Locked out during Yubikey set up

I have been using Bitwarden Premium happily and maybe should have left well enough alone.

I am using the desktop app in windows and the firefox extension. I have today picked up a Yubikey NFC, the USB C version.

I did an export of a JSON file, not the encrypted version, before I tried this. I don’t recall it asking me to set a password for the backup file. That may mean it is the version that can only be opened in the app that made it. I haven’t tried that with my backup, which was done on a USB key and then removed from the system, as I understand it could be overwritten.

I intended to use the Yubikey to access my Bitwarden vault from a computer, a tablet and an Android phone. I went into my vault using the desktop app. I thought I followed all of the setup steps carefully using the authenticator in BW. I chose Manage for FIDO2 WebAuthn. It took a couple of attempts to get it to the green check mark indicating that the key is enabled. I closed it out.

Somewhere along the line it gave me a string of alpha characters to save. I have a screen shot of that even though the description said I did not need to write them down. I understood I was to do that again once I logged in again but I didn’t get that far.

When I tried to log in to my vault, I got a message that the security key did not look familiar, please try a different one.

And that is where I am stuck. To get into this forum I had to get a new password.

Am I hooped or is there a way back into my vault?

I just flipped over to a separate computer running Ubuntu, which has not been online in the last few days, and it let me in to my vault with my pass phrase alone. I did an export of the vault. It is still running and I could take any other steps to save the data it still seems to have access to.

Is it normal that I was still able to access the data?

This does not sound familiar, unless Bitwarden has significantly altered the workflow for registering WebAuthn keys. Would you be able to redact the screen shot to obfuscate or delete the actual alpha code, and post the redacted screen shot here?

Also, please let us know what version of Windows and Firefox you did this on, and please confirm that the work you did to attempt to register the Yubikey was done in the Web Vault (vault.bitwarden.com), even though you wrote “I went into my vault using the desktop app”.

Please provide some additional details. Which Bitwarden client instance were you trying to log in to? At what point in the process did the message appear? Can you post a screen shot of the error message (redacting any personally identifying information, if applicable)?

No, it just means you made a plaintext JSON export. It can be imported into any Bitwarden account, using the Web Vault’s import tool.

You may want to type >attachments:* into the vault search, to check if you have any file attachments in your vault. File attachments are not included in vault exports, so you would have to download those separately if you have to transfer everything to a new account.

If the issue is caused by some temporary glitch (or even a rare bug), it may eventually resolve itself. You should also contact support if you have not already done so. Depending on your answers to the above questions, it might also be something simple that can be figured out here on the forum.

1. Firefox is 120.0.1. It says it is up to date. Windows 11, v. 23H2.
   Looking at the screen shot I saved, I did not describe it well. It gave me a pass phrase. Here is a screen shot with the passphrase obscured.

   I think you are right that I was online in the web vault when I tried to register the key, and did it through FF.

2. Additional details:
   Which Bitwarden instance: I am not sure how to answer this. I use the web based main instance as far as I know. I am not self hosted.
   When message appeared: My recollection is that I followed these instructions: Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center. In step 4 I chose WebAuthn FIDO2. I gave it a name. When I got to step 7 and inserted the key, it did not give me a green check mark. I tried it again and this time it gave me the check mark. I moved on to try to log in with it, but no luck. It produced the unfamiliar key error I mentioned.

3. JSON export: OK, so can you point me to something with the steps to restore it from that backup file? After I posted this, I fired up an Ubuntu box that had not been online since I started this process, and it let me into my vault (a local version maybe?), and I was able to make both plaintext and encrypted exports, so I have those as well.

4. Attachments: I have not saved any separate files to Bitwarden, but I have notes in individual entries that I would like to recover.

5. I have contacted support, but I did that Saturday night and it is Sunday morning, so I assume that would hold up a response from them. The unfamiliar key error still comes up this morning, so a night’s sleep did not make it go away.

Thanks for your help.

Ken

Thanks for the added information. FYI, I further redacted your screenshot to delete personal information like your email address.

This is your account’s “fingerprint phrase”. It is used when joining organizations or setting up “login with device” functionality, etc. — it is not necessary when logging in to your account using master password plus 2FA, and it is not needed to set up 2FA.

Which Bitwarden instance: I am not sure how to answer this.

I was just asking whether you were using the browser extension, the Desktop app, or the Web Vault (vault.bitwarden.com).

It produced the unfamiliar key error I mentioned.

Technically, this error message is from Windows, not from Bitwarden. What were the steps that you performed just prior to seeing the error message? Normally, when you get to Bitwarden’s “FIDO2 WebAuthn” screen (shown in the background of the error message in your screenshot), you may or may not need to click the blue Authenticate WebAuthn button on that screen, but then you should get a pop-up from Windows Security, which says “Sign in with your passkey”. You then have to select the option “Security key” on that screen, and click the Next button. Next, you should be presented with another prompt from Windows Security, which says “Making sure it’s you”, and prompts you to insert your security key (if your key was not already inserted). Could you pull the security key out of the computer, try the login process again, and confirm that all of these steps are occurring in your case?

JSON export: OK, so can you point me to something with the steps to restore it from that backup file?

Instructions for importing are available here; when it comes time to specify the file format, select “Bitwarden (json)”. Please note that if you are importing into a vault that is not empty, the import process will create duplicate entries. I assume that your plan is to create a new account, and import everything there.

After I posted this, I fired up an Ubuntu box that had not been online since I started this process, and it let me into my vault (a local version maybe?), and I was able to make both plaintext and encrypted exports, so I have those as well.

If that vault was previously logged in, and you accessed it by unlocking it as opposed to logging in, and if the “ubuntu box” has been disconnected from the internet this whole time, then it is likely that it is showing you a locally cached version of your vault. In this case, your exports from that computer may (or may not) be outdated.

What Bitwarden client app (browser extension, Desktop app, or Web Vault) are you using to access the vault on your Ubuntu machine? Is the machine connected to the internet?

I have notes in individual entries that I would like to recover.

All notes are included in the exports.

Thank you for your help, lots of good stuff here from my perspective.

I did not understand the fingerprint phrase process. Good info, thanks, but I gather that does not move my situation ahead.

As to Bitwarden instance, I use the desktop app, the browser extension and the web vault interchangeably, whichever seems to do what I want at the moment. I think that there were some parts of the process that made me change instances but I don’t recall which I was using.

As to the unfamiliar key error: The process you describe lays out the steps I took. Trying it again after removing the key, I went to the bitwarden.com site and chose login. At the “Log in or create a new account to access your secure vault.” screen I gave it my master password and got this screen:

I chose Security key and it gave me this

I inserted the key and got the error I mentioned earlier about an unfamiliar key.

As to JSON export: Thanks for the link. I had seen that page but it all seemed to deal with importing the data from a different app rather than from a file exported from BW. I will have a closer look. I had not considered opening a separate vault but it sounds like I should do it that way.

As to the vault on the Ubuntu box, it was previously logged in; I accessed it by unlocking it, I think, as the computer at the time had no internet connection. It has not been connected since a few days before I started this process. When I saw it seemed to have the contents of my vault, I did exports from it of both encrypted and unencrypted versions.

Notes recovery: Great!

So, now I am not sure what to do next . . .

Don’t worry about the fingerprint phrase. It is a red herring, and not relevant to your situation.

I had initially asked about this code because I thought you might have been referring to the “Two-Step Login Recovery Code”, which would have been very handy to have in your situation. However, I’m assuming that you never saved your recovery code.

Importing is pretty straightforward. However, you have to be logged in to your vault to import, so I don’t think you have any choice but to create a new account, unless we figure out your login problem (in which case there won’t be a need to import your data anymore).

It has not been connected since a few days before I started this process.

I would advise you not to reconnect the Ubuntu machine to the internet until you have resolved your problem, because doing so could cause it to automatically get logged out without warning – which erases the locally cached copy of your vault data. For now, just use the Ubuntu vault to look up any passwords that you may need access to while waiting for this problem to get resolved.

So, now I am not sure what to do next . . .

Because the various Windows prompts that insert themselves into the WebAuthn process can get confusing, I have a hunch that you may have unintentionally registered a passkey as your FIDO2/WebAuthn 2FA, instead of registering your Yubikey as intended.

In your Windows Settings, go to Accounts > Passkeys. Do you see anything listed there, in the “Saved Passkeys” section?

I looked in Win Settings Accounts Passkeys. It says I have 1 passkey for login.microsoft.com with my email address.

No that’s probably not it, then. Any chance that you got a cell phone or other mobile device involved during the process of attempting to register your Yubikey in Bitwarden? For scanning some QR code, etc.?

I tried to use my Android phone to get in using the Yubikey, both via USB plug and via NFC, but got nowhere.

I was referring to your original statement that “It took a couple of attempts to get it to the green check mark indicating that the key is enabled.” During that process, is it possible that you may have used your Android phone because you interpreted some prompt that you might have read as instructing you to do so?

So I have the backups I did from my ubuntu box on a usb key now. Tried creating a new account in the app but it won’t let me because it already has an account with my email address . . . .

I thought I used android only after I could not get in using the key on my desktop but I could have that wrong. Not sure . . .

On the off chance that you unintentionally registered a passkey that is stored on your Android phone (instead of registering the Yubikey as intended), you could try the Bitwarden login process again, but when you get the Windows Security “Sign in with your passkey” prompt, just click “Next” without changing the selection to “Security key” (i.e., leave the selection as “iPhone, iPad, or Android device”). Then follow whatever prompts you are given, and see if this works.

The only other thing I can think of is that your Yubikey NFC model has the ability to store multiple “resident” FIDO2 credentials. So there is perhaps some trick required to get the Yubikey to present the correct FIDO2 key. These subtleties are unfortunately beyond my expertise, as I only have experience with the “simple” Yubikey Security Key series, which does not store any “resident” keys (only a single, hardware-bound key). Maybe somebody lurking in this thread can chime in, or perhaps Bitwarden’s customer support will be able to provide some advice.

Tried creating a new account in the app but it won’t let me because it already has an account with my email address . . . .

This is expected. Do you have another email account that you can use?

If you only have access to your one email account, and if you’re ready to give up on your original account (i.e., you don’t want to wait to see if you get any solution from customer support tomorrow), then you can delete your original account to make it possible to set up a new one. To delete the account, just submit the account’s email address on the deletion form available at https://vault.bitwarden.com/#/recover-delete, then look for the confirmation email and follow the instructions to verify that you want to delete the account.

Tried the phone approach. It popped up a QR code which led to a link on my phone that ended with No Passkey Available.

Thanks for the tip on account deletion. I think I will hold off until support has a chance to respond.

So, locked out for a couple of days, I must move forward. I would have preferred to do it with support from BW but after several requests I have only 2 emails asking for information already given. Bot responses I think. In order to end up with my long time email address as a login, I guess I need to get them to delete my whole account so I can set up another with the same email address. Wish me luck!

First, it is possible to change the email address associated with a Bitwarden account, so in case you’d like to start by setting up your new account under a different email address, then you could keep your original Bitwarden account for a while (if there is any reason to do so); after you delete the original Bitwarden account, you would then be able to change the email associated with your new Bitwarden account back to your preferred email address.

Second, please note that after deleting your original account and setting up your new account, you can ask support to transfer your Premium subscription from the old account to the new account.

Third, if you have any inclination to give customer support a chance to help further with the actual troubleshooting of your issue, I would suggest that you refer them to this thread, and specifically the second paragraph of my previous response, above. I am also pinging @sj-bitwarden here, to see if they can escalate your ticket.

Thanks very much for this. I have created a new vault and exported my back up data to it. It all looks good so far. I have asked them to delete my old one and change the login name on my new account to the email they had as login for the old vault. If that all works out, then I can try again to set up 2FA with my yubikey.

There were two areas of the various documents on the BW site that are either out of date, incorrect or I misunderstood them, probably the latter.

Encrypted Exports | Bitwarden Help Center talks about exports. The encrypted one I did from the old account could not be uploaded into the new account. The web site gave me no opportunity to enter the file password and then refused to upload it for lack of a password. Fortunately I had also done an unencrypted export and that I could import.

The other issue is that I missed the opportunity to get the recovery key that I was to get after 2FA was enabled. I looked unsuccessfully for how to get that key, and then I was locked out. Next time round, I need to get this part right.

These things are always an adventure, but I am nearly back to where I started and will press on.

Thanks again for your help.

Ken