WebAuthn/FIDO Authentication Glitch With Latest Android App Update

I have the latest Android app that supports FIDO2! Woohoo! I’ve been excited to receive this feature as well as have many others. Thank you.

However… there’s a minor glitch that I’ve determined that comes down to timing.

Here’s the login flow I experience on the Android BitWarden app using WebAuthn with a Yubikey 5c via USB.

  1. I enter my username and password.
  2. Tap the blue “Authenticate WebAuthn” button.
  3. Tap the blue “Get started” button.
  4. Tap “Use security key with USB.”
  5. Prompt comes up asking to “Allow Google Play Services to access Yubikey OTP+FIDO+CCID?” Tap OK. (this doesn’t always pop up. Probably outside of BitWarden’s control)
  6. Tap gold plate on Yubikey.

Now this is where the glitch happens… Normally, I should now be logged into BitWarden but depending on how quickly I tap the Yubikey in step 6 I might be kicked back to step 2 and potentially inserted into an endless loop never to be logged in.

After tapping “Use security key with USB” there is a tone played. If I tap my Yubikey after this brief tone has played I always go back to step 2 to enter the loop again. I’ve tested this and I got up to nearly 10 loops before performing the other timing option. The other timing option is to tap the Yubikey immediately after tapping “Use security key with USB” before or at the very start of the tone. This method will immediately login into BitWarden seemingly without fail.

I’ve confirmed with at least one other Reddit user here that there is a bug with the implementation of USB keys that doesn’t seem to be present when trying to utilize NFC.

When I very first tried logging into BitWarden (excitedly) using the WebAuthn updated app I thought it was broken, but then I tried again and it worked. Tried again and the same thing happened: went back to step 2. It’s a loop. I tried my Samsung phone, same thing. Posted on Reddit, found someone else that could duplicate the issue. Continued tinkering and discovered that it’s all about the timing.

So if you have a FIDO2 USB security key and the updated Android app that now supports it, please experiment with it and let me know how it goes. Take a real slow, long pause before tapping the key… Do you enter the loop? Back on step 2? Tap the key immediately after selecting “Use security key with USB.” It should log you on no problem. Did it? Experiment with timing. If I tap the Yubikey immediately it always logs me in. Otherwise, loop.

There seems to be a timeout glitch of some form or function. I would really like to see WebAuthn for Android fully polished and I’d be a happy guy. :grinning:

Thanks for the help! And I hope I make sense.

Same problem here. Most of the time, I get in the endless loop you describe. However if I am quick and hit the Yubikey contacts immediately, sometimes I get the authentication process to kick in.

I have another problem though: authentication then fails with “An error has occurred. 2-step token is invalid”.

I’ll try re-registering my Yubikey and see if that fixes it.

EDIT: That fixed the authentication failure. The infinite loop problem remains.

Thanks for confirming that the endless authentication loop is there for you as well. That’s at least three of us who have confirmed it. I’m new here and if we actually want this to be fixed I’m not sure where to post it. In the meantime it’s working decent enough if I just remember to tap quickly.

Thanks everyone for continuing the conversation! We have an open item for this on GitHub, too:


@Tgreer: The topic is closed on GitHub and I really don’t think it should be closed. “Schlidel” may be able to log in with a bit of practice, but I cannot do so reliably. More often than not, I get into the endless loop with no authentication happening.

That we can frig this to work maybe 1 time in 3, by getting the timing just right and not reading the prompts, is not reliable and is, I suggest, not really an acceptable solution.

Please can you continue to investigate this because as it stands, it’s not workable. I’d be happy to provide whatever further info you may need.

Thanks


@RonWeasley

Are you using USB C on Android as well?

I agree with you the ticket should not have been closed until it has actually been fixed. “Practicing” to get it to work is not a real solution.

I wasn’t expecting them to close the ticket; I just kind of gave up because the person assigned to the ticket couldn’t replicate. You, me, and multiple others on Reddit and GitHub have this problem. It exists. I’ve tried on multiple phones with multiple Android versions.

It’s a shame when developers can’t replicate because it almost ensures it won’t be fixed.

BitWarden… The WebAuthn Android boot loop problem is real… And annoying

Thanks @RonWeasley and @schlidel - I’ll toss a note on the issue.


@schlidel Yes, USB C on Android. Exactly the same symptoms.

I would do a screen recording to show it but unfortunately (and correctly!) BW prevents screen recording.

@RonWeasley I had the same thought. I wanted to do screen recording of it, but rightfully so we can’t.

I’ve tried three phones on two versions of Android with and without OTP on yubikey enabled.

I’ve read comments from people here, Reddit, and GitHub with same issue.

It’s only Bitwarden I have WebAuthn issues with. Not GitHub, Google, Dropbox, Gemini, Boxcryptor, anything. Only Bitwarden.

I don’t think there’s much more troubleshooting isolation we can do.

:man_shrugging:

Thanks for the recap and info!

Matt reopened the issue so we can keep tabs on it while we try to reproduce consistently.

@RonWeasley Not sure if you’re subscribed to the GitHub thread. Thought I’d post this here. Looks like MPortune was able to recreate the issue.

@RonWeasley It’s been fixed. :slight_smile: Just noticed they added a return to app button. You try it out?


Briefly, and yes I was able to log in, but it is far from “seamless” and throws up an error before finally letting me in.

For me the whole process is a mess:

  • First, I enter my password - straightforward enough.
  • Then we get the new Authenticate WebAuthn screen and button, which I press.
  • Then a “Use your security key with vault.bitwarden.com” screen and a “Get Started” button, which I press.
  • Then another screen saying “Choose how to use your security key”, asking whether I want Bluetooth or NFC or USB.

(If I wait too long (as I have done, just typing this) then after about a minute, another screen pops up with a button that says “undefined” - this looks like a bug. And if I press that, then I get “An error has occurred - please make sure your default browser supports WebAuthn and try again …”

Anyway, we can ignore this, because typically I would respond to the Bluetooth/NFC/USB question in less than 1 minute)

  • Then another prompt saying “Allow using your security key”
  • Then I get two popups, one after another - one saying something about whether I want to let Yubikey Authenticator use my Yubikey, to which I reply NO, and another saying do I want to let Google Play Services use my Yubikey, to which I reply Yes.
  • I touch the Yubikey and 50% of the time (or more) I get the “Undefined” button above, but bizarrely, although it looks like it’s failed, it lets me in.

It’s a mess. I don’t know how many of these dialogue steps are forced upon us by Android, but here’s what I would LIKE to see as a process:

  1. Enter your password
  2. Get a prompt asking you to “use” your Yubikey.
  3. Insert / touch / do whatever needed by the particular Yubikey

Everything else is clutter. As I say, maybe some of it is unavoidable clutter, but it would be good if the process could be streamlined as much as possible, and also, actually work reliably. For me I am afraid it is still unusable. (Sorry!)

Hi, I’m on a Google Pixel 6 with Android 12 and latest Bitwarden app (as of 14th of November).

I cannot log in with my FIDO-key any more; this is what happens:

  1. Start BW App
  2. Enter credentials
  3. It forwards to Authenticate WebAuthn page with Start now button
  4. Prompt for selection of type (Bluetooth, NFC, USB)
  5. Select USB, enter FIDO-key, press button
  6. Page with button back to Bitwarden
  7. Bitwarden App says an error occurred

Tried it with NFC and USB multiple times - same behavior. Funny that it worked once two weeks ago when I received the Pixel 6.

Any idea how to fix this?


Same here, getting error, can’t use Yubikey 5 at all with BW.

I am definitely experiencing this problem with Android 10 on NFC plus a Yubi. I have used this method for years but now it doesn’t work. I don’t want to have to fight with it. Unfortunately I just drop down in security and login with my Authy TOTP (thank God I made it as a backup way in).

Please make sure to let us know when this gets repaired.

I’m getting the same behavior as FrankN, Android 11 on a Samsung Galaxy S10+. I never had a problem with WebAuthn with my YubiKey 5 on Android before, but lately it gives me a vague “An error has occurred”. I’ve tried disabling OTP on the key, and tried both NFC and USB, to no effect. Thankfully I’m still able to use OTP instead, but it’s not what I’d prefer.

I’m also getting the “Allow Google Play Services to access Yubikey” prompt, and sometimes a prompt to select which app to use to open (Bitwarden is not an option).

I’m getting the same behavior on a OnePlus 7T Pro with Android 11 and Yubikey 5 NFC (using NFC connectivity). Various kinds of errors, mostly timeouts.

This is specific to Bitwarden - other apps utilizing Webauthn/FIDO2 do work fine with NFC.

Eventually I ended up configuring Bitwarden’s 2FA with TOTP/Yubico Authenticator but I consider this a workaround.

Similar issue:

Key: SoloKey
Issue: upon taking me to the verification step using my Pixel 6 Pro, I get an error.

Anyone know if this is still being worked on?

Judging by the state of their issues page (open source) I would actually say that this is a SoloKey problem, not Bitwarden.