th6mas
(Thomas)
December 1, 2024, 11:15am
41
I agree. However, a certain redundancy in IT has always helped me: e.g. if a key needs resetting, it is good to have another working one to keep.
th6mas
(Thomas)
December 27, 2024, 11:56am
42
It is a shame that I am not able to register the two new Google Titan hardware keys (Xmas present) for FIDO2 2FA with Bitwarden. If only that upper limit of a maximum of 5 keys were raised to e.g. 10, it would not always be on our minds.
Allow users to register more than 5 WebAuthn authenticators.
As of now we can add platform authenticators (Windows Hello, Touch ID, etc.) to Bitwarden; if the user has multiple physical authenticators plus multiple devices, the 5 WebAuthn slots will be used up quickly, so it is time to set the WebAuthn device limit to unlimited.
1 Like
Person
September 5, 2021, 6:16am
44
I totally agree. I don't really see the point in having a limit on the number of WebAuthn authenticators that we can use.
2 Likes
s_c
(s c)
March 17, 2022, 4:07pm
45
leak if you're ever attacked via man in the middle etc. it will come back to haunt you. It is highly in your interest to get folks on the most secure authorization mechanism and make it ea
Checking back again. Can we not just increment the number from 5 to 10? Why don't you look at it this way → the complexity to make this fix is low, and you make customers happy. Again, I pay; can you do this? I'd like to use my Mac … iTouch, iPad Face ID, Linux and my Windows computer fingerprint and YubiKey. They all have different 2FA mechanisms built in. I'm a dev with a ton of computers. It's still a limitation in my view. I can't fathom why we limit it to 5. Who these days doesn't have a different computer in each room?
The first post perfectly captures the issue.
Another thing I can offer: I'm recalling this is open source, which is why I signed up for Bitwarden originally. I wonder if I push a PR whether you'd approve it? What I'd love to do is make this a user-driven setting.
1 Like
I think this is getting quite important especially as Windows Hello / Fingerprints / TPMs are all valid WebAuthn keys nowadays.
Personally, I have set up 2 physical FIDO2 tokens, a mobile phone, a desktop and a laptop. This firmly takes up all 5 slots available, and I'd be in an awkward situation if I got another phone or computer.
1 Like
I merged a "duplicate" Feature Request (FR) into this existing one. I put the posts "en bloc" at the end of this FR to maintain the consistency of this exchange.
Thereby, I adapted the title of this FR to the currently used terminology (before, the title was "Support more than 5 FIDO2/WebAuthn keys for 2FA").
1 Like
Something is going on here now…
main ← auth/pm-20109/increase-2fa-webauthn-security-key-limit
opened 02:01PM - 18 Dec 25 UTC
## 🎟️ Tracking
[PM-20109](https://bitwarden.atlassian.net/browse/PM-20109)
…
🔗 This coordinates with `server` PR [6751](https://github.com/bitwarden/server/pull/6751)
## 📔 Objective
Update WebAuthn 2FA configuration component to:
- Be unaware of credential limits (configurable at the server).
- Show _n_ number of configured credentials in the dialog.
- Use translation key `unnamedKey` ("Unnamed key") for keys saved without being given a name during creation.
- No longer show un-configured credential slots in the dialog.
Previously, credentials were bound to a limit of 5 by both the client and server, and the collection IDs of keys were validated to be an integer <= 5. As this limit is increasing and becoming configurable, the client will use a gap-filling strategy to assign collection IDs at creation time. This will prevent unbounded growth of collection IDs over time.
## 📸 Screenshots
📓 Credential limits have been set locally to lower values (1 or 2, case-dependent) in order to illustrate these cases.
### Limit Exceeded
When a user at their credential limit attempts to register a new credential, boundary checking will provide an error.
https://github.com/user-attachments/assets/40efb83c-3449-4153-95f5-f59e0412d71f
### All Registered Credentials Function
When a user is in a state where they have more credentials registered than are allowed, they cannot register additional credentials, but all registered credentials continue to function for 2FA.
https://github.com/user-attachments/assets/bd63149a-498d-4867-ab81-414653cf322d
### All Registered Credentials Are Removable
When a user is in a state where they have more credentials registered than are allowed, including _n + 2_ states where removing a single credential would still be above the allowed limit, any credential can be removed.
https://github.com/user-attachments/assets/68617ae7-6329-4e16-ac97-bcd19f8dda5a
## ⏰ Reminders before review
- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
## 🦮 Reviewer guidelines
- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes
[PM-20109]: https://bitwarden.atlassian.net/browse/PM-20109?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
main ← auth/pm-20109/increase-2fa-webauthn-security-key-limit
opened 01:52PM - 18 Dec 25 UTC
## 🎟️ Tracking
[PM-20109](https://bitwarden.atlassian.net/browse/PM-20109)
…
🔗 This coordinates with `clients` PR [18040](https://github.com/bitwarden/clients/pull/18040)
## 📔 Objective
- Refactor WebAuthn credential limit for 2FA to be configurable.
- _Default_ configurations are supplied at design time: 10 for premium, 5 for non-premium.
- `GlobalSettings.WebAuthn` can also be used to override these defaults.
- Introduce boundary and persistence-time validation of credential limits, allowing the client to be made unaware of limits.
- Scope of work involves updating the `UserService`; test cases are added.
## 📸 Screenshots
### Limit Exceeded
When a user at their credential limit attempts to register a new credential, boundary checking will provide an error.
🪪 Max credentials configured for current user: **2**.
https://github.com/user-attachments/assets/40efb83c-3449-4153-95f5-f59e0412d71f
### All Registered Credentials Function
When a user is in a state where they have more credentials registered than are allowed, they cannot register additional credentials, but all registered credentials continue to function for 2FA.
🪪 Max credentials configured for current user type: **2**.
🪪 Number of credentials currently configured for user: **3**.
1. A max of 3 was configured.
2. User set a third credential.
3. Max was lowered to 2.
4. User is able to log in successfully.
https://github.com/user-attachments/assets/bd63149a-498d-4867-ab81-414653cf322d
### All Registered Credentials Are Removable
When a user is in a state where they have more credentials registered than are allowed, including _n + 2_ states where removing a single credential would still be above the allowed limit, any credential can be removed.
🪪 Max credentials configured for current user type: **1**.
https://github.com/user-attachments/assets/68617ae7-6329-4e16-ac97-bcd19f8dda5a
1 Like
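The two PR descriptions above lay out the intended behaviour in prose: registration is refused at the boundary once the user holds as many credentials as the (now configurable) limit allows, collection IDs are assigned by gap-filling so they do not grow without bound, every registered key keeps working for 2FA even when the limit was later lowered below the current count, and any key can be removed in that over-limit state. The TypeScript below is an added example written for this thread, not code from the Bitwarden `clients` or `server` repositories; `WebAuthnCredentialStore`, `nextFreeId`, `register`, `remove`, `isUsableFor2fa` and the `limit` parameter are hypothetical names, the limit is passed in by the caller as a stand-in for the server-side configuration, and the credentials in `demo()` are constructed sample data.

```typescript
// Added example (not Bitwarden's own code): a model of the WebAuthn 2FA
// credential-slot behaviour described in the PR summaries. All names here are
// hypothetical; the limit is supplied by the caller, standing in for the
// server-side configurable value (10 premium / 5 non-premium on the page).

interface Credential {
  id: number;   // the "collection ID" the client PR refers to
  name: string; // user-chosen name, or a placeholder for unnamed keys
}

// Display text the client PR says it uses for keys saved without a name.
const UNNAMED_KEY = "Unnamed key";

class WebAuthnCredentialStore {
  private readonly credentials = new Map<number, string>();

  constructor(initial: Credential[] = []) {
    for (const c of initial) this.credentials.set(c.id, c.name);
  }

  // Gap-filling ID assignment: reuse the smallest positive integer not in
  // use, so IDs never grow without bound as keys are added and removed.
  nextFreeId(): number {
    let id = 1;
    while (this.credentials.has(id)) id++;
    return id;
  }

  // Boundary check at registration time: refuse when the user already holds
  // `limit` or more credentials. This runs before anything is persisted.
  register(name: string | undefined, limit: number): Credential {
    if (this.credentials.size >= limit) {
      throw new Error(`credential limit of ${limit} reached`);
    }
    const id = this.nextFreeId();
    const resolved = name && name.trim().length > 0 ? name : UNNAMED_KEY;
    this.credentials.set(id, resolved);
    return { id, name: resolved };
  }

  // Removal is allowed regardless of the limit, including when the user is
  // two or more over it (the "n + 2" case in the PR).
  remove(id: number): boolean {
    return this.credentials.delete(id);
  }

  // Every registered credential keeps working for 2FA even when the user is
  // above the limit (e.g. after the limit was lowered).
  isUsableFor2fa(id: number): boolean {
    return this.credentials.has(id);
  }

  // Only configured slots are listed; no empty placeholder slots are shown.
  list(): Credential[] {
    return [...this.credentials.entries()]
      .sort((a, b) => a[0] - b[0])
      .map(([id, name]) => ({ id, name }));
  }

  get count(): number {
    return this.credentials.size;
  }
}

// Walks through the three screenshot scenarios with constructed data.
function demo(): { overLimitLogin: boolean; rejected: boolean; afterRemoval: number; reusedId: number } {
  const store = new WebAuthnCredentialStore();
  const limit3 = 3;
  store.register("YubiKey", limit3);
  store.register("Titan", limit3);
  store.register(undefined, limit3); // stored as "Unnamed key", id 3

  // Limit lowered to 2 while the user still has 3: login with any key works.
  const limit2 = 2;
  const overLimitLogin = store.isUsableFor2fa(3);

  // Registration now fails at the boundary ...
  let rejected = false;
  try {
    store.register("Phone", limit2);
  } catch {
    rejected = true;
  }

  // ... but removal still succeeds, and a freed id is reused later.
  store.remove(2);
  const afterRemoval = store.count; // 2 (ids 1 and 3 remain)
  store.remove(1);
  const reusedId = store.register("Laptop", limit2).id; // gap-filling picks 1

  return { overLimitLogin, rejected, afterRemoval, reusedId };
}
```

The check in `register` is deliberately the only place the limit is consulted: authentication and removal never read it, which is what keeps a user who was pushed over the limit by a configuration change able to both log in and clean up their keys rather than being locked out.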
dwbit
March 6, 2026, 8:23pm
49
This is now available for premium accounts:
Up to 10 hardware security keys, Yubico OTP, Duo, Email, Authentication app
2 Likes