Why can't I add a second Yubikey to Bitwarden?

I added my first Yubikey (USB-C) successfully, but now I have another Yubikey (NFC) that I need to add. The instructions are to select the first empty slot and touch the key. When I do that for my new NFC Yubikey, it does nothing. If I touch my old key, it enters text into the slot. But the first key is already there. Why am I not able to add a second key? The new NFC key works fine on other sites. Is that a bug in Bitwarden? I even tried removing the old key from the USB-C port and just inserting the new Yubikey NFC into the USB port, but no luck.


My Yubikeys 'ding' when I pull them out, and the new one dings when I plug it in. If that isn't happening, I would suspect that the USB port is not working correctly on hardware removal detection. Do you have a second USB port that you could use? (By the way, always pull the registered Yubikey before you plug in the new one!)

The usual suspect is that you bought a non-OTP Yubikey but are trying to set up Yubikey OTP.
Try to set up Webauthn instead.

It dings and lights up. I added this key to my other accounts; just Bitwarden is not adding it. I don't have another port.

Are the two keys exactly the same? The reason I ask is the point raised by Sugianto. There are different versions of Yubikey. If you are using OTP, then the cheaper Security Key will not work.

The second one is a blue NFC USB-A key. The first was USB-C.

Hmm... The NFC USB-A is most likely not a Security Key. Are you using some sort of USB-C to USB-A converter?

This may be a dumb question, but the USB-A is one-sided, so are you sure that the metal contact is touching the metal contact? I once wasn't paying attention and plugged the USB-A in facing the wrong direction. Since it's not a typical USB plug, it's possible to do that.

The blue Yubikey does not support OTP. You should use Webauthn for your new key.

OK, I was wrong; there is an NFC version of the Security Key. So Yubikeys come in different types:

  1. The full key, which includes things like OTP
  2. The Security Key, which only includes U2F/FIDO and not OTP

Notice that there is a price difference of about $20-$25. The Security Key cannot be used with OTP.

But as @sugianto has stated twice now, the OP can still set up the Security Key using Webauthn:

https://bitwarden.com/help/article/setup-two-step-login-fido/

However, note that not all BW clients support Webauthn, such as the desktop app on macOS and the mobile apps.

Yeah, it really sucks that the blue key doesn't support OTP. I used Webauthn and added it. Wish I had known this before ordering. Not sure whether it's weaker than the OTP version, or is it just a matter of using another protocol?

Yubikey 5 (and 4, possibly others too) support Yubico OTP. It is a somewhat old protocol, though it still has its uses.

The Security Key supports FIDO2 and U2F, which allow access to most of Bitwarden, though with the exceptions others have mentioned.

FIDO/U2F is stronger than OTP. If you want a cheap version, check around on eBay. You can get a Yubikey 4 for about the same price as a Security Key. However, I would just get the 5 for future-proofing.

Webauthn is the strongest of all the protocols and cannot be phished. All other methods can be phished. The only downside is that Webauthn does not work on mobile yet. It was scheduled for Q1/Q2 this year but got moved to Q3. Soon.
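The contrast drawn in the posts above (a Yubico OTP typed into a slot versus a Webauthn assertion) can be shown in a few lines. The following is an added demonstration, not code from the thread, Bitwarden or Yubico: it decodes the modhex string a Yubikey types, runs a simplified server-side OTP check, and then simulates a Webauthn assertion whose clientDataJSON carries the page origin. The authenticator signature is stood in for by HMAC-SHA256 over the same bytes a real authenticator signs (authenticatorData || SHA-256(clientDataJSON)); the OTP string, origins, RP ID, challenge and key are all constructed sample values.

```python
"""Why a Yubico OTP can be relayed by a phishing page but a Webauthn assertion
cannot.  Added demonstration; signature simulated with HMAC, sample values constructed."""
import hashlib
import hmac
import json

# A Yubico OTP is 44 modhex characters: 12-char public ID followed by a
# 32-char AES-encrypted token.  Modhex uses these 16 letters so the key can
# "type" the same scan codes on any keyboard layout.
MODHEX = "cbdefghijklnrtuv"  # 'c' -> 0x0 ... 'v' -> 0xf


def modhex_decode(s):
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    nib = [MODHEX.index(c) for c in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def split_yubico_otp(otp):
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 modhex characters")
    return otp[:12], otp[12:]


def yubico_otp_accepted(otp, registered_public_id, seen_tokens):
    """Simplified verifier: public ID must match the enrolled key and the token
    must be fresh.  Nothing in the OTP names the site it was typed into, so a
    phishing proxy that forwards it first gets in."""
    public_id, token = split_yubico_otp(otp)
    if public_id != registered_public_id or token in seen_tokens:
        return False
    seen_tokens.add(token)
    return True


# Webauthn: the *browser* writes the page origin into clientDataJSON and the
# authenticator signs authenticatorData || SHA256(clientDataJSON).  The relying
# party checks both the signature and the origin.
def make_assertion(key, rp_id, origin, challenge):
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData: rpIdHash (32) || flags (UP=1) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig


def verify_assertion(key, rp_id, expected_origin, expected_challenge,
                     client_data, auth_data, sig):
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") == expected_origin          # the phishing-resistance check
            and auth_data[:32] == hashlib.sha256(rp_id.encode()).digest())


def demo():
    """Returns (otp_relay_accepted, webauthn_legit_accepted, webauthn_relay_accepted)."""
    # --- Yubico OTP: attacker's proxy forwards the typed string unchanged ---
    enrolled_id = "ccccccbchvkb"                       # constructed public ID
    otp = enrolled_id + "hgvrtfhkugvnljirntelrvfjilevtchg"  # constructed token
    seen = set()
    otp_relay_ok = yubico_otp_accepted(otp, enrolled_id, seen)  # True: server cannot tell

    # --- Webauthn: assertion produced on a phishing origin is rejected ---
    key = b"per-credential secret (stand-in for the private key)"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    real_origin, rp_id = "https://vault.example", "vault.example"
    phish_origin = "https://vault-example.evil"
    legit = verify_assertion(key, rp_id, real_origin, challenge,
                             *make_assertion(key, rp_id, real_origin, challenge))
    # A real browser would refuse outright, since rp_id is not a registrable
    # suffix of the phishing origin; even if it did not, the origin check fails.
    relayed = verify_assertion(key, rp_id, real_origin, challenge,
                               *make_assertion(key, rp_id, phish_origin, challenge))
    return otp_relay_ok, legit, relayed


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The second OTP submission of the same string fails the replay check, so the OTP scheme is not worthless; the point is that the first submission succeeds no matter which page collected it, whereas the Webauthn assertion is bound to the origin the browser recorded and the RP ID the credential was created for.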

Now I have an NFC-capable Yubikey set up but can't use it to log in to Bitwarden on my NFC-capable phone, since I can only set it up as Webauthn. Useless :-(

As useless as a baby. Mobile frameworks and libraries didn't even support Webauthn until 2021. Have some patience; I've been waiting for years. Webauthn is only 1-2 years old. Last year Firefox broke Webauthn for several months. It's very much bleeding edge.

I wish sites correctly implemented Yubikey. Vanguard, for example, added Yubikey, but if you log in using a non-supporting client, it will revert to SMS. When I complained about this, Vanguard told me it was because they were worried about recovery. I pointed out to them that, due to the fallback, it's only as secure as SMS.


Have they replied on this?

Vanguard's response is that they will bring this up with their higher-ups, which probably means it will end up on the junk pile until there is a massive break-in due to SMS. Vanguard, like most financial services, is more concerned with password recovery than security.