called FIDO U2F (“FIDO1”). Then the protocol changed to FIDO2 and it was renamed to “FIDO2 WebAuthn”. Then recently it was renamed to “passkey” (and I still have my problems with that most recent name…).

And it was originally a premium feature (though I don’t know if that was also the case for FIDO U2F?!), but about one and a half years ago that kind of 2FA was also made available for “free” accounts.

PPS:

Ah, the YubiKey 4s don’t support FIDO2 as it seems, so those will stop working for Bitwarden next year… With the YubiKey 5s on the other hand, you are on the safe side here, as they support FIDO2.

@Micah_Edelblut

As others have already noted, we “jump starters” will need some instruction on how to use the tool. When I used the tool to register one of my Yubikeys, it created a non-discoverable credential, and produced the output shown below (in slightly redacted form). What do I learn from this JSON salad?

navigator.credentials.create() argument:

{
  "publicKey": {
    "attestation": "direct",
    "authenticatorSelection": {
      "requireResidentKey": false,
      "residentKey": "discouraged",
      "userVerification": "discouraged"
    },
    "challenge": "redacted",
    "excludeCredentials": [],
    "pubKeyCredParams": [
      {
        "alg": -7,
        "type": "public-key"
      },
      {
        "alg": -257,
        "type": "public-key"
      }
    ],
    "rp": {
      "id": "demo.yubico.com",
      "name": "Yubico Demo"
    },
    "timeout": 600000,
    "user": {
      "displayName": "Yubico demo user",
      "id": "redacted",
      "name": "Yubico demo user"
    }
  }
}

navigator.credentials.create() response:


{
  "id": "redacted",
  "response": {
    "attestationObject": "redacted",
    "clientDataJSON": "redacted",
    "transports": [
      "nfc",
      "usb"
    ],
    "publicKeyAlgorithm": -7,
    "publicKey": "redacted"
  },
  "authenticatorAttachment": "cross-platform",
  "clientExtensionResults": {}
}


Parsed clientDataJSON response:

{
  "type": "webauthn.create",
  "challenge": "redacted",
  "origin": "https://demo.yubico.com",
  "crossOrigin": false
}

Response from the Relying Party:

{
  "success": true,
  "attestationObject": {
    "attStmt": {
      "alg": -7,
      "sig": "Redacted",
      "x5c": [
        "Redacted"
      ]
    },
    "authData": {
      "credentialData": {
        "aaguid": "redacted",
        "credentialId": "redacted",
        "publicKey": {
          "1": 2,
          "3": -7,
          "-1": 1,
          "-2": "redacted",
          "-3": "redacted"
        }
      },
      "flags": {
        "AT": true,
        "BE": false,
        "BS": false,
        "ED": false,
        "UP": true,
        "UV": true,
        "value": 69
      },
      "rpIdHash": "redacted",
      "signatureCounter": 2
    },
    "fmt": "packed"
  },
  "clientData": "redacted",
  "device": {
    "mds": {
      "certifications": [
        "FIDO_CERTIFIED_L1"
      ]
    },
    "mdsUnavailable": false,
    "names": [
      "Security Key NFC by Yubico",
      "Security Key C NFC by Yubico"
    ],
    "type": "skynfc-skycnfc",
    "yubicoFirmwareVersion": "5.4.3"
  }
}

1 Like
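One way to read that “JSON salad”, and to answer the earlier question about telling U2F from FIDO2 registrations, is to look at two fields the Yubico demo returns: the attestation format (`fmt`) and the `flags` byte in `authData`. A key registered over the legacy U2F/CTAP1 path yields the `fido-u2f` attestation format with an all-zero AAGUID, whereas the output above shows `packed` and a flags value of 69 (UP, UV and AT set), which is a FIDO2/CTAP2 registration. The following is an added example, not code from the thread, Bitwarden or Yubico; the sample objects are constructed to mirror the redacted demo output, and the AAGUID values are made up.

```javascript
// Bit positions of the WebAuthn authenticator-data flags byte.
const FLAG_BITS = { UP: 0, UV: 2, BE: 3, BS: 4, AT: 6, ED: 7 };

// Decode a flags byte (e.g. the "value": 69 in the demo output) into booleans.
function decodeFlags(value) {
  const out = {};
  for (const [name, bit] of Object.entries(FLAG_BITS)) {
    out[name] = Boolean(value & (1 << bit));
  }
  return out;
}

// Classify a relying-party response like the one above as U2F or FIDO2.
// U2F/CTAP1 registrations arrive as "fido-u2f" with a zero AAGUID and can
// only assert user presence; any other format (e.g. "packed") is FIDO2.
function classifyRegistration(rpResponse) {
  const att = rpResponse.attestationObject;
  const flags = decodeFlags(att.authData.flags.value);
  const aaguid = att.authData.credentialData.aaguid.replace(/-/g, '');
  const isU2F = att.fmt === 'fido-u2f';
  return {
    format: att.fmt,
    protocol: isU2F ? 'U2F' : 'FIDO2',
    zeroAaguid: /^0{32}$/.test(aaguid),
    userVerified: flags.UV, // never true for a U2F registration
    flags,
  };
}

// Constructed sample mirroring the thread's YubiKey 5 demo output (AAGUID made up).
const SAMPLE_FIDO2 = {
  attestationObject: {
    fmt: 'packed',
    authData: {
      credentialData: { aaguid: '11111111-2222-3333-4444-555555555555' },
      flags: { value: 69 },
      signatureCounter: 2,
    },
  },
};

// Constructed sample of what a U2F-only key (e.g. a YubiKey 4) would produce:
// the client wraps the U2F registration with flags UP|AT = 0x41 and a zero AAGUID.
const SAMPLE_U2F = {
  attestationObject: {
    fmt: 'fido-u2f',
    authData: {
      credentialData: { aaguid: '00000000-0000-0000-0000-000000000000' },
      flags: { value: 65 },
      signatureCounter: 1,
    },
  },
};
```

Paste the relying-party response from the Yubico demo page into `classifyRegistration` to see which path your key took; the demo output quoted above classifies as FIDO2.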

From Reddit:

https://www.reddit.com/r/Bitwarden/s/PVkX17SCtH

2 Likes

As noted here, existing U2F keys are actually already indicated in the UI.

Hey @Micah_Edelblut, thanks, but I already posted that tip box and link to the FIDO2-2FA help site - and don’t really know if that should have been an answer to @vince (#10), @grb (#13) or me (#11)? :thinking: :man_shrugging:

@Micah_Edelblut It seems that the UI indicator is not reliable. Did you see the test above by @kpiris, in which he added two U2F keys as two-step login passkeys (and found that there was no indication shown in the UI to warn that these were U2F keys)?

1 Like