0xdddd
December 9, 2025, 9:07pm
Add support for FIDO2/WebAuthn authentication using hardware security keys (YubiKey, SoloKey, etc.) on Android devices without Google Play Services.
Problem
The Bitwarden Android app currently relies on Google Play Services for FIDO2/WebAuthn. Users on degoogled Android (GrapheneOS, CalyxOS, LineageOS) cannot authenticate with hardware security keys - ironically, the most security-conscious users who would benefit most from hardware 2FA.
Currently, these users must either:
Install Google Play Services (defeats the purpose of a degoogled device)
Use weaker 2FA methods like TOTP
Not use Bitwarden on their mobile device
Proposed Solution:
Implement the hwsecurity SDK as an alternative FIDO2 library.
This open-source SDK (GPLv3) provides:
FIDO2/WebAuthn over NFC and USB
No Google Play Services dependency
Works with YubiKey, SoloKey, Nitrokey, and other FIDO2 authenticators
Precedent
Nextcloud has already done this. Their Android app uses hwsecurity SDK successfully, allowing users on degoogled devices to authenticate with hardware keys. Reference: GitHub - nextcloud/android: 📱 Nextcloud Android app
Who Benefits
GrapheneOS users (rapidly growing privacy-focused community)
CalyxOS, LineageOS, /e/OS, and other custom ROM users
Users in regions where Google Play Services is unavailable
Enterprise/government users with degoogled device policies
Privacy-conscious users who avoid Google services
Related issues
opened 03:58AM - 31 Jan 23 UTC
closed 07:32PM - 20 Jun 24 UTC
bug
### Steps To Reproduce
1. Enable TOTP as a 2FA method on your Bitwarden account via the web vault
2. Add a FIDO2 hardware security key as an additional 2FA method on your Bitwarden account via the web vault
3. Download Bitwarden Android app
4. Launch app
5. Type in valid username and submit
6. Type in valid password and submit
7. Observe bug (see screenshot below)
### Expected Result
I would expect to be able to switch my 2FA method to TOTP, type in my TOTP code, and be signed in.
### Actual Result
A "validating" modal appears and stays until the app is quit. This modal blocks the ability to click the hamburger dot in the top right, therefore blocking the ability to swap over to a different 2FA method.
### Screenshots or Videos

(sorry for the poor quality, I had to take a picture of the screen with a different camera because Bitwarden blocks screenshots)
### Additional Context
This bug is occurring on GrapheneOS with no Google Play Services installed.
~Because there are no Google Play Services installed, and Bitwarden doesn't support FIDO2 hardware keys without depending on Google Play Services,~ I cannot use my FIDO2 hardware key as a 2FA method. However, because of this bug, I cannot switch to using any other 2FA method either (in this case, TOTP), meaning that I can't log into the app at all unless I remove my FIDO2 hardware key as a 2FA method, which downgrades my security.
### Operating System
Android
### Operating System Version
GrapheneOS Android 13 (No Google Play Services Installed)
### Device
Pixel 5a
### Build Version
2023.1.0 (5786)
### Beta
- [ ] Using a pre-release version of the application.
opened 08:56PM - 30 Dec 23 UTC
closed 07:28PM - 20 Jun 24 UTC
bug
### Steps To Reproduce
1. Configure BitWarden.com account to use FIDO2 on a Yubikey 5 as a second factor.
2. Install BitWarden from the F-Droid repository on a Pixel 6a running GrapheneOS with Google Play Services sandboxed.
3. Attempt to sign into a BitWarden.com vault using the BitWarden application.
4. When prompted, swipe your Yubikey over your phone's NFC reader.
### Expected Result
I expect to be signed into my BitWarden account :-)
### Actual Result
I'm not signed into my BitWarden account :-(
Instead, I get this error:
```
An error has occurred.
Please make sure your default browser supports WebAuthn and try again.
NotReadableError: An unknown error occurred while talking to the credential manager.
```
### Screenshots or Videos


### Additional Context
1. Google Play Services are installed and sandboxed.
2. I'm using the default Vanadium browser.
3. BitWarden was installed using F-Droid, *not* Google Play (the Google Play version has Microsoft telemetry enabled last I checked).
4. I think that I've enabled Storage Scopes for Google Play as mentioned here ( https://discuss.grapheneos.org/d/1274-how-to-use-fido2-security-keys/4 ).
5. I'm pretty sure that my BitWarden account is configured to use FIDO or FIDO2, not Yubico's proprietary Yubikey OTP service.
6. I contacted GrapheneOS about this issue, and I was told that it's probably an issue related to the BitWarden application in the F-Droid repository not implementing a FIDO2 library: https://github.com/GrapheneOS/os-issue-tracker/issues/2974
If the theory posited in item number 6 is correct, perhaps there should be a more descriptive error message to alert the user that the F-Droid version of BitWarden doesn't support FIDO2.
Thank you for your time and hard work!
P.S. I'm filling in the "Build Version" as "2023.12.0" since that's the version shown in F-Droid. I cannot check the version in the app since tapping the "Settings" button (circle with two dots in the upper right of the log-in page) results in a screen flicker but no menu.
### Operating System
Android
### Operating System Version
14
### Device
Pixel 6a
### Build Version
2023.12.0
### Beta
- [ ] Using a pre-release version of the application.
opened 01:06PM - 27 Feb 25 UTC
closed 03:42PM - 04 Dec 25 UTC
bug
app:password-manager
### Steps To Reproduce
1. Insert yubikey via USB-C.
2. Open the app
3. Enter email address and password. "Login with master password"
4. Page opens "Authenticate WebAuthn...Continue to complete WebAuthn verification".
5. Click "Launch WebAuthn"
6. Default browser opens vault.bitwarden.com with FIDO2 WebAuthn. Click "Authenticate WebAuthn".
7. Google Passkeys prompt opens. It says "There aren't any passkeys for vault.bitwarden.com on this device" (this is expected). Click "Use a different device".
8. If yubikey is connected in the USB-C port, simply touch the yubikey. Otherwise click "NFC security key" and touch the back of the phone with yubikey.
9. I get switched back to the app, error: "An error has occurred. Two-step token is invalid. Try again."
### Expected Result
I expect to be logged in as soon as I authenticate with my yubikey.
### Actual Result
Error "An error has occurred. Two-step token is invalid. Try again."
### Screenshots or Videos
_No response_
### Additional Context
Issue occurs with F-Droid and Google Playstore (via Aurora Store) builds, and with Vanadium browser and Brave browser. Javascript JIT is enabled.
I'm able to login using the same yubikey on desktop.
Passkey integration over the last few years has negatively impacted the flow for hardware keys. It used to be possible to login with your hardware keys without the Google stack being involved at all - I didn't need to even install Google Services Framework. But ever since Passkeys were introduced, I've experienced nothing but problems when using my hardware keys, more especially on Android but desktop too.
I looked at similar issues on the bitwarden community forum. My phone's time is synced properly, I've rebooted my phone, and no other devices are logged into my account. None of my yubikeys are marked "Migrated from FIDO" under Settings → Security → Two-step login → FIDO2 WebAuthn → "Manage". I last successfully logged into Bitwarden with this phone in June 2024 (I rarely login to this account).
### Build Version
2025.1.2
### What server are you connecting to?
US
### Self-host Server Version
_No response_
### Environment Details
Pixel 7, Android 15.
GrapheneOS build 2025021100 using secondary profile.
### Issue Tracking Info
- [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.