Problems logging into the Bitwarden web site using YubiKey

Hi,

I am having problems logging into the Bitwarden website using a YubiKey. Today is my first exposure to YubiKeys so it’s new to me. I set up the YubiKey on the Bitwarden web site. Have no problems logging in using Windows 11 Pro/Edge/Bitwarden Extension with the YubiKey. Login works fine. However, when I try to log in to the Bitwarden website, after entering the email address and master password and selecting Security Key, Windows responds with “This security key doesn’t look familiar. Please try a different one.” Can’t seem to get past it and not sure what to do next. Any ideas, anyone? Cheers.

It is a little difficult to discern what is going on in your setup, but my best guess is that you are confusing two distinct uses of Yubikeys:

  1. Passwordless authentication for logging in to your Bitwarden account, in which the Yubikey is the first credential provided (and the only credential required, if you enabled encryption when registering your login passkey). This is currently only possible on the Web Vault app (https://vault.bitwarden.com), and is not possible in browser extensions.

  2. Two-step login into your Bitwarden account, in which the Yubikey is provided as a second authentication factor (2FA) after inputting the email address and master password.

If you registered a Yubikey as a passkey for passwordless login, but did not register that same key as an approved method for two-step login using FIDO2/WebAuthn, then you will get an error if you attempt to use that Yubikey as 2FA.

If you registered a Yubikey as a 2FA method, but did not register it as a passkey for passwordless login, then you will get an error if you attempt to use that Yubikey for passkey login.

1 Like
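
The distinction described in the reply above, as an added example that is not part of the original posts and is not Bitwarden's or Yubico's code: a simplified JavaScript model in which each enrolment creates its own credential on the key and the server keeps one list per purpose. The relying-party ID, credential IDs, class names, and the choice to model two-step credentials as non-discoverable are assumptions made for illustration.

```javascript
// Simplified model of WebAuthn credential selection (constructed example;
// all names and IDs are hypothetical, not Bitwarden's or Yubico's code).
const RP_ID = "vault.example"; // placeholder relying-party ID

class SecurityKey {
  constructor() { this.creds = []; }
  // Registration creates a new credential bound to one rpId.
  register(rpId, discoverable) {
    const id = `cred-${this.creds.length + 1}`; // constructed credential ID
    this.creds.push({ id, rpId, discoverable });
    return id;
  }
  // Assertion: with a non-empty allow list the key must hold one of the
  // listed IDs; with an empty list only discoverable credentials qualify.
  getAssertion(rpId, allowCredentials) {
    const match = this.creds.find((c) =>
      c.rpId === rpId &&
      (allowCredentials.length > 0
        ? allowCredentials.includes(c.id)
        : c.discoverable));
    return match ? { ok: true, id: match.id } : { ok: false, id: null };
  }
}

class Account {
  constructor() { this.passkeyLogin = []; this.twoStep = []; }
  enrolPasskeyLogin(key) { this.passkeyLogin.push(key.register(RP_ID, true)); }
  enrolTwoStep(key) { this.twoStep.push(key.register(RP_ID, false)); }
  // Second factor after email + master password: server sends its 2FA list.
  twoStepLogin(key) {
    if (this.twoStep.length === 0) return false; // method never enrolled
    const r = key.getAssertion(RP_ID, this.twoStep);
    return r.ok && this.twoStep.includes(r.id);
  }
  // Passwordless: no allow list; accept only IDs enrolled for passkey login.
  passkeyLoginAttempt(key) {
    const r = key.getAssertion(RP_ID, []);
    return r.ok && this.passkeyLogin.includes(r.id);
  }
}

// Enrol one key for either or both purposes, then try both login flows.
function scenario(enrolPasskey, enrolTwoStep) {
  const key = new SecurityKey();
  const acct = new Account();
  if (enrolPasskey) acct.enrolPasskeyLogin(key);
  if (enrolTwoStep) acct.enrolTwoStep(key);
  return { twoStep: acct.twoStepLogin(key), passkey: acct.passkeyLoginAttempt(key) };
}
```

Calling `scenario(true, false)` and `scenario(false, true)` reproduces the two failure cases from the reply; `scenario(true, true)` shows the same key serving both purposes once it is enrolled for each.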

Many thanks for replying. You’re right at the moment I’m a tad confused. What doesn’t help is that my YubiKey seems to have died. Got in touch with Yubico and they had me go through registration and authentication tests on the key and the registration test comes back with Device Not Registered and nothing happens when I press the disc on the key. The LED doesn’t illuminate at all when the disc is pressed. Additionally the safely remove hardware option doesn’t appear on the taskbar. I have to remove the key using Bluetooth/Other Devices settings. This happens on both a Windows 10 Home PC and Windows 11 Pro PC. First things first, I believe I’ll probably need a new key before going any further with this. For the moment thanks again.

1 Like

FWIW, I have never seen the “Safely Remove Hardware” icon in the systray when I plug in my Yubikeys (this is on a Windows 11 system). The keys can just be pulled out without any preliminary steps to “safely remove”.

With regards to your other problems, please check if they still occur after you get a replacement key, and report back after testing.

Thanks for getting back to me again. On my Windows 11 Pro System the option to safely remove the YubiKey was definitely available when I first started using the key but stopped becoming available after using the key a few times. I know for some hardware you don’t necessarily need to go through the safely remove hardware process due to Microsoft’s continued past work on the technology. The main problem for me at the moment though is Yubico’s Registration test coming back with Device Not Registered, although the key passed the authentication test ok and the key not responding to disc presses. I’ll stay in touch in due course. Cheers.

Hey @reachnet , is there a link to the “Yubikey registration test”? (couldn’t find it)

And I can report, I also see the “safely remove” for my YubiKey 5C NFC (on Windows 11):

image

But the thought occurred to me, if one only sees that when OTP, FIDO, CCID (or something else?) is still activated on the YubiKey?

That leaves me to: did you @reachnet change something for the YubiKey with the YubiKey Manager (YubiKey Manager | Yubico)? E.g. deactivate some functions/services on the YubiKey?

1 Like

Hi,

You should be able to access Yubico’s registration/authentication tests for the key at the following link

https://demo.yubico.com/webauthn-technical/registration

From my experience so far with the key, although I definitely saw the Safely Remove hardware option for the key, it didn’t list the Interfaces that were active on the key, just the YubiKey itself. Enabling/disabling the interfaces on the key using YubiKey Manager didn’t seem to make a difference at all.

When I was having problems logging into Bitwarden’s web vault I disabled all the Interfaces on the YubiKey Manager so that only Fido2 was being used for both USB/NFC. That’s the current state of the Interfaces on the key.

I’m not doing anything more with the key at the moment. Waiting for Yubico coming back to me (hopefully tomorrow) regarding my request for a replacement key if they believe the key is now in effect a small brick. :frowning:

Cheers.

Okay, and thanks for all the other info (and the link!).

But if the Yubikey is really broken, maybe you can experiment, with activating all protocols again and see if the Yubico registration test delivers a different result? (if I understood you correctly, you did the test with only Fido2 activated, right?)

I think that is the standard setting (and how it still looks on my YubiKeys):

… and I don’t want to quibble with Yubico support :sweat_smile: but did you try to reset FIDO2… just in case something was “messed up” there and a reset could “repair” (though I’m not sure if “reset” only resets the PIN/PUK here or something else for the FIDO2 function in general :thinking: - EDIT: “reset” here also deletes FIDO2 credentials - so whoever reads this later on: make sure to not need those credentials anymore before deleting them…)?

image

Hi,

Have already done enough troubleshooting with the software to be of the belief that the main problem for me at the moment is with the hardware and not the software.

The best thing for me to do at the moment is just to wait on Yubico to come back to me regarding my belief that I need to resolve the hardware issue first. Once I believe that’s been resolved, then I can hopefully move forward by experimenting with the software.

Cheers.

@reachnet Okay, but honestly (and I don’t mean this personally so please don’t be “offended” by it :face_with_peeking_eye:), to me it sounds more like a configuration problem.

You said in the first place, your YubiKey worked, and then you got “problems”. It sounds a little bit odd, that they first seem to work and in one or two days “break” :thinking: - but everything is possible, I reckon.

Either way, I just did some testing with one of my 5C NFC keys, so that you know it (as well for your replacement key, if you get one): if I disable every interface except FIDO2, then my LED doesn’t work either. And I cannot “see” (or “safely remove”) the YubiKey then, as you experience it. So these two things are quite normal under these mentioned circumstances/configuration and (alone) don’t point to a defective Yubikey.

PS: Addition to the “safely remove”: whether it’s there or not - I usually don’t use it with the YubiKeys. :sweat_smile:

Hi,

Thanks for the info.

That’s interesting. I may just try your suggestions.

Leave it with me. I’m in a bit of a lazy mode at the moment. I’ll probably have a play with the Yubikey later on tonight to see what happens.

Could you possibly do me a favour? Could you disable all the Interfaces on your 5C NFC key again except FIDO2 and run Yubico’s registration/authentication test again and see what happens? I’ll be really interested to know if the registration test fails in that scenario, if it passed for you before.

No rush, just whenever you feel like it.

Cheers.

1 Like

To add some information: My keys only have the FIDO protocol, so perhaps that is the reason they do not appear in the “Safely Remove” menu for me (on Windows 11).

1 Like

Okay, I just tested the registration:

… and it worked for me:

So, two things for you:

  1. I’m on Windows, too. When I just tried it, Windows Security/Hello came up. Are you sure you then chose “security key”? Because otherwise, you’re trying to test “Windows Hello” on the Yubikey registration test.

  2. I would recommend trying a FIDO2 reset, as I suggested a few posts above. (I think this also deletes FIDO2 credentials you added to the Yubikey, so be sure you don’t need them - and it may reset something that may be messed up here)

If both things don’t change anything, then I personally would go with a broken YubiKey… (as long as Yubico doesn’t have another idea :crazy_face:)

No problem, take your time.

Hi,

Just tried running Yubico’s reg/auth tests again following your suggestions and this time both passed. Made sure I used the security key option and not Windows Hello.

So it looks like the key is ok. Many thanks for helping prove me wrong and I really mean that. :slight_smile:

Enabled all Interfaces on the key and the Safely Remove Hardware option has reappeared in the systray. Looks like you’re spot on that it doesn’t appear if you only use the FIDO2 Interfaces on the key. Not exactly sure in what other scenarios that would happen and to be perfectly honest I just can’t be bothered testing them all.

Looks like I should now only need to get past logging into Bitwarden’s Web Vault. grb’s previous post has perhaps pointed me in the right direction (I hope) in that I set up all the passkeys for all of my devices (Win10 Home PC/Win 11 Pro PC/Android Smartphone) previously. At that time I didn’t have the YubiKey to set up; I did that later. grb pointed out that I could have problems logging into the Web Vault if I didn’t set up the keys, including the YubiKey, at the same time.

That’s my job for later on this evening after dinner.

Cheers m8 (and grb). Owe you a pint if we ever meet. Thanks.

2 Likes

Glad we could sort this out for you! :blush:

And in a way: thanks that you were open enough, to go at it again. :pray:

Ah, and in addition to @grb’s first answer to you: you can actually add your YubiKey as 2FA (WebAuthn-option, no login possible but merely the “second factor”) and as a “login-passkey” (as a “passkey with encryption” in the “login with passkey” section in the web vault). So both things can be stored on your YubiKey at the same time.

Info to that: at the moment, “login with passkey” is only possible to the web vault.

And in that instance…: save your 2FA-recovery-key, if not already done. :+1:

Glad we could help. Feel free to start a new thread if you encounter some other problem or point of confusion; I will mark this thread as solved.

Will do chaps. Thanks again for the info.

Just to let you guys know I was previously storing my login ids/unique strong passwords in plaintext files and encrypting them with the freely available open source program Veracrypt (paid the developer a contribution as I found Veracrypt very useful and used it daily) on the local file systems of 2 PCs. Served me well for years, but I decided to join the modern World and start using Bitwarden instead. There’s an obvious learning curve involved, but the end result is you’ll be in a better place going forward, as long as you continue to trust the software?

Cheers guys. :slight_smile:

2 Likes

Just to completely close this thread off. I’m now able to access the Bitwarden Vault using both the Web Interface and Browser Extensions with the YubiKey. Cheers guys. :slight_smile:

2 Likes