bitwarden / android

Bitwarden mobile app for Android.
https://bitwarden.com
GNU General Public License v3.0
6.53k stars 817 forks source link

Unable to authenticate with FIDO2 #2922

Closed Keeblo closed 5 months ago

Keeblo commented 10 months ago

Steps To Reproduce

  1. Configure BitWarden.com account to use FIDO2 on a Yubikey 5 as a second factor.
  2. Install BitWarden from the F-Droid repository on a Pixel 6a running GrapheneOS with Google Play Services sandboxed.
  3. Attempt to sign into a BitWarden.com vault using the BitWarden application.
  4. When prompted, swipe your Yubikey over your phone's NFC reader.

Expected Result

I expect to be signed into my BitWarden account :-)

Actual Result

I'm not signed into my BitWarden account :-(

Instead, I get this error:

An error has occurred.
Please make sure your default browser supports WebAuthn and try again.

NotReadableError: An unknown error occurred while talking to the credential manager.

Screenshots or Videos

Google_Play_Services_permissions Error_from_BitWarden

Additional Context

  1. Google Play Services are installed and sandboxed.
  2. I'm using the default Vanadium browser.
  3. BitWarden was installed using F-Droid, not Google Play (the Google Play version has Microsoft telemetry enabled last I checked).
  4. I think that I've enabled Storage Scopes for Google Play as mentioned here ( https://discuss.grapheneos.org/d/1274-how-to-use-fido2-security-keys/4 ).
  5. I'm pretty sure that my BitWarden account is configure to use FIDO or FIDO2, not Yubico's proprietary Yubikey OTP service.
  6. I contacted GrapheneOS about this issue, and I was told that it's probably an issue related to the BitWarden application in the F-Droid repository not implementing a FIDO2 library: https://github.com/GrapheneOS/os-issue-tracker/issues/2974

If the theory posited in item number 6 is correct, perhaps there should be a more descriptive error message to alert the user that the F-Droid version of BitWarden doesn't support FIDO2.

Thank you for your time and hard work!

P.S. I'm filling in the "Build Version" as "2023.12.0" since that's the version shown in F-Droid. I cannot check the version in the app since tapping the "Settings" button (circle with two dots in the upper right of the log-in page) results in a screen flicker but no menu.

Operating System

Android

Operating System Version

14

Device

Pixel 6a

Build Version

2023.12.0

Beta

netboy3 commented 10 months ago

Its actually a general Android issue where Android currently doesn't support CTAP2. See https://github.com/bitwarden/mobile/issues/1594#issuecomment-1566522529

rafaelazvdo commented 10 months ago

This error is likely due to Google Play Services, as it provides WebAuth support on Android.

SergeantConfused commented 10 months ago

Hi @Keeblo,

Thank you for this report. Could you please let me know if you're able to log into your Bitwarden account via the Web App (https://vault.bitwarden.com/#/) using the mobile browser on that device? I'd like to check if that environment supports FIDO2 WebAuthn.

Thank you in advance,

alexandre-k commented 9 months ago

Hi @Keeblo,

Thank you for this report. Could you please let me know if you're able to log into your Bitwarden account via the Web App (https://vault.bitwarden.com/#/) using the mobile browser on that device? I'd like to check if that environment supports FIDO2 WebAuthn.

Thank you in advance,

Hello @SergeantConfused,

Since I have the same environment on my Pixel and the last comment is now 2 weeks old, please allow me to reply. It does not work either with the web application. I did a research to get further insights, and there is a related issue for Chromium-based browsers: https://github.com/GrapheneOS/Vanadium/issues/61 Apparently the CredentialProviderService for FIDO2 should be used: https://developer.android.com/reference/androidx/credentials/provider/CredentialProviderService

Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).

netboy3 commented 9 months ago

Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).

As I stated in my previous comment, Android currently has issues with CTAP2 support and does not fail-over to U2F. There's a much more functional workaround: Use ykman to disable FIDO2 on the NFC interface in your Yubikey (make sure to keep U2F enabled). This will allow Bitwarden to use U2F with your Yubikey. I've done this a while back and my Yubikey 5 works just fine for Bitwarden 2FA using NFC on my GrapheneOS Pixel 8 pro.

alexandre-k commented 9 months ago

Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).

As I stated in my previous comment, Android currently has issues with CTAP2 support and does not fail-over to U2F. There's a much more functional workaround: Use ykman to disable FIDO2 on the NFC interface in your Yubikey (make sure to keep U2F enabled). This will allow Bitwarden to use U2F with your Yubikey. I've done this a while back and my Yubikey 5 works just fine for Bitwarden 2FA using NFC on my GrapheneOS Pixel 8 pro.

I see. Just tried, it didn't work for me on my Pixel 6a / GrapheneOS / Android 14. The services I enabled:

ykman config nfc -l      
FIDO U2F
OATH
PIV
OpenPGP
YubiHSM Auth

My test browser is Vanadium, chromium based browser.

Did you enable Google Play services?

netboy3 commented 9 months ago

I have Google-Play-Services/GSF sandboxed installed and use Brave as default browser (so WebAuthn redirects through Brave).

alexandre-k commented 9 months ago

I see. I don't have it installed. Is Google play a mandatory dependency? I thought it was not. On KeepassDX an external driver available on Gitlab is used to make it work with a Yubikey (and potentially other keys, apparently the Solokey). It works well, just tried it.

netboy3 commented 9 months ago

It shouldn't but I can't verify if there's a dependency as I have to run a few apps that require GSF/Play (unfortunately). Other than that, it works well (just used it this morning). I might be able to setup a new profile over the weekend without GSF and see if it works.

netboy3 commented 9 months ago

I just tested it out in a new profile and unfortunately it depends on GSF/Play. Without it, both Vanadium and Brave break on trying to authenticate on webauthn.io. Once the Sandboxed services are installed, both Vanadium and Brave work flawlessly on both webauthn.io and (setup as default browser respectively) on WebAuthn redirect from the Bitwarden app.

alexandre-k commented 9 months ago

@netboy3 I see, thank you for your feedback. So conclusion:

Therefore it doesn't work properly, given that Google Play Services is not a mandatory dependency (F-Droid version)

vvolkgang commented 5 months ago

Issue migrated to https://github.com/bitwarden/mobile/issues/2922