I could use some help securing my Bitwarden account using a Yubikey 5 NFC. This is my first Yubikey so I could be making a silly mistake. I’m running Firefox (129.0.2) on Windows 10.
I am trying to follow the instructions from this page:
Using the Yubikey Manager, I created a PIN for my new Yubikey. I’m not sure if that is required but the manager software recommended it.
After logging into my Bitwarden web vault, I went to Settings → Security → Two-Step Login and then selected “Manage” next to the “Passkey” item.
I entered a name for my key and then selected “Read Key”. It prompted me for a PIN which I entered and then I selected “Save”. It was not clear to me if the PIN requested was the PIN associated with my Windows 10 computer or if it was the PIN associated with the new Yubikey.
All seems good so far.
Then I logged out of my web vault.
When I try to log back in, I am prompted for my username and password, which I enter. It then prompts me for a PIN as shown below.
It does not ask for my Yubikey. If I enter my PIN, it logs me in. If I cancel the PIN entry, I see this dialog:
When that error message goes away, I am left with this screen:
So I click on “Authenticate WebAuthn” and I get this error:
… you created that credential in your Windows Hello.
You would have to choose “Security Key” to create the credential on your YubiKey. (and the same goes for logging in then: also choose “Security Key”)
The popups of Windows Hello / Windows Security are a bit tricky… if you don’t choose the option you (really) want… well… then it doesn’t choose/use that option.
Thanks for sticking with me. When I removed the security key and selected “Read key” again, I now always get this error. I tried different USB ports, but always get the same error.
If I remove the key here, do I now have to reset it first using the Yubikey Manager before adding it again to Bitwarden?
Okay, but after “Read key”, then first Windows Hello/Windows Security pops up, you choose “Security key” and then you get this error from Bitwarden, right?
(normally, after you choose “Security Key” in the prompt, it should recognize the YubiKey and I guess prompt you for “touching” the YubiKey - and then the YubiKey should be registered here… so again, please describe a bit more what happens between clicking “Read key” and the error message)
I think this is not necessary, as you presumably didn’t create a credential on the YubiKey here yet.
Regarding the error message: what you could check in the YubiKey Manager is that FIDO2 is checked for USB usage in the “Interfaces” section, because otherwise the YubiKey can’t be registered here.
When I selected “Read Key” I immediately got that error message with no popup. So, I closed my browser and restarted it. When I went back into the Bitwarden page for managing security keys and clicked on “Read Key” again, it worked! As you stated, the Windows Hello dialog popped up. Previously, as you said, I provided my PIN. This time I cancelled and another dialog popped up asking me to touch my Yubico key. It registered it and now I can use my Yubikey as a 2FA to log in. Thank you so much for helping me through this. The dialogs that pop up when setting this up make it more confusing and don’t match what is shown in the Bitwarden guide. It’s all good now. Thanks again!