bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Sony website passkey error while Bitwarden does nothing #8049

Open Xavron opened 8 months ago

Xavron commented 8 months ago

Steps To Reproduce

  1. ~https://my.account.sony.com/~ https://www.playstation.com
  2. sign in (add to Bitwarden if needed)
  3. user profile (top right)
  4. account settings
  5. security
  6. sign in with passkey
  7. click create a passkey

Expected Result

Bitwarden should do something instead of nothing at all, preferably adding the passkey, as it is supposed to have passkey support.

Actual Result

Error on Sony's website: "A passkey couldn't be created for this device, or you canceled creating a passkey." Nothing from Bitwarden, no popup or anything at all.

Screenshots or Videos

No response

Additional Context

Passkeys are enabled in Bitwarden and confirmed working on another website. (confirmed working for both adding and using on another website.)

Both Firefox and Chrome see this happen.

Disabling passkeys in Bitwarden does cause the browser's popup for a non-Bitwarden passkey to show.

The non-Bitwarden one working gives the appearance that Bitwarden is at fault. It doesn't really make sense for it to be the browser, unless the browser was doing something that it wouldn't allow Bitwarden to do or use from the website. The website is obviously working, since the non-Bitwarden one shows up.

End result is that Bitwarden passkey support must be broken here with Sony's new passkey support, for whatever reason.

Operating System

Windows

Operating System Version

Windows 11 23H2 build 22631.3155

Web Browser

Chrome, Firefox

Browser Version

latest

Build Version

2024.2.0


Adedamola-Aina commented 8 months ago

Hi @Xavron

Thank you for your report!

I was able to reproduce this issue, and I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

Bennytek commented 7 months ago

Hi there, just wanted to drop by to thank you for flagging this with the engineering team - I'm having this problem too!

When I go to generate a passkey, Bitwarden will not react, and the webpage will jump straight to the "A passkey couldn't be created for this device" message (as seen in the image below).

And when I try to sign in using a passkey, Bitwarden will pop up as expected, saying that there are no passkeys found (as seen in the image below).

I know you were able to replicate the issue, but I just thought I'd drop by regardless 😅

Thank you so much!

ZenoBell commented 7 months ago

Same issue here. Tried additionally with different browsers (Firefox/Nightly, Chrome, Edge, Brave) and from an Android device, but I couldn't make BW create the key.

andymerskin commented 7 months ago

On Android, for some reason it bypassed Bitwarden (which is my default Passkey provider) and tried using Android's built-in passkey manager. Out of curiosity, I tried it this way and Android's passkey manager was unable to find any passkeys associated with Sony's Playstation app (using their passkey domain / namespace), so I wonder if this may be an issue with Sony not properly implementing this?

RvdE commented 7 months ago

> On Android, for some reason it bypassed Bitwarden (which is my default Passkey provider) and tried using Android's built-in passkey manager. Out of curiosity, I tried it this way and Android's passkey manager was unable to find any passkeys associated with Sony's Playstation app (using their passkey domain / namespace), so I wonder if this may be an issue with Sony not properly implementing this?

The Android app doesn't support storing passkeys yet. This is planned though, but AFAIK no ETA yet.

fabriziobagala commented 7 months ago

I also have the same problem. In addition, I have problems with autocomplete via the menu that appears in the text box. Does anyone else experience the same problem?

JaxonWright commented 7 months ago

Same issue happens when signing in on an Android phone with Bitwarden as the default password manager. Only way around is to make the default be Google temporarily, store it in there, and sign in with that set as default.

AlexKalopsia commented 7 months ago

Same issue, but found out there is a PR pending that should fix this https://github.com/bitwarden/clients/pull/8153

sidewinder94 commented 7 months ago

@AlexKalopsia I might have misunderstood the PR. But AFAICT, the PR is related to the login form being broken.

This issue talks about registering the passkey.

So these are different imho.

AlexKalopsia commented 7 months ago

> @AlexKalopsia I might have misunderstood the PR. But AFAICT, the PR is related to the login form being broken.
>
> This issue talks about registering the passkey.
>
> So these are different imho.

My bad, you're right!

mantasio commented 7 months ago

Is there a possibility that it's an issue on Sony's end and not Bitwarden?

sidewinder94 commented 7 months ago

I successfully managed to create and use a passkey for their website on my phone (so not using bitwarden). So I'd say it is working on their side.

sidewinder94 commented 7 months ago

Just to add some details.

Clicking on the Create on this device button triggers a "passkeyRegister" request. In the JSON response there is a "credential_options" field.

At the end of this field I could find these values:

{
  "pubKeyCredParams":[{"type":"public-key","alg":"-7"},{"type":"public-key","alg":"-37"},{"type":"public-key","alg":"-257"}]
}

At the same time, the console for the Bitwarden extension logs a warning:

console-log.service.ts:47 [Fido2Client] No compatible algorithms found, RP requested: 
write @ console-log.service.ts:47
warning @ console-log.service.ts:24
(anonymous) @ fido2-client.service.ts:124
o @ background.js:1
Promise.then (async)
l @ background.js:1
(anonymous) @ background.js:1
ll @ background.js:1
createCredential @ background.js:1
(anonymous) @ runtime.background.ts:273
(anonymous) @ background.js:1
im @ background.js:1
(anonymous) @ runtime.background.ts:271
runWithAbortController @ abort-manager.ts:13
(anonymous) @ runtime.background.ts:269
(anonymous) @ background.js:1
im @ background.js:1
processMessage @ background.js:1
e @ runtime.background.ts:74

And in fido2-client.service.ts, lines 108 to 120, can be found:

let credTypesAndPubKeyAlgs: PublicKeyCredentialParam[];
if (params.pubKeyCredParams?.length > 0) {
  // Filter out all unsupported algorithms
  credTypesAndPubKeyAlgs = params.pubKeyCredParams.filter(
    (kp) => kp.alg === -7 && kp.type === "public-key",
  );
} else {
  // Assign default algorithms
  credTypesAndPubKeyAlgs = [
    { alg: -7, type: "public-key" },
    { alg: -257, type: "public-key" },
  ];
}

If I understood all that correctly, this means that Bitwarden needs to implement new public key algorithms. I don't know enough about js/ts to know why that would fail when Bitwarden supports one of the public key algorithms that Sony is asking for.

JaxonWright commented 7 months ago

@sidewinder94 the first set of JSON code you posted is not valid JSON. There should be a colon between "arg" and "-257". If that is what the actual response is from the request, then it seems like Sony's API has a bug in it.

sidewinder94 commented 7 months ago

@JaxonWright It's most probably my fault; this is a JSON inside of a JSON response, and I may have removed a colon along with the escaping character that was near it.

Yeah, just confirmed, the JSON sent by Sony IS valid.

SteveGoodenough commented 7 months ago

Just to add I get the same issue on Linux (Ubuntu)

Khameleon05 commented 7 months ago

To be fair this didn't even work on mobile for a while either, it would let you create a passkey and then when you tried to log on it would say wrong device and there was no way to actually use it. They've fixed that (and their app actually allowing you to login....) so maybe it's Sony being Sony...

bmeulmeester commented 7 months ago

Can confirm all the above, I have the exact same issue and diagnosis. Eagerly awaiting a fix. Any updates @Adedamola-Aina ?

DanForever commented 7 months ago

This happens for me as well on Firefox. I tried using a different firefox profile without the bitwarden extension and it appeared to work ok

llwwns commented 7 months ago

@sidewinder94 The code checked kp.alg against number but the alg fields in the JSON are strings.
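The two comments above (the quoted filter in fido2-client.service.ts and the observation that Sony sends `alg` as strings) are enough to reproduce the failure on paper. The TypeScript below is an added example written for this page, not Bitwarden's code. It reconstructs the decision in the quoted snippet with a strict filter, feeds it a constructed input shaped like Sony's `credential_options` (string `alg` values, copied from the values quoted in the thread), and then shows a tolerant filter that coerces and validates `alg` instead. The list of supported algorithms (ES256 and RS256) is an assumption for illustration; the snippet quoted from the extension only keeps `-7`.

```typescript
// Added example, not Bitwarden's code. Reproduces the empty-filter result
// behind "[Fido2Client] No compatible algorithms found" when an RP sends
// pubKeyCredParams.alg as strings, and shows a coercing filter instead.

type PubKeyCredParam = { type: string; alg: number | string };

type Selection = { ok: boolean; alg?: number; reason?: string };

// Assumption for illustration: the client supports ES256 (-7) and RS256 (-257).
// The snippet quoted in the thread only keeps -7 in its filter.
const SUPPORTED_ALGS: number[] = [-7, -257];

// Defaults used when the RP sends no pubKeyCredParams, as in the quoted snippet.
const DEFAULT_PARAMS: PubKeyCredParam[] = [
  { type: "public-key", alg: -7 },
  { type: "public-key", alg: -257 },
];

// Constructed input shaped like the credential_options quoted from Sony's
// passkeyRegister response: every alg is a string, not a number.
const SONY_STYLE_PARAMS: PubKeyCredParam[] = [
  { type: "public-key", alg: "-7" },
  { type: "public-key", alg: "-37" },
  { type: "public-key", alg: "-257" },
];

// Constructed input as the WebAuthn spec describes it: COSE identifiers as numbers.
const SPEC_STYLE_PARAMS: PubKeyCredParam[] = [
  { type: "public-key", alg: -7 },
  { type: "public-key", alg: -257 },
];

// Strict filter in the shape of the quoted code: === against a number, so a
// string "-7" never matches and the result is empty.
function filterStrict(params: PubKeyCredParam[]): PubKeyCredParam[] {
  return params.filter((kp) => kp.alg === -7 && kp.type === "public-key");
}

// Tolerant filter: convert alg the way a WebIDL "long" conversion would
// (Number()), drop anything that is not an integer, keep only supported
// identifiers, and normalise the output so later code always sees numbers.
function filterCoerced(params: PubKeyCredParam[]): PubKeyCredParam[] {
  const out: PubKeyCredParam[] = [];
  for (const kp of params) {
    if (kp.type !== "public-key") continue; // unknown types are ignored, per spec
    const alg = Number(kp.alg);
    if (!Number.isInteger(alg)) continue; // "", "abc" -> NaN, never an integer
    if (!SUPPORTED_ALGS.includes(alg)) continue; // e.g. -37 (PS256) is skipped
    out.push({ type: "public-key", alg });
  }
  return out;
}

// Mirrors the decision in the quoted code path: an empty list after filtering
// is what produces the warning and the RP's "couldn't be created" error.
function selectAlgorithm(
  params: PubKeyCredParam[] | undefined,
  filterFn: (p: PubKeyCredParam[]) => PubKeyCredParam[],
): Selection {
  const candidates = params && params.length > 0 ? filterFn(params) : DEFAULT_PARAMS;
  if (candidates.length === 0) {
    return { ok: false, reason: "No compatible algorithms found" };
  }
  return { ok: true, alg: Number(candidates[0].alg) };
}
```

With the strict filter, the Sony-shaped input yields an empty list and `selectAlgorithm` reports "No compatible algorithms found", which is the warning the thread quotes; the same input through `filterCoerced` keeps `-7` and `-257` and registration can proceed. A browser's native WebAuthn implementation converts dictionary members through WebIDL before it ever compares them, which is consistent with the thread's observation that the non-Bitwarden flow worked while an extension comparing the raw JavaScript object did not.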

mbestavros commented 6 months ago

Unclear if it's the exact same issue, but I'm seeing very similar behavior when attempting to add a passkey using the Bitwarden browser extension on the Yubico passkey playground:

Screenshot from 2024-03-31 22-08-04

sidewinder94 commented 6 months ago

@mbestavros Can't reproduce with extension version 2024.2.1 on a chromium browser (Brave).

To check if it's the same issue, you'd need to check if there was any error message in the extension JS console.

Xavron commented 6 months ago

> To be fair this didn't even work on mobile for a while either, it would let you create a passkey and then when you tried to log on it would say wrong device and there was no way to actually use it. They've fixed that (and their app actually allowing you to login....) so maybe it's Sony being Sony...

That's a different issue, but that's okay :)

Actually, passkeys, I don't know how it's even working with the behind-the-scenes drama it has. This is the result, with broken stuff everywhere :\

Khameleon05 commented 6 months ago

> > To be fair this didn't even work on mobile for a while either, it would let you create a passkey and then when you tried to log on it would say wrong device and there was no way to actually use it. They've fixed that (and their app actually allowing you to login....) so maybe it's Sony being Sony...
>
> That's a different issue, but that's okay :)
>
> Actually, passkeys, I don't know how it's even working with the behind-the-scenes drama it has. This is the result, with broken stuff everywhere :\

Yes, it was a problem with their Chrome utilization, but it was something Sony did wrong when they added their passkey support, which could imply this is also on their side; that was my only point.

Moenmyna commented 6 months ago

Just wanted to add that I tried to create a passkey for my account just now using the Firefox extension, version 2024.3.1, and was able to successfully do so!

I was also able to log-in with the newly created passkey as expected.

For reference, this was done on Firefox 124.0.2, on Windows 11 with the Bitwarden extension version being 2024.3.1 as previously mentioned.

sidewinder94 commented 6 months ago

I can confirm this now works: extension version 2024.2.1 on Brave.