WebAuthn/FIDO Authentication Glitch With Latest Android App Update

I have the latest Android app that supports FIDO2! Woohoo! I’ve been excited to receive this feature as well as have many others. Thank you.

However… there’s a minor glitch that, I’ve determined, comes down to timing.

Here’s the login flow I experience on the Android BitWarden app using WebAuthn with a Yubikey 5c via USB.

  1. I enter my username and password.
  2. Tap the blue “Authenticate WebAuthn” button.
  3. Tap the blue “Get started” button.
  4. Tap “Use security key with USB.”
  5. Prompt comes up asking to “Allow Google Play Services to access Yubikey OTP+FIDO+CCID?” Tap OK. (This doesn’t always pop up; probably outside of BitWarden’s control.)
  6. Tap gold plate on Yubikey.

Now this is where the glitch happens… Normally, I should now be logged into BitWarden, but depending on how quickly I tap the Yubikey in step 6 I might be kicked back to step 2 and potentially inserted into an endless loop, never to be logged in.

After tapping “Use security key with USB” there is a tone played. If I tap my Yubikey after this brief tone has played, I always go back to step 2 to enter the loop again. I’ve tested this and I got up to nearly 10 loops before performing the other timing option. The other timing option is to tap the Yubikey immediately after tapping “Use security key with USB,” before or at the very start of the tone. This method will immediately log in to BitWarden, seemingly without fail.

I’ve confirmed with at least one other Reddit user here that there is a bug with the implementation of USB keys that doesn’t seem to be present when trying to utilize NFC.

When I very first tried logging into BitWarden (excitedly) using the WebAuthn updated app I thought it was broken, but then I tried again and it worked. Tried again and the same thing happened: went back to step 2. It’s a loop. I tried my Samsung phone; same thing. Posted on Reddit, found someone else that could duplicate the issue. Continued tinkering and discovered that it’s all about the timing.

So if you have a FIDO2 USB security key and the updated Android app that now supports it, please experiment with it and let me know how it goes. Take a real slow, long pause before tapping the key… Do you enter the loop? Back on step 2? Tap the key immediately after selecting “Use security key with USB.” It should log you on no problem. Did it? Experiment with timing. If I tap the Yubikey immediately it always logs me in. Otherwise, loop.

There seems to be a timeout glitch of some form or function. I would really like to see WebAuthn for Android fully polished and I’d be a happy guy. :grinning:

Thanks for the help! And I hope I make sense.

Same problem here. Most of the time, I get in the endless loop you describe. However, if I am quick and hit the Yubikey contacts immediately, sometimes I get the authentication process to kick in.

I have another problem though: authentication then fails with “An error has occurred. 2-step token is invalid”.

I’ll try re-registering my Yubikey and see if that fixes it.

EDIT: That fixed the authentication failure. The infinite loop problem remains.

Thanks for confirming that the endless authentication loop is there for you as well. That’s at least three of us who have confirmed it. I’m new here and if we actually want this to be fixed I’m not sure where to post it. In the meantime it’s working decent enough if I just remember to tap quickly.

Thanks everyone for continuing the conversation! We have an open item for this on GitHub, too:

@Tgreer: The topic is closed on github and I really don’t think it should be closed. “Schlidel” may be able to log in with a bit of practice, but I cannot do so reliably. More often than not, I get into the endless loop with no authentication happening.

That we can frig this to work maybe 1 time in 3, by getting the timing just right and not reading the prompts, is not reliable and is, I suggest, not really an acceptable solution.

Please can you continue to investigate this because as it stands, it’s not workable. I’d be happy to provide whatever further info you may need.

Thanks

@RonWeasley

Are you using USB C on Android as well?

I agree with you the ticket should not have been closed until it has actually been fixed. “Practicing” to get it to work is not a real solution.

I wasn’t expecting them to close the ticket; I just kind of gave up because the person assigned the ticket couldn’t replicate. You, me, and multiple others on Reddit and GitHub have this problem. It exists. I’ve tried on multiple phones with multiple Android versions.

It’s a shame when developers can’t replicate, because it almost ensures it won’t be fixed.

BitWarden… The WebAuthn Android boot loop problem is real… And annoying

Thanks @RonWeasley and @schlidel - I’ll toss a note on the issue.

@schlidel Yes, USB C on Android. Exactly the same symptoms.

I would do a screen recording to show it but unfortunately (and correctly!) BW prevents screen recording.

@RonWeasley I had the same thought. I wanted to do a screen recording of it, but, rightfully so, we can’t.

I’ve tried three phones on two versions of Android, with and without OTP on the Yubikey enabled.

I’ve read comments from people here, on Reddit, and on GitHub with the same issue.

It’s only Bitwarden I have WebAuthn issues with. Not GitHub, Google, Dropbox, Gemini, Boxcryptor, anything. Only Bitwarden.

I don’t think there’s much more troubleshooting isolation we can do.

:man_shrugging:

Thanks for the recap and info!

Matt reopened the issue so we can keep tabs on it while we try to reproduce consistently.

@RonWeasley Not sure if you’re subscribed to the GitHub thread. Thought I’d post this here. Looks like MPortune was able to recreate the issue.