I have the latest Android app that supports FIDO2! Woohoo! I’ve been excited to receive this feature, as have many others. Thank you.
However… there’s a minor glitch that I’ve determined comes down to timing.
Here’s the login flow I experience on the Android BitWarden app using WebAuthn with a Yubikey 5c via USB.
1. I enter my username and password.
2. Tap the blue “Authenticate WebAuthn” button.
3. Tap the blue “Get started” button.
4. Tap “Use security key with USB.”
5. Prompt comes up asking to “Allow Google Play Services to access Yubikey OTP+FIDO+CCID?” Tap OK. (This doesn’t always pop up. Probably outside of BitWarden’s control.)
6. Tap gold plate on Yubikey.
Now this is where the glitch happens… Normally, I should now be logged into BitWarden, but depending on how quickly I tap the Yubikey in step 6, I might be kicked back to step 2 and potentially inserted into an endless loop, never to be logged in.
After tapping “Use security key with USB” there is a tone played. If I tap my Yubikey after this brief tone has played, I always go back to step 2 to enter the loop again. I’ve tested this and I got up to nearly 10 loops before performing the other timing option. The other timing option is to tap the Yubikey immediately after tapping “Use security key with USB,” before or at the very start of the tone. This method will immediately log in to BitWarden, seemingly without fail.
I’ve confirmed with at least one other Reddit user here that there is a bug with the implementation of USB keys that doesn’t seem to be present when trying to utilize NFC.
When I first tried logging into BitWarden (excitedly) using the WebAuthn updated app, I thought it was broken, but then I tried again and it worked. Tried again and the same thing happened: went back to step 2. It’s a loop. I tried my Samsung phone, same thing. Posted on Reddit, found someone else that could duplicate the issue. Continued tinkering and discovered that it’s all about the timing.
So if you have a FIDO2 USB security key and the updated Android app that now supports it, please experiment with it and let me know how it goes. Take a real slow, long pause before tapping the key… Do you enter the loop? Back on step 2? Tap the key immediately after selecting “Use security key with USB.” It should log you on no problem. Did it? Experiment with timing. If I tap Yubikey immediately, it always logs me in. Otherwise, loop.
There seems to be a timeout glitch of some form or function. I would really like to see WebAuthn for Android fully polished and I’d be a happy guy.
Thanks for the help! And I hope I make sense.