I have the latest Android app that supports FIDO2! Woohoo! I’ve been excited to receive this feature as well as have many others. Thank you.
However… there’s a minor glitch that I’ve determined that comes down to timing.
Here’s the login flow I experience on the Android BitWarden app using WebAuthn with a Yubikey 5c via USB.
I enter my username and password.
Tap the blue “Authenticate WebAuthn” button.
Tap the blue “Get started” button.
Tap “Use security key with USB.”
Prompt comes up asking to “Allow Google Play Services to access Yubikey OTP+FIDO+CCID?” Tap OK. (this doesn’t always pop up. Probably outside of BitWarden’s control)
Tap gold plate on Yubikey.
Now this is where the glitch happens… Normally, I should now be logged into BitWarden but depending on how quickly I tap the Yubikey in step 6 I might be kicked back to step 2 and potentially inserted into an endless loop never to be logged in.
After tapping “Use security key with USB” there is a tone played. If I tap my Yubikey after this brief tone has played I always go back to step 2 to enter the loop again. I’ve tested this and I got up to nearly 10 loops before performing the other timing option. The other timing option is to tap the Yubikey immediately after tapping “Use security key with USB” before or at the very start of the tone. This method will immediately login into BitWarden seemingly without fail.
I’ve confirmed with at least one other Reddit user here that there is a bug with the implementation of USB keys that doesn’t seem to be present when trying to utilize NFC.
When I very first tried logging into BitWarden (excitedly) using the WebAuthn updated app I thought it was broken, but then I tried again and it worked. Tried again and the same thing happened went back to step 2. It’s a loop. I tried my Samsung phone same thing. Posted on Reddit found someone else that could duplicate the issue. Continued tinkering and discovered that it’s all about the timing.
So if you have a FIDO2 USB security key and the updated Android app that now supports it please experiment with and let me know how it goes. Take a real slow, long pause, before tapping the key… Do you enter the loop? Back on step 2? Tap the key immediately after selecting “Use security key with USB.” It should log you on no problem. Did it? Experiment with timing. If I tap Yubikey immediately it always logs me in. Otherwise, loop.
There seems to be a timeout glitch of some form or function. I would really like to see WebAuthn for Android fully polished and I’d be a happy guy.
Thanks for confirming that the endless authentication loop is there for you as well. That’s at least three of us who have confirmed it. I’m new here and if we actually want this to be fixed I’m not sure where to post it. In the meantime it’s working decent enough if I just remember to tap quickly.
@Tgreer: The topic is closed on github and I really don’t think it should be closed. “Schlidel” may be able to log in with a bit of practice, but I cannot do so reliably. More often than not, I get into the endless loop with no authentication happening.
That we can frig this to work maybe 1 time in 3, by getting the timing just right and not reading the prompts, is not reliable and is I suggest not really an acceptable solution.
Please can you continue to investigate this because as it stands, it’s not workable. I’d be happy to provide whatever further info you may need.
I agree with you the ticket should not have been closed until it has actually been fixed. “Practicing” to get it to work is not a real solution.
I wasn’t expecting them to close the ticket I just kind of gave up because the person assigned the ticket couldn’t replicate. You, me, multiple others on Reddit, GitHub have this problem. It exists. I’ve tried on multiple phones with multiple Android versions.
It’s a shame when developers can’t replicate because it almost insures it won’t be fixed.
BitWarden… The WebAuthn Android boot loop problem is real… And annoying
Briefly, and yes I was able to log in, but it is far from “seemless” and throws up an error before finally letting me in.
For me the whole process is a mess:
First, I enter my password - straigthforward enough.
Then we get the new Authenticate WebAuthn screen and button, which I press.
Then a “Use your security key with vault.bitwarden.com” screen and a “Get Started” button, which I press.
Then another screen saying "Choose how to use your security key screen, asking whether I want Bluetooth or NFC or USB.
(If I wait too long (as I have done, just typing this) then after about a minute, another screen pops up with a button that says “undefined” - this looks like a bug. And if I press that, then I get “An error has occurred - please make sure your default browser supports WebAuthn and try again …”
Anyway, we can ignore this, because typically I would respond to the Bluetooth/NFC/USB question in less than 1 minute)
Then another prompt saying “Allow using your security key”
Then I get two popups, one after another - One saying something about whether I want to let Yubikey Authenticator use my Yubkey, to which I reply NO, and another saying do I want to let Google Play Services use my Yubikey, to which I reply Yes.
I touch the Yubkiey and the 50% of the time (or more) I get the “Undefined” button above, but bizarrely although it looks like it’s failed, it lets me in.
It’s a mess. I don’t know how many of these dialogue steps are forced upon us by Android, but here’s what I would LIKE to see as a process:
Enter your password
Get a prompt asking you to “use” your Yubikey.
Insert / touch / do whatever needed by the particular Yubikey
Everything else is clutter. As I say, maybe some of it is unavoidable clutter, but it would be good if the process could be streamlined as much as possible, and also, actually work reliably. For me I am afraid it is still unusable. (Sorry!)
I am definitely experiencing this problem with Android 10 on NFC plus a Yubi. I have used this method for years but now it doesn’t work. I don’t want to have to fight with it. Unfortunately I just drop down in security and login with my Authy TOTP (thank God I made it as a backup way in).
Please make sure to let us know when this gets repaired.
I’m getting the same behavior as FrankN, Android 11 on a Samsung Galaxy S10+. I never had a problem with WebAuthn with my YubiKey 5 on Android before, but lately it gives me a vague An error has occurred. I’ve tried disabling OTP on the key, and tried both NFC and USB, to no effect. Thankfully I’m still able to use OTP instead, but it’s not what I’d prefer.
I’m also getting the “Allow Google Play Services to access Yubikey” prompt, and sometimes a prompt to select which app to use to open (Bitwarden is not an option).