Securing my Bitwarden account with a Yubikey 5 NFC

I could use some help securing my Bitwarden account using a Yubikey 5 NFC. This is my first Yubikey so I could be making a silly mistake. I’m running Firefox (129.0.2) on Windows 10.

I am trying to follow the instructions from this page:

Using the Yubikey Manager, I created a PIN for my new Yubikey. I’m not sure if that is required but the manager software recommended it.

After logging into my Bitwarden web vault, I went to Settings → Security → Two-Step Login and then selected “Manage” next to the “Passkey” item.

I entered a name for my key and then selected “Read Key”. It prompted me for a PIN which I entered and then I selected “Save”. It was not clear to me if the PIN requested was the PIN associated with my Windows 10 computer or if it was the PIN associated with the new Yubikey.

All seems good so far.

Then I logged out of my web vault.

When I try to log back in, I am prompted for my username and password, which I enter. It then prompts me for a PIN as shown below.
[Screenshot]

It does not ask for my Yubikey. If I enter my PIN, it logs me in. If I cancel the PIN entry, I see this dialog:
[Screenshot]

When that error message goes away, I am left with this screen:
[Screenshot]

So I click on “Authenticate WebAuthn” and I get this error:

I clearly don’t know what I’m doing. Could someone help me with the correct steps to use a Yubikey 5 NFC using FIDO2 WebAuthn?

@wcb I have a theory about what happened:

When you chose “PIN” here…

[Screenshot]

… you created that credential in your Windows Hello.

You would have to choose “Security Key” to create the credential on your YubiKey. (and the same goes for logging in then: also choose “Security Key”)

The popups of Windows Hello / Windows Security are a bit tricky… if you don’t choose the option you (really) want… well… then it doesn’t choose/use that option. 😅

Thanks. When I click on “Security key” from that dialog, I immediately receive this message:

[Screenshot]

Yeah, that’s when you try to log in without having registered the YubiKey, but presumably Windows Hello.

You have to register the security key = YubiKey in the web vault first (by choosing “security key” after the “Read Key” as you described here):

As you wrote further on:

When you did that, you didn’t register the YubiKey but Windows Hello. You have to choose “security key” after / when selecting “Read Key”.

Thanks for sticking with me. When I removed the security key and selected “Read key” again, I now always get this error. I tried different USB ports, but always get the same error.

[Screenshot]

If I remove the key here, do I now have to reset it first using the Yubikey Manager before adding it again to Bitwarden?

Okay, but after “Read key”, then first Windows Hello/Windows Security pops up, you choose “Security key” and then you get this error from Bitwarden, right?

(normally, after you choose “Security Key” in the prompt, it should recognize the YubiKey and I guess prompt you for “touching” the YubiKey - and then the YubiKey should be registered here… so again, please describe a bit more what happens between clicking “Read key” and the error message)

I think this is not necessary, as you presumably didn’t create a credential on the YubiKey here yet.

Regarding the error message: what you could check in the YubiKey Manager would be that FIDO2 is checked for USB usage in the “Interfaces” section. Because otherwise the YubiKey can’t be registered here.

When I selected “Read Key” I immediately got that error message with no popup. So, I closed my browser and restarted it. When I went back into the Bitwarden page for managing security keys and clicked on “Read Key” again, it worked! As you stated, the Windows Hello dialog popped up. Previously, as you said, I provided my PIN. This time I cancelled and another dialog popped up asking me to touch my Yubico key. It registered it and now I can use my Yubikey as a 2FA to log in. Thank you so much for helping me through this. The dialogs that pop up when setting this up make it more confusing and don’t match what is shown in the Bitwarden guide. It’s all good now. Thanks again!


Ah, glad that it works now for you! And restarting would have been my next suggestion, if it had still not worked. 😉

And yeah, Windows Hello/Windows Security is confusing at first… now you are already more familiar with it. 😉
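
The root cause in this thread was a credential created on Windows Hello instead of on the YubiKey. As an added example (not part of the thread and not Bitwarden's code), the sketch below shows how a WebAuthn registration result reveals which kind of authenticator created it. The function names and the sample objects are constructed for illustration; the input follows the shape of `PublicKeyCredential.toJSON()`.

```javascript
// Added example (not Bitwarden code). Samples below are constructed.
const ROAMING = new Set(["usb", "nfc", "ble"]);

// Decode the fixed-layout head of authenticator data:
// rpIdHash (32 bytes) | flags (1) | signCount (4) | AAGUID (16, if AT flag set)
function parseAuthData(b64url) {
  const buf = Buffer.from(b64url, "base64url");
  if (buf.length < 37) throw new Error("authenticator data too short");
  const flags = buf[32];
  const attested = (flags & 0x40) !== 0;
  if (attested && buf.length < 53) throw new Error("truncated AAGUID");
  return {
    userPresent: (flags & 0x01) !== 0,  // touch / presence test
    userVerified: (flags & 0x04) !== 0, // PIN or biometric
    aaguid: attested ? buf.subarray(37, 53).toString("hex") : null,
  };
}

// "platform" = built into the device (e.g. Windows Hello),
// "roaming"  = removable security key (e.g. a YubiKey over USB or NFC).
function classifyRegistration(reg) {
  const transports = reg.response.transports || [];
  const roaming = transports.some((t) => ROAMING.has(t));
  let kind = "unknown";
  if (reg.authenticatorAttachment === "platform") kind = "platform";
  else if (reg.authenticatorAttachment === "cross-platform") kind = "roaming";
  else if (roaming) kind = "roaming";
  else if (transports.includes("internal")) kind = "platform";
  return { kind, ...parseAuthData(reg.response.authenticatorData) };
}

// Constructed sample: zeroed rpIdHash, given flags, counter 0, placeholder AAGUID.
function sample(attachment, transports, flags, aaguidHex) {
  const authData = Buffer.concat([
    Buffer.alloc(32), Buffer.from([flags]), Buffer.alloc(4),
    Buffer.from(aaguidHex, "hex"),
  ]).toString("base64url");
  return { authenticatorAttachment: attachment,
           response: { transports, authenticatorData: authData } };
}

const helloLike = sample("platform", ["internal"], 0x45, "aa".repeat(16));
const keyLike = sample("cross-platform", ["usb", "nfc"], 0x41, "bb".repeat(16));
console.log(classifyRegistration(helloLike).kind, classifyRegistration(keyLike).kind);
```

`authenticatorAttachment` and `transports` are client-reported hints, and the AAGUID may be all zeros when the site does not request attestation, so treat the result as a diagnostic rather than proof of the authenticator model.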
