Passwordless login to Bitwarden with FIDO2 security keys - Supported devices

I just tried passwordless login registration in web vault with my two different security keys

  1. Yubico Security Key NFC - U2F and FIDO2
  2. FEITIAN ePass K9

I was able to register the Yubico key but not the Feitian key. It is giving me “Your device can’t be used with this site” error (Chrome)

Interestingly, both keys are registered and work okay as a 2FA option. I am also able to register the Feitian device on https://webauthn.io

Are there any specific requirements for the passwordlesss login that might be the reason it’s not working for the second device ?

Here’s the comparison between the devices that I have been able to gather:

Feature FEITIAN ePass K9 Yubico Security Key NFC
Standards FIDO U2F, FIDO2 FIDO U2F, FIDO2
Connection USB-A, NFC USB-A, NFC
Supported Protocols Limited information available WebAuthn, FIDO2 CTAP1 & CTAP2, U2F
Multi-device Support Yes (limited documentation on specifics) Yes
Number of Credentials Up to 22 credentials Limited information available
Security Certifications FIDO Certified FIDO Certified
Additional Features None May lack in some areas like PIV support
Software Windows only Cross-platform (Windows, macOS, Linux)
1 Like

IINM, the browser (and operating system) have to support the PRF extension. And the security key has to support the HMAC-SECRET FIDO2 extension.

This is so that the security key can be used for vault encryption/decryption.

If the security key, for example, does not support hmac-secret extension, then it will be usable to authenticate you, but you will need to enter the master password to decrypt the vault (which makes that passwordless login kinda pointless).

2 Likes

@triceps-tamale Were you able to create a Bitwarden-passkey without encryption?

From what I see, it is said this K9 key can only be used for 2FA/MFA… I don’t read anything about the ability to saving passkeys. So my first bet would be, that that key can’t save any passkeys.

Do you have a source for that information?

The only source I can find for that claim regarding the Feitian K9 is in their product description on Amazon — hardly an authoritative source.

Meanwhile, the Yubico Security Key NFC series can hold up to 100 resident (discoverable) credentials with Firmware version 5.7 and higher, or up to 25 discoverable credentials with Firmware versions 5.0–5.6 (source).

2 Likes

Probably… Because that info is not even on the product description of their own website…

BTW, the change from max. 25 to max. 100 is also true for YubiKey series 5 with firmware 5.7 and above.

Google Gemini :sweat_smile:
So likely false

I did not get to that stage as the error message I get is the first step when I plug it in, before you get to the point where you have the checkbox to enable / disable encryption

I thought this is optional, so what you’re saying is that it’s a must. But that option appears as a checkbox that I assumed can be turned off. In any case, the error message I received was before I even got to the point where I could toggle the encryption / decryption

:wink:

So then I can only repeat myself… This seems to not fail on the encryption-part (it never get’s to the part where PRF would come into play) - but I still guess, the stick isn’t able to store discoverable credentials (aka passkeys) ?!

No, no, it’s optional. I think @kpiris just wanted to emphasize, that it doesn’t make too much sense to have such a Bitwarden-login-passkey without encryption, as you still have to enter the master password then.

1 Like

Did you try registering a discoverable credential there? (click on advanced settings and select required on discoverable credential field).

2 Likes

I just did and I got the same error message.
Can you explain please ?

1 Like

One general thing one could also check: are all relevant protocols/interfaces activated? I think, by default, they should be…

Though I don’t know if you can configure that at all with that FEITIAN key. - With a YubiKey, you can deactivate the FIDO/FIDO2 interfaces, and then you probably would get a similar error message, because it wouldn’t be possible to store discoverable credentials on that YubiKey, until the FIDO/FIDO2 interfaces get activated again.

1 Like

It seems that your security key does not support discoverable credentials (that’s the type of credential stored in the key for passwordless login to bitwarden -and other sites too-).

Also: security keys have a limited number of slots to store that kind of discoverable credentials, it could be that your security key supports them but has no available slots (although I doubt that).

2 Likes

Maybe look into some of the set-up tools mentioned here, to ensure FIDO2 is enabled and a PIN has been set:

https://fido.ftsafe.com/setupsecuritykey/

 

Also, what operating system are you using?