New Android phone install insists on FIDO2 WebAuthn

Hi there

I have Bitwarden Premium installed on 1 Oppo Android phone, 1 Amazon Fire tablet, and a Windows 11 desktop. None of these are set up to use 2FA. This is how I want it and it works well for me.
I have just acquired a new Xiaomi Android phone and installed Bitwarden on it. However, when I open the app, sign in with email address and master password, it then insists on presenting a screen requesting I confirm my identity using FIDO2 WebAuthn. I can’t spot any way to bypass this or use an alternative confirmation. I’m not aware that I’ve asked for this in what is an otherwise virgin phone. Bitwarden is the first and only app I’ve installed and tried to use.

I can’t work out what I may have done differently in this most recent installation compared to the other painless installations. Any hints or tips?

Thanks in advance

Hey @KenMuir, just to confirm, you don’t think that you set up a passkey/WebAuthn as 2FA for your Bitwarden account while using the web vault on a mobile device?

Hi

Thank you for responding so promptly.

I’m as certain as I can be that 2FA isn’t enabled. On the three devices I mentioned, login on the Oppo Android app is by fingerprint recognition only, login on the Windows 11 desktop is by fingerprint only (both for the Bitwarden app and for the browser extension), and login on the Amazon Fire tablet is by master password only. At no point do any of these instances prompt me for confirmation or acknowledgement.

The Xiaomi Android phone showing the problem is certainly a much more recent version of Android than the Oppo: it’s 12 with latest security updates dated Nov 2022.

I’ll keep poking around and try un/re-install, and checking settings elsewhere. I think I’m right that the Bitwarden website is the only place one can enable or disable 2FA for an account?

Regards

Yes, via the web vault: https://bitwarden.com/help/setup-two-step-login-fido/. Feel free to send a message to the official support team at bitwarden.com/contact.

Well, as usual with odd symptoms like these, there is a very clear cause when one eventually finds it, but not one that I can explain.

Un/re-installing on my phone made no difference. I went to the website using my desktop browser, and there, in ACCOUNT SETTINGS > SECURITY > TWO-FACTOR AUTHORISATION was WebAuthn with a green tick alongside it. What? How? When? I have no idea. I clicked on “manage” and, listed along with the default 5 WebAuthn Key #s was a browser WebAuthn key. No idea how that got there or whether it was affecting my phone. There was an extra button for “reset”, or “clear” (I can’t recall exactly, and it’s no longer there). I clicked on this, the web vault key disappeared, and everything on my phone kicked into life immediately.

So problem solved, case closed, but no real idea of root cause - simply a rather coarse but effective solution.

Thanks for reading, and the suggestions.