Support more than 5 FIDO2/WebAuthn keys for 2FA

Currently up to 5 FIDO U2F keys may be added. It would be awesome to allow some more. I don’t want to go into details but I myself have 8 keys and when rotating them (replacing with new) it may temporarily be up to 10 keys. It would be great if you could add support for some more keys.

3 Likes

Bump for reply?

Edited the topic to reflect the ‘count’ instead of seeming like we needed to support more ‘types’ of keys 👍

1 Like

Is it possible to increase Yubikey U2F and/or OTP slots beyond 5?

Anecdotally, I think other Yubikey-protected services (Google, Facebook, GitHub) do not have a slot limit. (They also seem to bundle U2F and OTP together, but that’s a discussion for another day).

I’ve seen “Increase YubiKey slots from 3 to 5 · Issue #135 · bitwarden/server · GitHub”, but it leads to a dead forum link. What was the rationale for limiting to 5 slots?

1 Like

Hi,
Would it be possible to allow a user to register more than 5 FIDO2 keys for the account?

FIDO2 authenticators can be cross-platform (e.g. Yubikey) and platform (e.g. TPM, etc.). With multiple devices and a few security keys you can easily max out the available slots.

2 Likes

As a user with 2 YubiKeys, 5 standalone WebAuthn-supporting keys, and 3 WebAuthn-supporting devices, I require more than 5 WebAuthn key slots.

10 slots sounds fair.

1 Like

Still very much needed. I agree with the others, 10 sounds like a good number. If a limit at all, I don’t see the need for one. Storage doesn’t seem to be a problem if users can add unlimited vault items.

I personally have a couple of WebAuthn keys at my residence. Then, I have more scattered across different family members’ residences.

A limit increase becomes even more necessary for those without NFC on their phones. My immediate family all have Motorola phones released after 2020 that don’t support NFC. So, my family has to have a couple USB C WebAuthn keys, and a couple USB A WebAuthn keys. You can see how the requirement for more than five keys is quickly surpassed in scenarios like these.

1 Like

Adding my support for this. The 5 key limitation is limiting and seems like it wouldn’t take all that much to expand it.

thank you @wendor @wnelson03 @AlCar! we appreciate you sharing this feedback. as security keys become more popular it may make sense to look at this further

Allowing the user to register 10 FIDO2 credentials (passkeys or device-bound credentials) seems to be the standard.

This is impacting me as well - I have a few different laptops / desktops + phone at work/home and I would like them all to be registered plus a couple spare keys ideally. But sadly I need to pick only a few given the limit of 5 keys.

@gtran are there any plans to increase the limit? Now that WebAuthn is included in the free subscription, it makes sense to extend the limit for the paid subscription.

Maybe reduce the limit for free subscription to 2 keys, just enough to have 1 backup. And then increase the limit for the paid subscription to 10 keys.

Thank you for your time! I look forward to hearing back about this.

@go12 any updates considering now that WebAuthn has been brought to free users?

Seems that the limit for free & paid users should be more distant to make the paid plan more enticing.

Big +1 for this.

I have 4 yubikeys (2x primary, backup, and off-site), and now need to choose between setting my primary laptop as a device, or my phone. Very frustrating. A larger device limit would be incredibly helpful.

I’ve edited the topic title (was: “Support more than 5 U2F keys”) to clarify two potential sources of confusion:

  • U2F is now deprecated, and replaced by the FIDO2/WebAuthn protocol.

  • Bitwarden can now (as of 2023.4.0) use FIDO2 keys both for two-step login (2FA) and for passwordless login (passkeys). This thread is strictly about increasing the number of keys that can be registered for 2FA. It turns out that with the new passkey login feature, the number of passkeys that Bitwarden can register for passwordless login is also limited to 5 keys; however, if anybody wants to propose that this limit (for login passkeys) should be increased, a separate feature request thread should be started.

Thanks. Yes I think that limit should be increased on both: two-step login (2FA) and for passwordless login (passkeys). At least a clarification why that limitation was implemented would be great since it seems rather artificial / random. I created a new topic for the suggested increase of passkeys here.

1 Like