I have tried using WebAuthn 2FA with Yubikey 5 usb-c NFC hardware key, on a iPhone X, on the Bitwarden App (not on a web browser). I cannot seem to get it to work using NFC. This is supported?
I think perhaps on new iPhone’s like 12, 13, 14 it will work. Can someone verify this does or does not work? Thanks!
Yubikey 5 NFC works good with webauthn/fidio2 with iPhone 11. Tryed to use it as just a yubikey, when I did that the nfc reader didn’t get triggered and started looking, even though it said it was looking.
After I began to use FIDO2 I haven’t had that same problem and works like a charm every time.
as I can se for me it works with and older iPhone like 11. So there is that yubikey only that don’t work. If I use FIDO2 it works.
Also if you use FIDO2 you can even use your iPhone as a Fido key, be aware that is a security risk, since everything is on that phone. So it will be your phone security that determines it safety.
It works well. If you have an issue, upgrade to iOS 16.3 and then remove and re-add your Yubikey.
I think I was on iOS 16.1, Bitwarden App (not the web site on Chrome or Safari) would not read my Yubikey 5 usb-C NFC, via NFC. I though it may be the iPhone X. It seems that Apple slowly added support for reading NFC to it.
I’m pretty sure it would work if I was using Chrome or Safari on the Bitwarden web site. I just want to use the standalone Bitwarden App.
Btw, what happens if I don’t have internet access? Would Bitwarden with either TOTP 2FA or U2F/Fido2 work? I’m guessing no.
I’m a pretty poor student in college and don’t want to spend $10 to upgrade Bitwarden unless I know it works.
Thanks!
Thanks for the feedback! But I need verification on a iPhone X.
I don’t know about iPhone X, but I can’t get it to work on iPhone 7. There is some years between 7 and X so I suppose it should work. But I can’t confirm that.
Be sure to upgrade to iOS 16.3 first. Apple’s Yubikey NFC implementation was broken for some sites (Google) for many months. Apple introduced security keys for their own service with 16.3 and it seems to have fixed the other issues. But, remove and re-add keys after upgrading to 16.3. You will need to just test iPhone 7 through iPhone X. I have never had any issues with NFC and Bitwarden.
By the way, make sure to add your hardware keys to the WebAuthn section under 2FA. This will work for most Bitwarden apps. However, it won’t work for the Mac desktop app so you will also need to add the keys to the Yubikey OTP section so you have fallback. Always save a printed copy of your 2FA Recovery Code, of course, in case you run into trouble. And always keep a backup key stored safely somewhere. If you are really worried about NFC you can always use TOTP codes as fallback.
222 Number Six,
Thank you for the response. I will try with iOS 16.3.
I don’t usually use the Mac Desktop application, just the browser extensions on Mac. So WebAuthn doesn’t work with the Desktop application?
In addition to the Fido2 WebAuthn 2FA, I can also use Yubikey OTP 2FA, that is both can exist at the same time as 2FA?
IS Yubikey OTP safer than standard TOTP? TOTP is just a hash of a fixed secret key and a time value (with a resolution of 30 seconds). At each new (or older) 30 seconds, a new hash value can be calculated. Yubikey OTP talks to yubikey servers first right? Not alot of applications use Yubikey OTP.
As security is only as strong as the weakest link, I will probably not use the OTP variants. I think Bitwarden with TOTP (eg via it’s web page URL) can be phished. I’ll just not use Mac Desktop and use browser extension on a Mac.
Thank you for the response.
Yes, you can use Yubikey OTP and Yubikey WebAuthn at the same time. It’s not clear in the 2FA settings and you need to set them up separately. If WebAuthn is then available, you’ll be served that option. If it’s not, it will fall back to Yubikey OTP, as that is considered weaker than WebAuthn. The Mac desktop doesn’t do WebAuthn but the website, iOS app, and browser extensions do. Third down in the safety chain is TOTP. It’s not considered as strong as Yubikey OTP as Yubi is a separate hardware key. But, frankly, they are all very good for most users.
As long as you have your 2FA recovery code printed and stored safely offline, you should be fine as you can always disable it if you lose your 2FA. You will also need at least two Yubikeys. I do not recommend setting up security keys if you don’t have a backup. But, if you only have one, I would personally also set up TOTP. You don’t want to lock yourself out of your own vault.