Token2 Fido2 Key Android 14 Issue

secureblue · September 15, 2025, 5:56pm

I have a Token2 FIDO2 key that I have setup as my 2FA device.

It works on my Android 15 phone no problem, also works on Windows webvault and Bitwarden Windows application.

I have an Android 14 Xiaomi Pad 6 tablet that I can’t get it to work on.

Select webauthn
Takes me to the sign in site
connect it via USBC
Push the button to activate
Sometimes it takes me back to the login page which just says authenticate to continue
No errors repeat the same process nothing happens.

Any ideas?

mmja · September 16, 2025, 11:31am

Interesting, I have similiar issue with iPhone and Bitwarden, but mine keeps asking for Yubikey PIN.

Check this thread:

Nail1684 · September 16, 2025, 11:53am

@secureblue Welcome to the forum!

Could you specify those two steps a bit? You are talking about the Bitwarden mobile app, and “select webauthn” means, after you typed in your email and master password? – Or do you try to log in to the web vault on your tablet?

secureblue · September 16, 2025, 12:43pm

I am using the Bitwarden latest app from the play store. I’ve tried uninstall clearing storage cache, reinstalling, rebooting etc.

When opening the Bitwarden App, I first enter my username, master password select my Bitwarden server location and login. Then it takes me to the 2FA webuauthn process.

I have contacted Token2 and they’ve given some suggestions I’ll work my way through later.

Here are a few suggestions that might help resolve or narrow down the issue:

1. Confirm USB Permissions

When you plug in the security key via USB-C, make sure the tablet is granting the correct USB permissions.

2. Browser Compatibility

Bitwarden WebAuthn support often works best in Chrome or Firefox on Android. If you’re using a different browser (e.g., the default Xiaomi browser), try switching.

3. USB OTG Settings

Ensure that USB OTG (On-The-Go) is enabled on the tablet, if applicable. Some Xiaomi/Android devices disable it by default or turn it off to save battery

5. Android WebAuthn Bug

You’re correct that this could be an Android 14 or Xiaomi-specific issue. There have been reports across various forums of WebAuthn not fully working via USB on some Android 14 builds, especially with custom UI overlays like MIUI/HyperOS.

6. Test on Another Android 14 Device

If possible, try your Token2 key on a different Android 14 device to see if the issue is with Android 14 in general or just the Xiaomi Pad 6.

Have also contacted Xiaomi which is probably the root cause.

Nail1684 · September 16, 2025, 1:36pm

Hm. There are two open issues on GitHub, that have a similar “topic”:

github.com/bitwarden/android

Webauthn 2FA not working in Android app

opened 03:04PM - 09 Apr 25 UTC

GuidoCHLM

bug app:password-manager bug-passkey

### Steps To Reproduce 1. Provide Master Password and Login 2. For 2FA select w…ebauthn 3. Choose NFC device to get key (Yubikey 5C in my case) 4. Place the NFC key on the back on the phone 5. Continue to auth 2FA 6. You get an error "An error has occurred" Bitwarden: 2025.3.0 Android 14 Device Oneplus 9 Pro Same Yubikey works perfectly fine for 2FA webauthn on Windows client ### Expected Result Webauthn 2FA working on Android device ![Image](https://github.com/user-attachments/assets/8f76b756-2a9b-4cb5-869d-e30af332ff20) ### Actual Result Webauthn 2FA not working on latest Android client ### Screenshots or Videos _No response_ ### Additional Context _No response_ ### Build Version 2025.3.0 ### What server are you connecting to? US ### Self-host Server Version _No response_ ### Environment Details _No response_ ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

github.com/bitwarden/android

Can't login, unable to authenticate yubikey: "An error has occurred. Two-step token is invalid. Try again."

opened 01:06PM - 27 Feb 25 UTC

Opening-Button-8988

bug app:password-manager

### Steps To Reproduce 1. Insert yubikey via USB-C. 2. Open the app 3. Enter em…ail address and password. "Login with master password" 4. Page opens "Authenticate WebAuthn...Continue to complete WebAuthn verification". 5. Click "Launch WebAuthn" 6. Default browser opens vault.bitwarden.com with FIDO2 WebAuthn. Click "Authenticate WebAuthn". 7. Google Passkeys prompt opens. It says "There aren't any passkeys for vault.bitwarden.com on this device" (this is expected). Click "Use a different device". 8. If yubikey is connected in the USB-C port, simply touch the yubikey. Otherwise click "NFC security key" and touch the back of the phone with yubikey. 9. I get switched back to the app, error: "An error has occurred. Two-step token is invalid. Try again." ### Expected Result I expect to be logged in as soon as I authenticate with my yubikey. ### Actual Result Error "An error has occurred. Two-step token is invalid. Try again." ### Screenshots or Videos _No response_ ### Additional Context Issue occurs with F-Droid and Google Playstore (via Aurora Store) builds, and with Vanadium browser and Brave browser. Javascript JIT is enabled. I'm able to login using the same yubikey on desktop. Passkey integration over the last few years has negatively impacted the flow for hardware keys. It used to be possible to login with your hardware keys without the Google stack being involved at all - I didn't need to even install Google Services Framework. But ever since Passkeys were introduced, I've experienced nothing but problems when using my hardware keys, more especially on Android but desktop too. I looked at similar issues on the bitwarden community forum. My phone's time is synced properly, I've rebooted my phone, and no other devices are logged into my account. None of my yubikeys are marked "Migrated from FIDO" under Settings → Security → Two-step login → FIDO2 WebAuthn → “Manage”. I last successfully logged into Bitwarden with this phone in June 2024 (I rarely login to this account). ### Build Version 2025.1.2 ### What server are you connecting to? US ### Self-host Server Version _No response_ ### Environment Details Pixel 7, Android 15. GrapheneOS build 2025021100 using secondary profile. ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

You might join in there - of if your issue is different, you might consider opening a bug report on GitHub yourself (“New issue”): GitHub · Where software is built

lenkiatleong · January 28, 2026, 1:30pm

Hi Secureblue,
I’m sorry to hijack your post here. But i’m desperate to know how you managed to get your Token2 key to work as 2FA on the Windows webvault.
I tried to configure my Token2 keys using Brave with protection off, Edge and Chrome. I can create the passkeys but when i try to login using the Token2 as 2FA method or security key method, both failed as soon as i touch the Token2.
What have you done right?

secureblue · January 28, 2026, 2:07pm

Are you sure you are creating a 2FA method of decrypting your vault?

There are passkeys used as a hardware way of opening your vault used instead of a password. I haven’t been able to get that working yet, I’ve tried a few times but gave up. When I last tried it was still in Beta, so didn’t try too much.

Then there are 2FA methods under a different section Settings → Security → Two-step login

I used Edge to setup my Token2 key as 2FA. When you add it it defaults to trying to setup a Windows key at which point I clicked cancel. Then I was presented witha another popup to select my security Token2 key instead. Then it asks you to touch the key to confirm setting it up.

lenkiatleong · January 28, 2026, 11:21pm

Dear secureblue,
Thank you for your reply.

Setting up security key from master password page: Yes. I managed to set Token2 key from here but i got error with Set Up Encrypt. However, when i login the web vault from Brave browser, click using Passkey, the Token2 key works after the touch and popped up the master password window. I still have to enter the master password using this method.
Setting up security key from 2FA: Yes. I did the same as you, i.e., cancel the first hello pop up for pin and another pop up appear where i entered the key pin. Configuration was ok.
But when i login using master password first, the 2FA popped up and told me to touch the key. After touching the key, a window popped up asking for the key pin but was very quickly hidden by the touch the key window again. I could not enter the key pin.
So, i switch from Brave to Edge and reconfigure the Token2. And this time it behaved differently. After passing the master password, it asked for the hello pin and successfully entered without my Token2 inserted. This is clearly wrong.
I removed the hello pin and reconfigure Token2 again as 2FA. This time, it told me to touch the key. After touching the key, an error message popped up to say that “This security key doesn’t look familiar. Please use another one.”.

I wonder what mistake have i done during the setup.

Thanks.

Nail1684 · January 28, 2026, 11:29pm

@lenkiatleong Welcome to the forum!

What OS are you using (including the version)?

I guess, you’re experiencing a variant of this bug:

github.com/bitwarden/clients

macOS Desktop: WebAuthn "Authentication cancelled" error when Security Key PIN is required

opened 03:31AM - 17 Dec 25 UTC

Vafa-Andalibi

bug desktop

### Steps To Reproduce - Use a FIDO2 Security Key with a **PIN enabled** (User …Verification required). - Ensure a Bitwarden account is configured with Passkey as the primary 2FA method. - Open the Bitwarden macOS Desktop Application. - Enter the primary login credentials (email and master password). - The application displays the "Passkey" prompt for 2FA. - Insert the FIDO2 security key into the Mac's USB port. - Click "Continue" or interact with the prompt to begin the key authentication process. - Tap/touch the security key when prompted by the system. ### Expected Result The Bitwarden macOS client should successfully communicate with the FIDO2 security key, complete the Passkey verification, and log the user into the vault. ### Actual Result After following the steps above, the system may briefly show the security key interaction prompt, but the Bitwarden client immediately displays an error message overlay: > An error has occurred. The authentication was cancelled or took too long. Please try again. ### Screenshots or Videos <img width="588" height="232" alt="Image" src="https://github.com/user-attachments/assets/55f7ddb1-4426-4d7e-b418-e75b1681b3b9" /> ### Additional Context Successful Logins: Authentication via Passkey/FIDO2 works perfectly on: * Bitwarden Web Vault (on the same macOS machine, using the same security key). * Bitwarden Android client. ### Operating System macOS ### Operating System Version macOS Sequoia 15.7.2, also tried on Sonoma ### Installation method Direct Download (from bitwarden.com) ### Build Version 2025.12.0 ### Issue Tracking Info - [x] I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

(and if you agree, you could add your details there)

lenkiatleong · February 5, 2026, 6:05am

Dear Nail1684,

Thank you for your reply. I did not get notification that you have post a reply here. Sorry for this late reply.
After contacting Token2 supportline, they solved both my problems using Token2 as Biwarden’s 2FA and “passwordless” login.
Token2 as 2FA:
I have to disable always_uv using Token2 companion app. This is Enabled by default. It requires Bitwarden verify the user by asking for the pin. However, the authentication by Bitwarden could not get pass this requirement. That’s why it keeps looping asking user to touch the security key. So, by disabling always_uv, Bitwarden managed to authenticate the Token2 key. Solved.

Token2 as passwordless:
I configured Token2 key into Bitwarden from the master password tab, login as passkey. I faced a problem, i.e., i could not get pass the “set up encryption” as shown below.
The reason is, i’m still using Windows 10 which was known to have probme with PRF. Only Windows 11 OS support PRF and Token2 should be able to set up the encryption in order to enjoy a full passwordless login, i.e., using Token2 key to authenticate and to decrypt the vaults.
So, this is still my problem and i have to upgrade my PC to Windows 11.

In sum, I’m super happy to be able to use Token2 keys as the 2FA and as passkeys to login into Bitwarden (partially because still need to enter the master pass after touching the key). Couldn’t have done so without the amazing support from Token2 supportline.

Thanks.
/Len

Nail1684 · February 6, 2026, 3:16pm

@lenkiatleong Thanks for your comprehensive update!

I just learned, that Token2 updated an info about that on this page of theirs:

Yes, you’re right – Windows 10 doesn’t support PRF, but Windows 11 does. The Bitwarden Help Sites are a bit too vague about this, IMHO, when they say “Additionally, Windows 10 is known to have issues with PRF-capable passkeys.”, as I never was able to create a new PRF-passkey or use an existing PRF-passkey on an older Windows 10 laptop…

Thanks again for your update!

PS: Regarding the Android app… if the Android app currently can’t handle always_uv enabled on security keys, then this should be reported as a bug on GitHub by someone, eventually.