I use a Yubico key (several actually) to allow a second factor for when I log on to Bitwarden. One of the keys has a firmware which allows me to look at the credentials stored on the key with the command
ykman fido credentials list
and this shows only credentials for my logon to Microsoft (RP ID login.microsoft.com) and nothing for Bitwarden
Does the method of registering a FIDO2/WebAuthn key in Bitwarden not require a credential to be stored on the key itself?
Apologies if this is a noob question. My understanding of FIDO2 in general isn’t great (other than it’s a good thing )
Thanks for looking
How do you have a Yubikey which has additional firmware on it? You can’t even update the default firmware to its newest iteration on a Yubikey for security.
I assume you have registered your Yubikey under WebAuthn and not on Yubikey OTP in the BW 2FA settings?
It is quite possible.
I have 4 Yubikeys, I’m a huge GPG user (yubikeys make an excellent OpenPGP card)
Each of my yubikeys has a different firmware revision.
You’re correct in that the firmware can’t be updated but Yubico are developing it and ship later keys with later firmare revision.
Earlier firmware didn’t let you see the FIDO credentials. OP must have a newish key.
I have 3 Yubico keys and 1 Security Key. 1 of the keys - Yubikey 5 NFC - comes with Firmware 5.2.4 which allows you to see the credentials. None of the others do and give a
ERROR: Authenticator does not support Credential Management
message when you try and view credentials.
Yes, each key is registered under WebAuthn only.
Thinking aloud, I suppose the credentials I see on the key are for ‘true’ passwordless logon to Microsoft, whereas the logon to Bitwarden isn’t passwordless (still have to provide email and either master password or ‘sign in on device’ and only then does it ask for the key for WebAuthn). Maybe the HWID of the key alone is all BitWarden is after?
I don’t have any credentials for BW on my key either and I just used it to login to BW so this issue is not affecting only you.
So I just registered my key with the test site WebAuthn.io which one would assume is implemented very well and that doesn’t store any credentials on the key either.
I thought the credentials were the public key of the site you are registering with. If the key doesn’t save credentials, then how does it know it is authenticating with the correct site?
Same here DoctorB. Just did same test.
That test actually says “You just logged in using Web Authentication. Instead of using a traditional, shared-key password, you used a piece of secure hardware to create a strong, attested, and scoped credential that is virtually unphishable!”
So it mentions a credential.
And unlike BitWarden I can ‘passwordlessly’ logon to that site once registered.
The mystery deepens
Under PIV > Credentials? I have a later firmware version than yours on my keys. If this is where you are looking, my keys also contain no credentials even though I use WebAuthn on a few sites.
That site also successfully authenticated me and no credentials were visibly stored.
Although the command is now slightly different, just follow this video to see the stored credentials.
I wonder if it’s U2F as per
" Credential Management
Credential Management allows the WebAuthn Client to display the credentials that reside on the YubiKey with firmware 5.2.3 and above so that the user can act upon them. The client can display each credential’s relying party information and credential descriptor, as well as the number of discoverable credentials on the authenticator. Credential management does not have the capability to display non-discoverable keys (including U2F based credentials) as that information is not stored on the authenticator in any fashion."
Thanks. I will hunt down a Mac version of this and check.
After a bit of digging, I found an article to shine some light.
It is fine to use WebAuthn without storing a credential on the key if you are using it for 2FA and so BitWarden register your key with the
requireResidentKey property set to false. This means BW do not store a credential on your key but it is still WebAuthn.
If you want 1FA (just the key with no username) which BW do not support yet then
requireResidentKey property will need to be set to true and then a credential WILL be stored on your yubikey. This must be what Microsoft are doing.
Good find. Every day is a school day as they say.