
FIDO2 in Android app is not working

Open numeratorjik opened this issue 2 years ago • 27 comments

Steps To Reproduce

Version 2.13.0 of Android app. Installed on Google Pixel 5 running current Android 12 beta. The app now prompts me for YubiKey login but it doesn't work. First I see this:

Screenshot_20211018-085344

I tap "Authenticate WebAuthn" and I see this:

Screenshot_20211018-085354

I tap "GET STARTED" and I see this:

Screenshot_20211018-085359

When I hold my key up to the back of the phone, the app switches back to the screen shown in the first screenshot above and this page opens in my browser:

Point Blur_Oct182021_085528

Other apps on my phone that use WebAuthn work just fine with my YubiKey. I am able to authenticate to Bitwarden with my YubiKey in my browser on the desktop.

Expected Result

I expect the app to authenticate successfully with my YubiKey.

Actual Result

It's not working.

Screenshots or Videos

See above.

Additional Context

No response

Operating System

Android

Operating System Version

Android 12 beta

Device

Pixel 5

Build Version

2.13.0

Beta

  • [ ] Using a pre-release version of the application.

numeratorjik avatar Oct 18 '21 13:10 numeratorjik

You have to disable your YubiKey's OTP-over-NFC option. Check out the "Troubleshooting YubiKey NFC" section from our help page at https://bitwarden.com/help/article/setup-two-step-login-fido/

mpbw2 avatar Oct 18 '21 13:10 mpbw2

That may be a workaround, but like I said, other apps which I authenticate to using my YubiKey work just fine over NFC on my phone, so even if there is a workaround then it would seem that there is something wrong with the Bitwarden implementation of this.

numeratorjik avatar Oct 18 '21 13:10 numeratorjik

Furthermore, when I run Yubikey Manager on macOS and insert my Yubikey NEO and go to the Interfaces screen, it does not show NFC interfaces, so apparently I can't disable OTP over NFC for my Yubikey.

Y'all need to rethink something here.

numeratorjik avatar Oct 18 '21 13:10 numeratorjik

Please reopen this issue until you have figured out how to make WebAuthn work on Android for Yubikey NEO users.

numeratorjik avatar Oct 18 '21 13:10 numeratorjik

@numeratorjik I agree it's not ideal, but I was unable to find a way to prevent Android's default NDEF scan behavior during my time working on this feature. Can you provide some examples of apps that are able to do it? I'm happy to look into it if it's possible.

mpbw2 avatar Oct 18 '21 13:10 mpbw2

1Password, for one. Also Google itself. The problem isn't so much that scanning my YubiKey loads the Yubico demo OTP page; that happens with 1Password too. The problem is that however apps like 1Password are doing things enables them to complete the FIDO2 / WebAuthn authentication before the demo OTP page is loaded, whereas the Bitwarden app doesn't.

numeratorjik avatar Oct 18 '21 17:10 numeratorjik

Reopening to continue research into handling secondary scan.

mpbw2 avatar Oct 18 '21 19:10 mpbw2

@mportune-bw in response to https://community.bitwarden.com/t/u2f-support-over-nfc/611/53?u=miked I am not sure my problem is the same. I have a FIDO U2F key (non-YubiKey) that generally works with WebAuthn everywhere (and has NFC). I am going through the same flow, getting the OS screen ("Choose how to use your security key"), and after I authenticate, focus goes back to the app and I see a generic error dialog saying

An error has occurred

I would be happy to record the flow, but Bitwarden has screen capture protection and I can't find a way to disable it.

Might be related https://github.com/bitwarden/clients/issues/2803

mderazon avatar Oct 19 '21 07:10 mderazon

I have this same problem as well. I tried disabling OTP over NFC (ykman config nfc --disable OTP), confirmed it was disabled using the ykman info command, and then tried authenticating with my Yubikey over NFC on Android but still get the same "An error has occurred." dialog. The only difference after disabling OTP is that now it doesn't immediately try to open a browser after I tap my Yubikey to my phone for NFC. I am on Android 12, and the newest Android version of Bitwarden 2.14.0.

project-eutopia avatar Oct 28 '21 14:10 project-eutopia

@project-eutopia That sounds like a different issue. Can you try deleting and re-adding your Yubikey via the web vault settings, then try logging in again on Android?

mpbw2 avatar Oct 28 '21 15:10 mpbw2

@mportune-bw Thank you for your follow up, that seems to have worked!

project-eutopia avatar Oct 28 '21 23:10 project-eutopia

@mderazon I agree it might be related to that web issue as that particular error is generated from our web connector and returned to the app for display. I'm keeping an eye on it.

mpbw2 avatar Oct 29 '21 13:10 mpbw2

I'm having what seems like the same issue on a Pixel 5a with a Yubikey NEO. I see now that the ... in the upper right hand corner of the screen offers other 2FA options, including using a Yubikey NEO, rather than getting dumped directly to WebAuthn. These other 2FA options should be much more prominent in the flow somehow -- let folks choose which 2FA method to use explicitly. It took me an hour or more of messing around with this before I figured out there were other options.

zaneselvans avatar Dec 29 '21 01:12 zaneselvans


I'm having the same issue with a YubiKey 5 NFC and a Solokey Type-C. WebAuthn doesn't work with the Bitwarden app, even after disabling OTP.

DonRohan avatar Jul 13 '22 09:07 DonRohan

I'm having the exact same issue on Android 12: impossible to use a YubiKey via FIDO2 (OTP is disabled):

  • via NFC: gives the "An error has occurred" popup
  • via USB: the OS screen asks for authorization to use USB with the YubiKey, then asks to press the button, but the LED blinks really fast for about 200 ms and after that nothing happens; the "press the button" screen stays forever

Any update on this?

ImprovingRigmarole avatar Sep 13 '22 21:09 ImprovingRigmarole

I opened a bug regarding WebView on Android here: https://issuetracker.google.com/issues/249758200

kevinjbeattie avatar Sep 29 '22 16:09 kevinjbeattie

It also didn't work for me with Solo NFC key. Additionally there was no option to select a different 2FA like Authenticator. Such option was available while logging in to the Bitwarden web. I had to disable Solo NFC key in account settings to be able to log in from the Android app.

k3a avatar Oct 08 '22 11:10 k3a

I have the exact same issue and I already unchecked OTP. Bought 5 YubiKeys, all with NFC, some with USB-C, but not one works properly on Android. USB makes the light blink for 200 ms and it stops thereafter. No matter if I spam the button instantly or wait a little bit, the key is not picked up. Via NFC it tells me that it succeeded, but then nothing happens. And if I click all windows away the login will give an error. Tried clearing everything from the key and re-enabling the FIDO2 auth multiple times. I have no idea what is going wrong here.

BrendanxP avatar Oct 22 '22 17:10 BrendanxP

I've got the same problem as @improving-rigmarole. The LED blinks quickly, as if it's failing a handshake or something, then I get this error after a number of seconds. Using default Chrome as the WebView.

Screenshot_20230201-085233.png

Sparticuz avatar Feb 01 '23 13:02 Sparticuz


Exact same problem I am facing as well.

RZR7332 avatar Feb 02 '23 11:02 RZR7332

Please see this screencast

https://user-images.githubusercontent.com/717076/217385177-a9256b72-9d67-4313-a1f1-3b7824e71749.mp4

Cannot sign in. Unfortunately, Bitwarden has screen capture protection on by default, so the video starts with a black screen from the app, then goes to the browser and back to the app with a failure.

mderazon avatar Feb 07 '23 22:02 mderazon

I need to add myself to the voices having problems here, but I think the issue is much bigger than just Bitwarden. Any FIDO2 supporting application is giving me trouble.

To hopefully shed a bit of light on the situation here, after a lot of research and testing it seems that Android's implementation of WebAuthn does not correctly implement CTAP2, and only really implements CTAP1 (U2F).

If the device tries to authenticate with Android using the FIDO2 CTAP2 protocol, it will fail. Due to this, Android flat out cannot handle any situation with Discoverable credentials (formerly called Resident credentials), and it cannot request a hardware-set PIN. In addition, Android WebView also does not support WebAuthn, and you need to make sure your default browser supports it.

Since Bitwarden's implementation of FIDO2 does not request a PIN and can only be used as a 2FA key with a username and password, it theoretically should work on Android. However, it will only work if the FIDO U2F interface is enabled in the YubiKey Manager. I assume this is because a 2FA-only request that does not require a PIN can fall back to CTAP1/U2F and correctly authenticate. EDIT: Just for further detail, signing in to Google with a Discoverable FIDO2 key registered doesn't seem to be able to fall back to U2F in a 2FA situation where you provide a username and password, even if it works on PC in the same way without a PIN. I assume this is because a Discoverable credential cannot fall back to U2F in any situation. This reddit post was what tipped me off to the reasoning, and this google groups post had information about Android not implementing CTAP2.

With FIDO U2F disabled, both Firefox and Chrome give errors, though different.

Chrome gives the error:

An error has occurred. Please make sure your default browser supports WebAuthn and try again.

NotReadableError: An Unknown error occured while talking to the credential manager.

Firefox gives the error:

An error has occurred. Please make sure your default browser supports WebAuthn and try again.

NotReadableError: The operation failed for an unknown transient reason.

To summarise:

  • Android does not implement CTAP2, and only implements CTAP1.
  • The only FIDO2 keys that work on Android are Non-Discoverable keys with requests that don't require a PIN, therefore allowing them to fall back to CTAP1/U2F.
  • In order to resolve the issue for Bitwarden, for either USB or NFC you need to make sure at least FIDO U2F is enabled. FIDO2 does not need to be enabled, but it doesn't seem to affect things if it is.

Jademalo avatar May 29 '23 04:05 Jademalo
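The comment above argues that a request succeeds on Android only when it can be served by a CTAP1/U2F authenticator: a non-discoverable credential and no PIN. Below is an added example (not code from the Bitwarden issue, the Bitwarden apps or Android) that encodes the CTAP specification's U2F-interoperability conditions as a pure check over standard WebAuthn request options, so a relying party can see whether its own `get()` or `create()` options leave that fallback open. The sample requests, the `example.com` RP ID and the credential IDs are constructed for the example; the function names are this example's own.

```javascript
// Added example: classify WebAuthn request options against the conditions under
// which a CTAP2 request can be satisfied by a CTAP1/U2F authenticator, per the
// CTAP specification's rules for using U2F authenticators:
//   - an assertion needs a non-empty allowCredentials (U2F has no discoverable
//     credentials) and must not require user verification (U2F has no PIN);
//   - a registration must not require a resident key, must not require user
//     verification, and must accept ES256, the only algorithm U2F supports.
// Option names are the standard WebAuthn PublicKeyCredential*Options fields.
// Sample requests below are constructed for this example, not taken from any product.

const ES256 = -7; // COSE algorithm identifier for ECDSA P-256 with SHA-256

// Classify a navigator.credentials.get({ publicKey }) request.
// Returns { fallbackPossible, reasons }, where reasons lists every blocker found.
function assessGetAssertion(publicKey) {
  const reasons = [];
  const allow = publicKey.allowCredentials || [];
  if (allow.length === 0) {
    reasons.push("empty allowCredentials: discoverable-credential flow, which U2F cannot serve");
  }
  if (publicKey.userVerification === "required") {
    reasons.push("userVerification=required: needs a PIN or biometric, which U2F cannot provide");
  }
  return { fallbackPossible: reasons.length === 0, reasons };
}

// Classify a navigator.credentials.create({ publicKey }) request the same way.
function assessCreateCredential(publicKey) {
  const reasons = [];
  const sel = publicKey.authenticatorSelection || {};
  if (sel.residentKey === "required" || sel.requireResidentKey === true) {
    reasons.push("resident key required: U2F cannot create discoverable credentials");
  }
  if (sel.userVerification === "required") {
    reasons.push("userVerification=required: needs a PIN or biometric, which U2F cannot provide");
  }
  const algs = (publicKey.pubKeyCredParams || []).map((p) => p.alg);
  if (!algs.includes(ES256)) {
    reasons.push("pubKeyCredParams omits ES256 (-7), the only algorithm U2F supports");
  }
  return { fallbackPossible: reasons.length === 0, reasons };
}

// Constructed sample: a second-factor assertion of the kind the comment describes,
// keyed to a credential ID the relying party already stores for the user.
const secondFactorRequest = {
  challenge: new Uint8Array(32), // placeholder; a real RP sends a random challenge
  rpId: "example.com", // placeholder RP ID
  allowCredentials: [{ type: "public-key", id: new Uint8Array([1, 2, 3, 4]) }],
  userVerification: "discouraged",
};

// Constructed sample: a passwordless assertion (discoverable credential plus PIN).
const passwordlessRequest = {
  challenge: new Uint8Array(32),
  rpId: "example.com",
  allowCredentials: [],
  userVerification: "required",
};

// Constructed sample: registration of a key as a second factor only.
const secondFactorRegistration = {
  challenge: new Uint8Array(32),
  rp: { id: "example.com", name: "Example RP" },
  user: { id: new Uint8Array([9]), name: "alice", displayName: "Alice" },
  pubKeyCredParams: [{ type: "public-key", alg: ES256 }],
  authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
};

console.log("2FA assertion:", assessGetAssertion(secondFactorRequest));
console.log("passwordless assertion:", assessGetAssertion(passwordlessRequest));
console.log("2FA registration:", assessCreateCredential(secondFactorRegistration));
```

The check only says whether the U2F fallback is possible in principle; whether a given Android build, browser or WebView actually takes it is the platform's decision, which is the behaviour the thread is reporting on.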

Same NotAllowedError from the Bitwarden app.

I'd add that if I use my same default browser (Brave) to access the Bitwarden website itself from Android 13, the FIDO2 2FA also fails in the same way. => I can't use Bitwarden with 2fa via Android, although it works fine from Windows.

phil-w avatar Jul 08 '23 13:07 phil-w

Exact same problem. On Android (Pixel 5) it was working just fine; I had to change the KDF iterations and after that I can't log in anymore with the NFC key on my phone. I also tried using Firefox, switching networks, reinstalling... still nothing. On desktop Linux it works fine. Android: 13, Bitwarden app: 2023.5.0

EDIT: I fixed my problem by removing the FIDO key as 2 factor authentication and adding it back. My FIDO was marked as (migrated) in the vault configuration panel, that could be the issue. I got the idea from this issue: https://github.com/bitwarden/clients/issues/2803

AlmAck avatar Jul 10 '23 19:07 AlmAck

I had the same issue (Android 13, Pixel 6a) and also recently changed my KDF iteration (though I think my keys (Yubico Security key) were already marked as migrated from FIDO before that). Anyway, @AlmAck's fix worked for me.

smury avatar Jul 24 '23 15:07 smury

As per @AlmAck my keys were marked "migrated" as I'd followed Bitwarden's request to change my "KDF iteration" also. That fix worked for my Android 10 tablet, on which I can now login via browser (Brave, shields up). So at least I can get a password that way.

However... the App still fails as before on my Android 13 phone, and using the same Brave browser also fails there, shields up or down. The symptom is the same - it hangs after the NFC read and if you "back" a few times, you can get back to the web page with the errors in red boxes.

Ah well, so removing then re-adding the keys (a) clears the "migrated" marking, and (b) fixes my Android 10 browser at least. So some progress... that's at least one thing needs to be added to the "increase your KDF Iteration" instructions, which is that once you've done it, you need to remove and re-add all FIDO2 keys or they're "migrated", which means "broken".

phil-w avatar Jul 25 '23 10:07 phil-w

Bitwarden's TWO-STEP LOGIN FIDO2 WebAuthn screen mentions this warning:

WARNING Due to platform limitations, WebAuthn cannot be used on all Bitwarden applications. You should set up another two-step login provider so that you can access your account when WebAuthn cannot be used. Supported platforms:

  • Web vault and browser extensions on a desktop/laptop with a WebAuthn supported browser (Chrome, Opera, Vivaldi, or Firefox with FIDO U2F turned on).

Does that mean that the feature is not supported on mobile at all?

If I am using this website on the same phone with the same key and same browser it works fine: https://www.token2.com/tools/fido2-demo

Problem is that since Bitwarden is a critical system for many people, you want to have good security on it, and physical keys are the best security possible. Without the mobile support, you cannot enable physical-key-only auth.

mderazon avatar Nov 22 '23 11:11 mderazon

I just stumbled across this one and failed after 30 minutes to use a YubiKey 5 NFC. It always reverted to the "try again" screen.

fliespl avatar Apr 07 '24 20:04 fliespl

I was having this problem all day today. I tried a bunch of things, and some combination of the below finally worked. Here's what I did:

  1. Log out of Bitwarden Android app
  2. Clear Bitwarden app data
  3. Set Chrome as your default browser app for the time being
  4. Before you proceed, I recommend setting up a standard 6-digit OTP authenticator in case something goes awry. You can turn it back off when done if you're satisfied.
  5. Using the YubiKey Manager desktop app, disable OTP via NFC as suggested in Bitwarden's troubleshooting document

I believe one of these steps was the actual solution:

  1. I had both YubiKey OTP and WebAuthn enabled - Disable YubiKey OTP completely from your two-step settings if you have it enabled
  2. WebAuthn - My YubiKey NFC had a "Migrated from FIDO" note. Remove that and re-add your hardware token.
  3. Open Bitwarden android app and authenticate with your master password, you'll be prompted for your authenticator - the time it worked for me, instead of authenticating right away, I clicked the menu in the upper right corner and selected "Open In Browser" - the page re-opened in Chrome, and I authenticated with NFC there. I held it until the screen said "you're all set". It sent me back to the app which was still waiting for the token, so I hit the authenticate button again, and held the NFC to the back of the phone again.

After all of that, it finally let me through. My suspicion is that it was some combination of the YubiKey OTP being enabled and/or having the "Migrated from FIDO" token, but the double authentication in the last step could have something to do with it as well.

Hopefully this helps someone.

callit avatar Apr 26 '24 02:04 callit