Remove Phone as a WebAuthn Security Key

Hello,

Without any action on my part, when I am prompted in Chrome on Windows 10 to confirm my U2F security key, I am suddenly also presented with the option to confirm my identity with my (Android) phone.
When I check the two-factor authentication page in my Bitwarden account, I can see a second entry under WebAuthn besides my U2F key, but this one is not removable.
I do not want the option to confirm my login with my phone; I want it to be strictly with the U2F key. I haven’t found anything yet on how to get rid of the phone as an authentication mechanism. I could only trace it back far enough to see that it somehow seems to be related to Google Chrome and/or my Google account.
Help is appreciated, thank you.

I hope it’s not super belated, but I’m seeing this as well. To be safe, I’d like to remove the WebAuthn entries. However, as mentioned above I don’t have a means of manually removing these ones.

It’s a new feature from Google (Chrome). If you’ve never added your phone to your Bitwarden account WebAuthn 2FA, your phone couldn’t be used as a 2FA device.

Hi.

I have exactly the same issue noticed today.

How do I remove it?

I also only want security keys to be added.

Should say I am using Brave browser so could be behind the Chrome implementation.

Thanks.

Rich.

Just to add.

I have today tried to uninstall the Bitwarden app off the phone and it still pings it from the web vault somehow!

Highly frustrating and cannot stop it?

My other account stored on a Huawei phone doesn’t do this?

I suggest everyone having this issue go to their Google Account settings and check their GOOGLE options for MFA. Especially if they are on mobile, because I believe you gave Google Play Services permission to use your phone as a security key.

I became the owner of my first set of YubiKeys yesterday and this was my first (and hopefully only) problem with them. They work as expected now. :grin:


I have just checked and it is shown as follows:

Only way to remove it there is sign out of the account by the looks?

How did you get around that stupid idea?

Thanks.

Skip down for TL;DR for importance:

Sorry, somehow I completely missed this. NO! You don’t want to remove that. Your phone is a security key in and of itself. Google jumped on the Yubikey train long ago (we wouldn’t even be talking about them without it honestly) and your modern Android phone is fully FIDO2 compliant.

That option will delete your access from your Google account. Not insurmountable, but it could be very inconvenient for a few days.

What I was talking about is a little dialog box when you use the Yubikey on a service for the first time.

I’ve since found that clicking “Remember this device” will cause the same behavior–you can log in with no Yubikey. You can fix this by going to any service that requires it and telling it to forget all sessions.

As usual with Bitwarden, make sure your recovery strategy is good and logout+in on all your Bitwarden clients.

TL;DR - NO NO NO

Thanks.

Not sure that would work, as I use the Yubikey in FIDO mode, not validating against Yubico servers.

Tbh, I have pretty much moved away from Google but get a prompt to my new phone which isn’t signed in to any Google services.

It seems to be related to the fact that I sync Brave Browser so Brave will know that I have a phone as well as this PC.

I did just try to log in using Chrome and it just prompts to insert the key instead of giving options for a phone as well.

Thanks.