How do I fix a corrupt passkey?

Problem

Login with passkey from another device does not work:

Bitwarden Web app in Win11 VMs thinks the Samsung S10+ phone passkey belongs to my Samsung Galaxy Tab S2 tablet (which is way too old to support passkeys).

There seems to be a corruption in my Bitwarden Samsung Galaxy S10+ passkey when attempting ‘Login with passkey’ on the Web app in Chrome from a Windows11 PC VMware Workstation Windows11 virtual machine.

The problem only manifests in both Windows11 VMs (but not the host PC Win11 OS). However, the VMs are where I need the functionality to work - so that I can use my phone as a passkey 2FA device and don’t need to buy a separate Yubikey for each VM, or continually manually switch my existing USB Yubikey between the host and different VMs every time I need to authenticate.

‘Login with passkey’ also does not work back the other way from Android Samsung S10+ to any Win11 host or VM OS.

How do I resolve this?

My Devices:

  • Windows11 PC (MSI Z590 motherboard, Intel CPU 8-core, 64GB RAM, NVMe4 C: drive)
  • Windows11 VMware Workstation VMs.
  • Samsung Galaxy S10+ phone with Secure Folder sandbox enabled (Model: SM-G975F. Android version: 12)

Bitwarden on Windows11 thinks the S10+ passkey belongs to:

  • Samsung Galaxy Tab S2 tablet (Model: SM-T819Y. Android version: 7.0)

The S2 tablet is way too old to support any passkey functionality whatsoever.

My Bitwarden Web app login passkeys:

Bitwarden web app / Security menu / Log in with passkey section:

  • Yubikey 5C NFC (Used for encryption)

  • YubiKey 5C Nano (Used for encryption)

  • Samsung Galaxy S10+ (Used for encryption)

  • Windows11 VM #1 (Encryption not supported)

  • Windows11 VM #2 (Encryption not supported)

Detail of Problem:

Attempting Bitwarden web app login in Chrome browser from the Windows11 PC:

Click ‘Login with passkey’

Click ‘Use a different passkey’

Click ‘On other devices’:

[email protected]

From ‘SM-T819Y’ (Samsung Galaxy S2 tablet. Should say: ‘SM-G975F’ (S10+))

‘A notification was sent to SM-T819Y’ (Should send to: SM-G975F … so authentication has failed)

Click ‘Try again’

Click ‘Use a different passkey’

Click ‘Use a different phone, tablet or security key’

Click ‘Use another device’

Click ‘More choices’: then click ‘iPhone, iPad, or Android device’

It then presents the QR code.

It will not successfully authenticate with QR code via either the Samsung S10+ or ‘SM-T819Y’. The Android device cameras on both devices read the QR code, but the URL does not establish communication and validate the authentication attempt. It just times out attempting.

Attempting ‘Login with passkey’ in the opposite direction (from S10+ to Win11) presents a similar problem.

From the Web app in Chrome browser on S10+ to both Windows11 host and Win11 VM it presents, then accepts, the ‘Are you trying to login’ window with the ‘Fingerprint phrase’ after clicking on ‘Confirm login’.

But then it fails with error on the S10+ ‘No passkey found on device’. Even though I have a fully functioning Yubikey inserted into the Win11 PC, and a Windows Hello passkey created in Bitwarden for each Win11 virtual machine.

If I use the Yubikey 5C Nano inserted into my S10+, local passkey login works immediately.

I need ‘Login with passkey’ to work from the S10+ to the Win11 PC, because neither the USB nor NFC Yubikeys work in the Samsung Secure Folder sandbox. This is where I store all my sensitive Android apps that require passkey login. Android blocks USB and NFC into Secure Folder.

Total Passkeys:

  • I have about 25 relying party passkeys set up in each of the five above passkey authenticators.
  • The Bitwarden sync’d passkeys work fine on the S10+ for relying party passkey logins on both the Android host OS, and in Samsung Secure Folder.
  • Apart from the ‘Login with passkey’ problem, all of these passkeys work fine on all supported devices, O.S.’s, and virtual machines.

Possible solution but catch:

  • I could try deleting the ‘Samsung Galaxy S10+’ passkey and recreating it, to see if it fixes the corruption. But then I would have to re-create the passkeys for the 25 relying party passkeys attached to that Android S10+ device passkey.
  • Plus, I would have to re-create all passkeys for all devices with relying parties that do not allow labelling of passkeys – there is no way to identify which passkey is which, so they all need to be deleted and re-created.
  • Even if I did all that work, there is no guarantee it would fix the corruption.

Is there an alternative way to fix this?

@Paradox I don’t know if I understand you correctly:

  1. You write of “login with device” also… but that is not a passkey functionality, as I understand it. Do you really use both (“login with passkey” and “login with device”) or was that a typo?

  2. Does any of your bitwarden-login-passkeys work on your VM for “login with passkey”?

PS: As far as I know, there is no “repair function” for passkeys…

… to my second question: I guessed there could be restrictions for passkeys on VMs (my simple thought: hardware-bound passkeys also have mechanisms to ensure “being close by” - I can imagine that VMs hinder that…). And Brave KI (AI) also tells me that there are limitations - e.g. with the “QR-code thing”. So I would recommend searching for more info on passkeys and VMs. And so I would guess the passkey may not be corrupt, but it maybe doesn’t work on a VM. :thinking:

Hi Nail1684.

Apologies - typo - I am just learning all this - I meant login with passkey from another device.
I have corrected my post.

You asked:
“1. Does any of your bitwarden-login-passkeys work on your VM for “login with passkey”?”
Reply:
The Yubikey and Windows Hello Bitwarden passkeys perform successful local Bitwarden login on all Windows VMs (and the Win11 host OS).

On the Android S10+, from Chrome browser, if I try to ‘Authenticate WebAuthn’, it says: ‘No passkey found on device’.

@Paradox Okay. And did you see my second post (right before/above your second post)?

Thanks for pointing out your second post … it was bedtime here in Australia, I am just returning to it now.

Regarding VM restrictions and proof of proximity:
I have paired both VMs’ Win11 Bluetooth with the S10+, and there is no change to the problem.
Both Win11 VMs still think the Android device is ‘SM-T819Y’ (Samsung Galaxy S2 tablet) when it should say: ‘SM-G975F’ (S10+).

This still happens even when the ‘SM-T819Y’ is powered down, so it is not picking it up on Wi-Fi or Bluetooth.

This is why it behaves like a passkey corruption, even though there may be a different underlying cause.

My Bose QC45 Bluetooth headphones pair simultaneously to both Win11 PC and Android S10+, and automatically switch between each device and VMs, depending on which is playing audio. Bluetooth audio works seamlessly and perfectly.

The only difference I can see is that the Bluetooth SSID for the Win11 PC host shows up in the S10+ list of Bluetooth devices, but the Win11 VM Bluetooth SSIDs do not, even though the Bluetooth headphones connect and work via Bluetooth in VMs, and I could successfully pair Bluetooth between Win11 VM and S10+.

I am wondering if it is something to do with the way VMware handles Bluetooth.

Also, even though both Win11 host and Win11 VM devices successfully pair with the Android S10+, they connect briefly for about 60 seconds, then the connection drops and they both say ‘not connected’ (but remain paired).

I am wondering if the Samsung Galaxy S10+ does not support the Windows11 “Join Personal Area Network (PAN)” function profiles, and if this has any bearing on the problem. But this is not an issue for the Win11 PC host Web app login with passkey on the S10+. I would have thought this would affect host and VMs equally.

Thanks for your detailed answers, though I have difficulty understanding everything. (I’m not familiar with VMs and English is not my mother tongue) And so, I think I can not really help you and hope, someone else might “chime in”.

Only a few speculations:

So, if I understand you correctly, the Bitwarden-login-passkey on your S10+ doesn’t work at all? Not on the VM and not on “normal” Windows 11? So then the VM is only an additional problem, but the problem is there without the VM as well?

Is there a possibility, that you didn’t create it on the S10+ device? E.g. by accident rather in the Google Password Manager? (though that couldn’t have led to “with encryption” :thinking:) Maybe a bit silly, but could it have happened, that you accidentally created that passkey on another device, like one of the YubiKeys or even (attempt) on the Tab S2?

… and the S10+ “Secure Folder sandbox” can not interfere here? (e.g. so that if the passkey was created on the S10+, it may be “protected/hidden” via this sandbox)

I think you mean by “deleting” the passkey, you can only delete all passkeys on the S10+? But if you delete the entry in the web vault for the S10+ and try to create the login-passkey again, it should either only overwrite your old passkey on the S10+ (if it was there and maybe indeed corrupted) or create a new passkey on the S10+.

I don’t understand, if doing this, you would have to re-create all other passkeys new as well?

PS: To my very last point: as far as I understand it, a passkey “stands for itself” (or rather is “connected” between the “wallet” and the “relying party”) - but anyway, a passkey is not connected to another (or other) passkeys… As I wrote: as long as you don’t delete all passkeys in a wallet (like a FIDO2 reset on a YubiKey would delete all stored passkeys (and reset the FIDO-PIN)) I don’t see how one newly created passkey would affect other stored passkeys. Or am I missing something?


It works perfectly locally on the Android device and locally inside a Windows VM. ‘Login with passkey from another device’ does not work.


I have done a lot more work, and I think I have finally got to the bottom of it:


Cause:

The Samsung S10+ has limited support for passkeys, and does not support natively storing the private key and passkeys in the device Secure Enclave / TEE (Trusted Execution Environment). Neither Android 12 nor Samsung Pass/Wallet on the S10+ has a passkey menu.

Instead, the S10+ uses Google Password Manager as a sort of proxy Android passkey authenticator.

I mistakenly thought that the Bitwarden passkey (and all other passkeys) were device bound passkeys stored on the S10+, but the passkeys are actually sync’d passkeys stored in Google Password Manager.

Also, I am not sure if Bitwarden passkey Beta, Windows Hello passkey functionality, and VMware, fully support ‘login from another device’.


Work-around:

I have now created a full set of passkeys for Bitwarden and all other ‘relying parties’ on both a Windows VM in Hello, and in Google Password Manager (in addition to Bitwarden itself, and my two Yubikeys). This gives me enough passkey login functionality in Android Secure Folder and VM’s.


Fix:

Regarding the ‘corruption’ described above, and ‘Login with passkey from another device’ not working – I will get by without it for a while, until I buy a new current model phone that supports full passkey functionality, and the passkey software environment matures. Maybe a year or two.

‘Gotcha’:

Some passkey authenticators do not display all passkeys stored in them.

This is what confused and tricked me about where the passkeys were stored on the S10+ (they are stored in Google Password Manager – not on the device).

The Yubikey Authenticator ver.7 and Google Password Manager only display ‘discoverable’ passkeys. ‘Non-discoverable’ passkeys are still stored, and fully functional, but not displayed.


Discoverable passkeys:

  • Amazon
  • Bitwarden
  • Github
  • Google
  • Microsoft (all email accounts)
  • Telstra

Non-Discoverable passkeys:

@Paradox I’m glad, you worked it out for yourself.

Are you sure about that? - On my Fairphone 5 with Android 13, when I go to Settings > Passwords etc. > Google, I’m in the Google Password Manager section. On the top right, I have an account symbol. If I tap on that, the last point is something like “Manage passwords on this device”. (loose translation from German) There I can change between the Google (account) and the (Android) device. Do you see that on the S10+? Or is it different with Samsung (and Android 12, and Samsung UI)?

Unfortunately, both functions run under Google Password Manager, which adds confusion to an already confusing thing (passkeys…).

That was something I suspected as well…

That was something I realized the last weeks as well. And to add a bit of clarity here: strictly speaking, “non-discoverable credentials (FIDO2)” are not called passkeys - and they function mostly (only?) for 2FA/MFA.

Only “discoverable credentials (FIDO2)” are called passkeys (again, strictly speaking) and make it possible to login only with that passkey (that is not possible with a non-discoverable credential) and of course PIN/biometrics as user verification for that passkey.

Nail1684: For a non-native English speaker, your written English is better than a lot of natives – I would never have guessed.


Fairphone 5 vs. Samsung Galaxy S10+:

Fairphone 5 (2023 model, Android 13) is equivalent to Samsung Galaxy S23. I am jealous. I think most of my problems would disappear if I had one of those.

I have Samsung Galaxy S7 (2016 model, Android 9) and Samsung Galaxy S10+ (2019 model, Android 12). My Samsung Galaxy S2 Tab (2015 model, Android 8) is pre-passkey official support.

On all Samsung devices, in the Android Settings app, when I navigate to the password manager menu, Samsung have replaced Google Password Manager with their integrated Samsung Pass / Wallet apps (depending on phone model), which are lagging Google in passkey support. There is no user-configurable way to change this.

In Chrome, in both phones, I can navigate to Google Password Manager, the top right account symbol. If I tap on that, it is the same as yours – I tap on: “Manage passwords on this device”. However, this only gives me a list of non-passkey app login accounts (as opposed to website login accounts)


Please refer to webpage: “Can I use passkeys on my devices?”:

You can see that the industry proudly proclaims passkey support going back to Android 9 …… but in the real world, it does not fully function as designed on old devices and operating systems. It is very difficult to find a list of things that only partially work, or don’t work at all.

Galaxy series is Samsung’s flagship model line. S7 and S10+ were the top-of-the-line phones in their day when they were released. So, if support for all passkey functionality actually worked in the day, it would have worked on these phones and their subsequent 3 years of Android O.S. upgrades. It appears that passkey technology is an evolutionary ‘work in progress’.

On the S7, passkeys appear in Google Password Manager, (and Bitwarden and USB Yubikey) but they don’t work logging into any website no matter what I try.

On the S10+, everything works except ‘login with passkey on another device’.


Thanks for the clarification.

dev.yubico has a good explanatory article:

https://developers.yubico.com/Passkeys/Passkey_concepts/Discoverable_vs_non-discoverable_credentials.html

“While non-discoverable credentials are not considered passkeys …. they are still valid WebAuthn credentials” …. It may all be straightforward to the passkey Gods, but it gets confusing to mere mortals such as myself.

@Paradox

Yeah, passkeys are new (though FIDO / FIDO2 are not that new…) and it is a “bumpy road”…

Interesting, to hear about the situation with Samsung phones… The next Samsung I can get into my hands, will be examined closely. :wink:

And thanks for the link! That one I didn’t know. Very nice overview. - Here is an overview from the more or less official site (though they write, it is for developers and not end-users): Device Support | passkeys.dev

By the way, with “login with passkey on another device” I think you mean Cross-device authentication (Terms | passkeys.dev), as I newly learnt myself, right?

Passkey Cross-device Authentication (CDA) device support:

Good link – thanks.

According to the matrix in that link, passkey CDA for Bitwarden ‘login with passkey on another device’ from:

  • Windows (v23H2+) client to Android (v9+) authenticator is supported by FIDO2 standards - but does not work for me on my Samsung S7 (Android 9) or S10+ (Android 12)
  • Android client (planned) to Windows authenticator (N/A) is not supported.


My understanding is that Cross-Device Authentication is a general term which may, or may not, employ passkeys.

Microsoft’s number matching from PC to the Microsoft Authenticator app on a phone is a form of non-passkey CDA.

Bitwarden’s non-passkey fingerprint CDA works even on my old devices where passkey CDA does not:

Bw-admin post: “Have you tried out the new Login with Device functionality?”

https://community.bitwarden.com/t/have-you-tried-out-the-new-login-with-device-functionality/

The FIDO alliance uses the term ‘CDA’ only in the context of passkey CDA, because that is their focus.


A source of confusion is that Bitwarden have two ‘login with device’ CDA methods:

  • Non-passkey, using fingerprint phrases.
  • Passkey, using passkeys.

@Paradox … Hey, just another thought about the QR codes… A thing, I just remembered: how did you try to scan the QR code?

A few weeks ago, I experimented myself with the “login with passkey” and “FIDO2 WebAuthn-2FA” with Bitwarden, and found that the “QR-code thing” only worked when I used the Android built-in camera, which I can open by “swiping down” on my display, where there is the option “scan QR code”. Here is a screenshot of what I mean:

If I did it with my normal camera app or via another camera function, it didn’t work. - I don’t know if this is different on a Samsung device. But if you have more than one option of scanning the QR code - did you try them all? (my hunch is you already did, but better safe than sorry)

Good suggestion - I hadn’t tried that - but I did just now, and unfortunately I got the same symptoms: Timed out trying, but couldn’t connect.
I also checked that I had Chrome set as the default browser.