Yubikey HMAC-SHA1 Challenge-Response?

I just switched to Bitwarden (Premium) from 1Password and now trying to use YubiKey as a 2-step login.
Am I correct that Bitwarden supports Yubikey with OTP only, but not with Challenge-Response?


Bitwarden supports Yubikey OTP and FIDO2 WebAuthn which is also supported by Yubikeys. WebAuthn offers higher security and is not prone to Man in the middle attacks, so you should go with that.

1 Like

Thanks for the suggestion!
I have Yubikey 5 NFC - is there also possibility to use it with Android phone via NFC?

Absolutely! After successfully setting up your YubiKey in the Bitwarden webvault, and enabling WebAuthn for 2FA you will be able to login to the Bitwarden mobile app via NFC.

  1. Login to Bitwarden mobile app, enter your master password and you will get a prompt for WebAuthn 2FA verification.

  2. You will be redirected to the Android security authentication.

  3. Select a supported method to read the key.

  4. Tap the NFC security key to the back of your phone.

  5. 2FA has been verified, select Return to App and you should be logged into the Bitwarden mobile app.

Thanks for the comprehensive answer! Step 1 was Ok - I got into the same web-prompt inside mobile Firefox browser. But after I’ve attached Yubikey via NFC, I was redirected not to the Android security authentication but to Yubikey OTP verification Yubico website.

Do I need some additional steps, apart from installing Bitwarden mobile app and setting up my YubiKey in the Bitwarden webvault (web-site)?

Ahh in that case you may have incidentally set a “default app” when using the YubiKey with NFC. This can be disabled in your Default apps settings for your Android phone, hopefully that helps.

Or, if you do not need Yubikey OTP, You can disable it using the Yubikey Manager software:

Maybe something is wrong with the way Samsung Galaxy behaves with Yubikey and NFC - when I touched the NFC key, the mobile web-interface of Bitwarden suggests me to complete action using web-brousers only (I have 3 installed) and “Samsung Internet”.

By the way I don’t have any Yubikey app installed on the mobile, e.g. Yubico Authentificator - do I need it?

It seems that when I disabled OTP, the long press to the key also stopped to work, but I need it

Ahhh okay, so it sounds as though you get a similar popup for the browser prompt when using NFC.

Basically this will happen no matter if you are trying to sign in to Bitwarden, or are just on your homescreen and tap your YubiKey with NFC to the back of your phone.
The NFC touch will prompt the browser, or Yubico Authenticator app request.

You should not need the Yubico Authenticator app, it is just an easy way to store TOTP codes to a supported YubiKey, as well as can provide the Yubico OTP code if needed.

If you use the Yubico Authenticator app and tap with NFC you will get access to those codes, if you use the browser I believe you will be directed to Yubico’s demo website where you can validate the Yubico OTP codes.

When using the YubiKey to sign in to the Bitwarden mobile app on my phone, when prompted for 2FA you can tap your YubiKey with NFC.
If you are prompted for the browsers as shown here

You can simply press outside of that area, or back out and you will be sent back to the Google Play services to authenticate with your YubiKey for Bitwarden, as described in steps 3-5 in my earlier post.
Hope that works for you.

Thanks for your time!
You are right - if I’m on my home screen and tap Yubikey NFC, the same prompt pops up.
But if I press outside this area, nothing happens. Probably this is a way Samsung implements this behavior. I wonder is it only me who’s struggling with such a problem? :slight_smile:

By the way, do I need to disable something from NFC interface of Yubikey? E.g. OTP.

You can try to disable OTP on NFC, some people report that it works more reliable when turning it off.

Interesting - disabling OTP in NFC seems allowed to move forward. I was able to come into the next page: FIDO2 WebAuthn. The app opened this form in my default Android browser: Firefox. However after touching the phone with Yubikey NFC a popup message appeared:
An error has occurred. Please make sure your default browser supports WebAuthn and try again.”

I found this discussion on Bitwarden Github:

And this one:

P.S. Just enabled FIDO2 WebAuthn on 1Password app - everything works smoothly (on a same Android phone)