How do I fix a corrupt passkey?

Problem

Login with passkey from another device does not work:

Bitwarden Web app in Win11 VMs thinks the Samsung S10+ phone passkey belongs to my Samsung Galaxy Tab S2 tablet (which is way too old to support passkeys).

There seems to be a corruption in my Bitwarden Samsung Galaxy S10+ passkey when attempting ‘Login with passkey’ on the Web app in Chrome from a VMware Workstation Windows 11 virtual machine running on a Windows 11 PC.

The problem only manifests in both Windows11 VMs (but not in the host PC Win11 OS). However, the VMs are where I need the functionality to work, so that I can use my phone as a passkey 2FA device and don’t need to buy a separate Yubikey for each VM, or continually switch my existing USB Yubikey between the host and the different VMs every time I need to authenticate.

‘Login with passkey’ also does not work back the other way from Android Samsung S10+ to any Win11 host or VM OS.

How do I resolve this?

My Devices:

  • Windows11 PC (MSI Z590 motherboard, Intel CPU 8-core, 64GB RAM, NVMe4 C: drive)
  • Windows11 VMware Workstation VMs.
  • Samsung Galaxy S10+ phone with Secure Folder sandbox enabled (Model: SM-G975F. Android version: 12)

Bitwarden on Windows11 thinks the S10+ passkey belongs to:

  • Samsung Galaxy Tab S2 tablet (Model: SM-T819Y. Android version: 7.0)

The S2 tablet is way too old to support any passkey functionality whatsoever.

My Bitwarden Web app login passkeys:

Bitwarden web app / Security menu / Log in with passkey section:

  • Yubikey 5C NFC (Used for encryption)

  • YubiKey 5C Nano (Used for encryption)

  • Samsung Galaxy S10+ (Used for encryption)

  • Windows11 VM #1 (Encryption not supported)

  • Windows11 VM #2 (Encryption not supported)

Detail of Problem:

Attempting Bitwarden web app login in Chrome browser from the Windows11 PC:

Click ‘Login with passkey’

Click ‘Use a different passkey’

Click ‘On other devices’:

[email protected]

From ‘SM-T819Y’ (Samsung Galaxy S2 tablet. Should say: ‘SM-G975F’ (S10+))

‘A notification was sent to SM-T819Y’ (Should send to: SM-G975F … so authentication has failed)

Click ‘Try again’

Click ‘Use a different passkey’

Click ‘Use a different phone, tablet or security key’

Click ‘Use another device’

Click ‘More choices’: then click ‘iPhone, iPad, or Android device’

It then presents the QR code.

It will not successfully authenticate with QR code via either the Samsung S10+ or ‘SM-T819Y’. The Android device cameras on both devices read the QR code, but the URL does not establish communication and validate the authentication attempt. It just times out attempting.

Attempting ‘Login with passkey’ in the opposite direction (from S10+ to Win11) presents a similar problem.

From the Web app in Chrome browser on S10+ to both Windows11 host and Win11 VM it presents, then accepts, the ‘Are you trying to login’ window with the ‘Fingerprint phrase’ after clicking on ‘Confirm login’.

But then it fails on the S10+ with the error ‘No passkey found on device’, even though I have a fully functioning Yubikey inserted into the Win11 PC, and a Windows Hello passkey created in Bitwarden for each Win11 virtual machine.

If I use the Yubikey 5C Nano inserted into my S10+, local passkey login works immediately.

I need ‘Login with passkey’ to work from the S10+ to the Win11 PC, because neither the USB nor NFC Yubikeys work in the Samsung Secure Folder sandbox. This is where I store all my sensitive Android apps that require passkey login. Android blocks USB and NFC into Secure Folder.

Total Passkeys:

  • I have about 25 relying party passkeys set up in each of the five above passkey authenticators.
  • The Bitwarden synced passkeys work fine on the S10+ for relying party passkey logins on both the Android host OS, and in Samsung Secure Folder.
  • Apart from the ‘Login with passkey’ problem, all of these passkeys work fine on all supported devices, OSes, and virtual machines.

Possible solution but catch:

  • I could try deleting the ‘Samsung Galaxy S10+’ passkey and recreating it, to see if it fixes the corruption. But then I would have to re-create the passkeys for the 25 relying party passkeys attached to that Android S10+ device passkey.
  • Plus, I would have to re-create all passkeys for all devices with relying parties that do not allow labelling of passkeys; there is no way to identify which passkey is which, so they all need to be deleted and re-created.
  • Even if I did all that work, there is no guarantee it would fix the corruption.

Is there an alternative way to fix this?

@Paradox I don’t know if I understand you correctly:

  1. You write of “login with device” also… but that is not a passkey functionality, as I understand it. Do you really use both (“login with passkey” and “login with device”) or was that a typo?

  2. Do any of your bitwarden-login-passkeys work on your VM for “login with passkey”?

PS: As far as I know, there is no “repair function” for passkeys…

… to my second question: I guessed there could be restrictions for passkeys on VMs (my simple thought: hardware-bound passkeys also have mechanisms to ensure “being close-by”; I can imagine that VMs hinder that…). And Brave KI (AI) also tells me that there are limitations, e.g. with the “QR-code-thing”. So I would recommend searching for more info on passkeys and VMs. And so I would guess the passkey may not be corrupt, but it maybe doesn’t work on a VM. :thinking:

Hi Nail1684.

Apologies, typo. I am just learning all this; I meant login with passkey from another device.
I have corrected my post.

You asked:
" 1. Does any of your bitwarden-login-passkeys work on your VM for “login with passkey”?"
Reply:
The Yubikey and Windows Hello Bitwarden passkeys perform successful local Bitwarden login on all Windows VMs (and the Win11 host OS).

On the Android S10+, from the Chrome browser, if I try to ‘Authenticate WebAuthn’, it says: ‘No passkey found on device’.

@Paradox Okay. And did you see my second post (right before/above your second post)?

Thanks for pointing out your second post … it was bedtime here in Australia; I am just returning to it now.

Regarding VM restrictions and proof of proximity:
I have paired both VMs’ Win11 Bluetooth with the S10+, and there is no change to the problem.
Both Win11 VMs still think the Android device is ‘SM-T819Y’ (Samsung Galaxy S2 tablet) when it should say: ‘SM-G975F’ (S10+).

This still happens even when the ‘SM-T819Y’ is powered down, so it is not picking it up on Wi-Fi or Bluetooth.

This is why it behaves like a passkey corruption, even though there may be a different underlying cause.

My Bose QC45 Bluetooth headphones pair simultaneously to both the Win11 PC and the Android S10+, and automatically switch between each device and the VMs, depending on which is playing audio. Bluetooth audio works seamlessly and perfectly.

The only difference I can see is that the Bluetooth SSID for the Win11 PC host shows up in the S10+ list of Bluetooth devices, but the Win11 VM Bluetooth SSIDs do not, even though the Bluetooth headphones connect and work via Bluetooth in the VMs, and I could successfully pair Bluetooth between a Win11 VM and the S10+.

I am wondering if it is something to do with the way VMware handles Bluetooth.

Also, even though both the Win11 host and the Win11 VMs successfully pair with the Android S10+, they connect briefly for about 60 seconds, then the connection drops and they both say ‘not connected’ (but remain paired).

I am wondering if the Samsung Galaxy S10+ does not support the Windows11 “Join Personal Area Network (PAN)” function profiles, and if this has any bearing on the problem. But this is not an issue for the Win11 PC host Web app login with passkey on the S10+. I would have thought this would affect host and VMs equally.

Thanks for your detailed answers, though I have difficulty understanding everything. (I’m not familiar with VMs and English is not my mother tongue.) And so, I think I cannot really help you and hope someone else might “chime in”.

Only a few speculations:

So, if I understand you correctly, the Bitwarden-login-passkey on your S10+ doesn’t work at all? Not on the VM and not on “normal” Windows 11? So then the VM is only an additional problem, but the problem is there without the VM as well?

Is there a possibility that you didn’t create it on the S10+ device? E.g. by accident in the Google Password Manager instead? (though that couldn’t have led to “with encryption” :thinking:) Maybe a bit silly, but could it have happened that you accidentally created that passkey on another device, like one of the YubiKeys or even (attempted) on the Tab S2?

… and the S10+ “Secure Folder sandbox” cannot interfere here? (e.g. so that if the passkey was created on the S10+, it may be “protected/hidden” via this sandbox)

I think you mean by “deleting” the passkey, you can only delete all passkeys on the S10+? But if you delete the entry in the web vault for the S10+ and try to create the login-passkey again, it should either only overwrite your old passkey on the S10+ (if it was there and maybe indeed corrupted) or create a new passkey on the S10+.

I don’t understand why, if doing this, you would have to re-create all other passkeys as well?

PS: To my very last point: as far as I understand it, a passkey “stands for itself” (or rather is “connected” between the “wallet” and the “relying party”), but anyway, a passkey is not connected to another (or other) passkeys… As I wrote: as long as you don’t delete all passkeys in a wallet (like a FIDO2 reset on a YubiKey would delete all stored passkeys (and reset the FIDO PIN)), I don’t see how one newly created passkey would affect other stored passkeys. Or am I missing something?

It works perfectly locally on the Android device and locally inside a Windows VM. ‘Login with passkey from another device’ does not work.

I have done a lot more work, and I think I have finally got to the bottom of it:


Cause:

The Samsung S10+ has limited support for passkeys, and does not support natively storing the private key and passkeys in the device Secure Enclave / TEE (Trusted Execution Environment). Neither Android 12 nor Samsung Pass/Wallet on the S10+ has a passkey menu.

Instead, the S10+ uses Google Password Manager as a sort of proxy Android passkey authenticator.

I mistakenly thought that the Bitwarden passkey (and all other passkeys) were device-bound passkeys stored on the S10+, but the passkeys are actually synced passkeys stored in Google Password Manager.

Also, I am not sure if Bitwarden passkey Beta, Windows Hello passkey functionality, and VMware fully support ‘login from another device’.


Work-around:

I have now created a full set of passkeys for Bitwarden and all other ‘relying parties’ both on a Windows VM in Hello, and in Google Password Manager (in addition to Bitwarden itself, and my two Yubikeys). This gives me enough passkey login functionality in Android Secure Folder and VMs.


Fix:

Regarding the ‘corruption’ described above, and ‘Login with passkey from another device’ not working: I will get by without it for a while, until I buy a new current model phone that supports full passkey functionality, and the passkey software environment matures. Maybe a year or two.

‘Gotcha’:

Some passkey authenticators do not display all passkeys stored in them.

This is what confused and tricked me about where the passkeys were stored on the S10+ (they are stored in Google Password Manager, not on the device).

The Yubikey Authenticator ver.7 and Google Password Manager only display ‘discoverable’ passkeys. ‘Non-discoverable’ passkeys are still stored, and fully functional, but not displayed.


Discoverable passkeys:

  • Amazon
  • Bitwarden
  • Github
  • Google
  • Microsoft (all email accounts)
  • Telstra

Non-Discoverable passkeys:

@Paradox I’m glad you worked it out for yourself.

Are you sure about that? On my Fairphone 5 with Android 13, when I go to Settings > Passwords etc. > Google, I’m in the Google Password Manager section. On the top right, I have an account symbol. If I tap on that, the last point is something like “Manage passwords on this device” (loose translation from German). There I can change between the Google (account) and the (Android) device. Do you see that on the S10+? Or is it different with Samsung (and Android 12, and Samsung UI)?

Unfortunately, both functions run under Google Password Manager, which adds confusion to an already confusing thing (passkeys…).

That was something I suspected as well…

That was something I realized in the last weeks as well. And to add a bit of clarity here: strictly speaking, “non-discoverable credentials (FIDO2)” are not called passkeys, and they function mostly (only?) for 2FA/MFA.

Only “discoverable credentials (FIDO2)” are called passkeys (again, strictly speaking) and make it possible to log in only with that passkey (that is not possible with a non-discoverable credential), and of course PIN/biometrics as user verification for that passkey.
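An added example, not from this thread or from Bitwarden, modelling how a WebAuthn authenticator picks credentials during a login request. It shows the mechanism behind the distinction above: a discoverable credential (passkey) is found from the relying party ID alone, while a non-discoverable credential is only reachable when the relying party already names it (the 2FA-after-password case), and it is also why a "passkey list" that shows only discoverable credentials leaves non-discoverable ones fully usable. All rpIds, credential IDs and user handles are constructed sample values.

```javascript
// Constructed sample store of what an authenticator might hold.
// A discoverable ("resident") credential stores rpId + user handle, so the
// authenticator can locate it with nothing but the rpId from the request.
// A non-discoverable credential keeps the key but not an rpId index the
// authenticator will search, so the RP must send its ID in allowCredentials.
const storedCredentials = [
  { id: "cred-bw-01", rpId: "vault.example", discoverable: true, userHandle: "user-1" },
  { id: "cred-git-01", rpId: "git.example", discoverable: true, userHandle: "user-1" },
  { id: "cred-bank-2fa", rpId: "bank.example", discoverable: false, userHandle: null },
];

// What a passkey-manager UI typically enumerates: discoverable credentials only.
function listDisplayedCredentials(creds) {
  return creds.filter((c) => c.discoverable).map((c) => c.id);
}

// What an RP asks for at registration time. residentKey decides whether the
// authenticator must store a discoverable credential; userVerification tells it
// whether a PIN/biometric check is required. (Shape follows the WebAuthn
// authenticatorSelection dictionary; "passwordless" vs "secondFactor" are the
// two use cases discussed in the thread.)
function authenticatorSelectionFor(useCase) {
  if (useCase === "passwordless") {
    return { residentKey: "required", userVerification: "required" };
  }
  if (useCase === "secondFactor") {
    return { residentKey: "discouraged", userVerification: "discouraged" };
  }
  throw new Error(`unknown use case: ${useCase}`);
}

// Simplified credential selection for a get() request.
// request = { rpId: string, allowCredentials: string[] }
function selectCredentials(creds, request) {
  const sameRp = creds.filter((c) => c.rpId === request.rpId);
  if (request.allowCredentials.length > 0) {
    // RP named specific credential IDs (typical second-factor flow):
    // any matching credential is usable, discoverable or not.
    return sameRp.filter((c) => request.allowCredentials.includes(c.id));
  }
  // Empty allow list (passkey / passwordless flow): the authenticator must
  // discover the credential by rpId, so only discoverable ones qualify.
  return sameRp.filter((c) => c.discoverable);
}

// Convenience wrapper returning just the IDs, for readable results.
function selectCredentialIds(creds, request) {
  return selectCredentials(creds, request).map((c) => c.id);
}

// Stand-alone demonstration.
console.log("displayed:", listDisplayedCredentials(storedCredentials));
console.log("bank, passkey flow:", selectCredentialIds(storedCredentials, { rpId: "bank.example", allowCredentials: [] }));
console.log("bank, 2FA flow:", selectCredentialIds(storedCredentials, { rpId: "bank.example", allowCredentials: ["cred-bank-2fa"] }));
console.log("vault, passkey flow:", selectCredentialIds(storedCredentials, { rpId: "vault.example", allowCredentials: [] }));
```

The bank credential never appears in the displayed list, yet it still authenticates when the relying party supplies its ID; the same credential yields an empty result in the passwordless flow, which is the "No passkey found" experience from the user's side.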

Nail1684: For a non-native English speaker, your written English is better than that of a lot of natives. I would never have guessed.

Fairphone 5 vs. Samsung Galaxy S10+:

Fairphone 5 (2023 model, Android 13) is equivalent to Samsung Galaxy S23. I am jealous. I think most of my problems would disappear if I had one of those.

I have Samsung Galaxy S7 (2016 model, Android 9) and Samsung Galaxy S10+ (2019 model, Android 12). My Samsung Galaxy S2 Tab (2015 model, Android 8) is pre-passkey official support.

On all Samsung devices, in the Android Settings app, when I navigate to the password manager menu, Samsung have replaced Google Password Manager with their integrated Samsung Pass / Wallet apps (depending on phone model), which are lagging Google in passkey support. There is no user-configurable way to change this.

In Chrome, on both phones, I can navigate to Google Password Manager and the top right account symbol. If I tap on that, it is the same as yours: I tap on “Manage passwords on this device”. However, this only gives me a list of non-passkey app login accounts (as opposed to website login accounts).

Please refer to webpage: “Can I use passkeys on my devices?”:

You can see that the industry proudly proclaims passkey support going back to Android 9 … but in the real world, it does not fully function as designed on old devices and operating systems. It is very difficult to find a list of things that only partially work, or don’t work at all.

The Galaxy series is Samsung’s flagship model line. The S7 and S10+ were the top-of-the-line phones in their day when they were released. So, if support for all passkey functionality actually worked in the day, it would have worked on these phones and their subsequent 3 years of Android OS upgrades. It appears that passkey technology is an evolutionary ‘work in progress’.

On the S7, passkeys appear in Google Password Manager (and Bitwarden and USB Yubikey), but they don’t work for logging into any website no matter what I try.

On the S10+, everything works except ‘login with passkey on another device’.


Thanks for the clarification.

dev.yubico has a good explanatory article:

https://developers.yubico.com/Passkeys/Passkey_concepts/Discoverable_vs_non-discoverable_credentials.html

“While non-discoverable credentials are not considered passkeys … they are still valid WebAuthn credentials” … It may all be straightforward to the passkey Gods, but it gets confusing to mere mortals such as myself.

@Paradox

Yeah, passkeys are new (though FIDO / FIDO2 are not that new…) and it is a “bumpy road”…

Interesting to hear about the situation with Samsung phones… The next Samsung I can get into my hands will be examined closely. :wink:

And thanks for the link! That one I didn’t know. Very nice overview. Here is an overview from the more or less official site (though they write that it is for developers and not end-users): Device Support | passkeys.dev

By the way, with “login with passkey on another device” I think you mean Cross-device authentication (Terms | passkeys.dev), as I newly learnt myself, right?

Passkey Cross-device Authentication (CDA) device support:

Good link, thanks.

According to the matrix in that link, passkey CDA for Bitwarden ‘login with passkey on another device’ from:

  • Windows (v23H2+) client to Android (v9+) authenticator is supported by FIDO2 standards, but does not work for me on my Samsung S7 (Android 9) or S10+ (Android 12).
  • Android client (planned) to Windows authenticator (N/A) is not supported.

My understanding is that Cross-Device Authentication is a general term which may, or may not, employ passkeys.

Microsoft’s number matching from PC to the Microsoft Authenticator app on a phone is a form of non-passkey CDA.

Bitwarden’s non-passkey fingerprint CDA works even on my old devices where passkey CDA does not:

Bw-admin post: “Have you tried out the new Login with Device functionality?”

https://community.bitwarden.com/t/have-you-tried-out-the-new-login-with-device-functionality/

The FIDO alliance uses the term ‘CDA’ only in the context of passkey CDA, because that is their focus.


A source of confusion is that Bitwarden have two ‘login with device’ CDA methods:

  • Non-passkey, using fingerprint phrases.
  • Passkey, using passkeys.

@Paradox … Hey, just another thought about the QR codes… A thing I just remembered: how did you try to scan the QR code?

A few weeks ago, I experimented myself with “login with passkey” and “FIDO2 WebAuthn-2FA” with Bitwarden, and experienced that the “QR-code-thing” only worked when I used the Android built-in camera that I can open by “swiping down” on my display, where there is the option “scan QR code”. Here is a screenshot of what I mean:

If I did it with my normal camera app or via another camera function, it didn’t work. I don’t know if this is different on a Samsung device. But if you have more than one option for scanning the QR code, did you try them all? (my hunch is you already did, but better safe than sorry)

Good suggestion. I hadn’t tried that, but I did just now, and unfortunately I got the same symptoms: timed out trying, but couldn’t connect.
I also checked that I had Chrome set as the default browser.

I figured out how to get this passkey CDA to work:

On the Windows browser Bitwarden Web app, select ‘Login with passkey’ and choose my Samsung S10+.

This invokes the Google Password Manager authenticator passkey login prompt on the Android S10+.

On the Android passkey prompt, the trick is to tap on the email address, instead of the ‘Continue’ button. It then prompts for a PIN, accepts the PIN, and logs in the Windows Bitwarden browser Web app with a passkey via cross device authentication.

I don’t know why the ‘Continue’ button fails to do the same thing.

I don’t know what happened overnight, but it is now working.

Tapping on the ‘Continue’ button was saying ‘Passkey not found’.

Now it prompts for PIN or fingerprint, and both work, and the Windows Bitwarden Web app successfully logs in via passkey with cross device authentication from the Samsung S10+.

If the developers fixed it, thanks!

@Paradox Hi! Nice to hear from you.

And it sounds good that it works now. Yeah, maybe Bitwarden updates (or Windows updates?) changed something…

Nail1684: Good to hear your cheery voice :grinning:

After a month off, I have come back to the problem … and digging deeper, it is not as resolved as I thought …

Passkey ‘Login with device’ now works perfectly on the Windows11 host PC, but I still get the same passkey cross-device authentication problem from the Windows11 VMware VMs …

The Problem:

The Cause:
I think I may have cracked the cause of it, but not the fix (if it is even fixable at all).

Check out this screenshot of my Google account passkeys:

(Note: There are two ‘automatically created’ passkeys for each device model: one for the Android host, and one for the Android Secure Folder sandbox (VM))

Note the section:
" Automatically created passkeys

Android devices automatically create passkeys for you when you sign in to your Google Account."

However, the hardware and Android versions of the S2 and S7 devices all pre-date the 2018 worldwide passkey general release date by 2 years and more. How can Google possibly be creating FIDO2/WebAuthn-compliant passkeys on these legacy devices?

Samsung Galaxy Tab S2 tablet:

  • Model: SM-T819Y
  • Release Date: 2016
  • Android version: 7.0

Samsung Galaxy S7 phone:

  • Model: SM-G935F
  • Released March 2016
  • Android version: 8.0.0

Note that the Google account also says that the passkeys of these old devices were recently used.

Is Google using ‘smoke and mirrors’ to create something on these old devices that emulates some passkey functionality? Something that pre-dates the Samsung Trusted Execution Environment (TEE) chipset and passkey authenticator, and therefore must be using some other older storage and authenticator?

On a legacy Android device:

  • These Google pseudo-passkeys work to log into a Google account, but
  • 3rd-party website passkeys are not even synchronised in Google Password Manager
  • 3rd-party website passkeys stored in Bitwarden appear but cannot be used to log in with passkey into any relying party website.

The Fix:
For some inexplicable reason, when in a Windows VM, Bitwarden selects the oldest device out of the automatically created Google passkeys, and gives me no option to select from a list of devices so that I can pick the device that works (S10+).

I suspect this problem affects every VMware Workstation Windows VM where the user has multiple Android devices and a legacy pre-passkey era Android device in the mix.

The solution would be for Bitwarden to present a list of the device passkeys in the Google account, and allow the user to choose.

:sweat_smile:

Hi!

Only some comments, as I still am not familiar with the combination of Windows, VMs, Bitwarden and passkeys… :tipping_hand_man:

Some caution of wordings: though you added the word “passkey” before it, “login with device” is another thing with Bitwarden…

To this screenshot… You are in the web vault and got this “passkey prompt”, right? Well, I don’t think “Bitwarden thinks” this… that prompt is offered by your browser, I guess. It’s not a Bitwarden prompt. (It looks like a prompt a Chromium-based browser would produce?!) And I guess it may (here) be more a combination of OS and browser that leads to this prompt… not Bitwarden.

That is indeed a good question (what happens here with older devices, which shouldn’t be able to create passkeys, after all that was communicated?!). :thinking:

My first thought was to ask that of someone who knows more about it… But I don’t know whether there is even a possibility to get into contact with the FIDO Alliance, passkeys.dev, or at least Google itself, about what they do with older devices and why there are passkeys created where there shouldn’t be? (though getting a good answer from support may be an exercise in vain…)

Again, I don’t think Bitwarden selects something here (see my comment about the prompt…) :thinking:

I think I repeat myself :sweat_smile: but the prompt you got doesn’t even get to a point where Bitwarden comes into play, as far as I see… (though you start something from the Bitwarden web vault, it gets to the OS/browser then…)

And you say “Google account”… but you need a passkey from one of the (older) Android devices? That is a tricky question in and of itself, as we discussed earlier, I guess?! Because a passkey on an Android device can be stored in the Android device itself and only there (that is called “Google Password Manager” as well, but these passkeys shouldn’t be in the Google account then, only on the device!)… and a passkey can be stored on the Android device AND be synchronized with the Google account (again, this would also be visible in the “Google Password Manager”)… so I guess what is accessed here (and where that is really stored) is also a bit unclear… :thinking:

Thanks for your feedback Nail1684. You gave me much food for thought; I hope my response below clarifies things.

Regarding ‘Login with device’: my understanding is that Bitwarden supports two types of cross device authentication using an out-of-band device:

1. Non-passkey:

Uses fingerprint passphrase.

Official Bitwarden terminology: “Login with Device”

https://community.bitwarden.com/t/have-you-tried-out-the-new-login-with-device-functionality/

2. Passkey:

Passkey pop-up windows use cross-device authentication terminology variations such as: “On other device”, “Use another device”, “Use a different phone, tablet, or security key”, “iPhone, iPad, or Android device”.

Clearly, passkeys may be used to log in with another device as if that device is a security key; it is just a matter of semantics.

Bitwarden Web App ‘Login with passkey’ workflow and issues

In the screenshot workflows attached below:

The explanatory excerpts in italics are from article: “How passkeys will impact app security and set us free”

My edits are in green font.

My graphic above describes three main things:

  1. Cross device authentication using passkeys within VMware Workstation Windows VMs does not work (but the fingerprint passphrase method does work).
  2. Bitwarden does not validate non-sync-able Windows Hello passkeys for the correct Windows OS instance, and presents them for login even if the Hello passkey was created on another OS instance (i.e. Bitwarden is treating them the same as all other sync-able passkeys).
  3. The Chrome WebAuthn dialog appears to be using passkeys from the Google Account when I am using the Chrome browser (which works great on the host PC, but not in VMs).

Discussion thread from the Samsung Forum, “Issue with pass keys”:
Some other people are also experiencing problems with cross device authentication using their phones as security keys via login with passkey (phone as the second out-of-band device).

I am intending to eventually upgrade my phone to the latest Samsung Galaxy S24 with Android 14, but some of the users on the Samsung forum are experiencing problems even with that phone.
It would not be the solution to all the passkey problems.
The solution is probably allowing the whole passkey ecosystem to mature with the passage of time.