bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Possible bugs with multiple passkey logins when logging into https://vault.bitwarden.com/#/login using Edge, which also affects FIDO2/WebAuthn authentication. #9040

Open reachnet2 opened 2 months ago

reachnet2 commented 2 months ago

Steps To Reproduce

This issue may affect other browsers - I haven't tested.

Make sure you have previously saved at least one YubiKey OTP key to a YubiKey before proceeding with the steps below, otherwise you may get completely locked out of the Vault.

Steps to reproduce:

Preconditions:

- No encryption on Vault.
- FIDO2/WebAuthn keys previously created for both devices mentioned below.

1. Log in to https://vault.bitwarden.com/#/login (in my case using Edge) using the FIDO2/WebAuthn key previously set up for the device (in my case Windows 11 Pro).
2. Create a login passkey for the currently logged-in device.
3. Log out.
4. Log in again with the passkey. All going well, login should be OK.
5. Log out.
6. Log in to https://vault.bitwarden.com/#/login (in my case using Edge) using the FIDO2/WebAuthn key previously set up for the device (in my case Windows 10 Home).
7. Create a 2nd login passkey for the currently logged-in device.
8. Log out.
9. Try logging in again on the 2nd device using the login passkey. Fails with "Invalid Passkey".
10. Try logging in again on the 2nd device using Master Password/FIDO2 WebAuthn. Enter the local Windows Hello PIN. Windows prompts for a Security Key (no option is presented for FIDO2/WebAuthn authentication).
11. Try logging in again on the 1st device using the login passkey. Succeeds.
12. Try logging in again on the 1st device using Master Password/FIDO2 WebAuthn. The option to enter the local Windows Hello PIN for the passkey isn't displayed, only the options to use the passkey from an iPhone, iPad or Android device, or a Security Key.

I appreciate that Vault-based web login using passkeys is currently in beta and therefore a work in progress. For the moment I've decided not to use passkey Web Vault logins and just use Master Password/FIDO2 WebAuthn instead.

Steps taken to revert back to the previously working state:

1. Log in to https://vault.bitwarden.com/#/login on the 1st device and choose the security key option when prompted. Login should succeed.
2. Delete both passkeys previously created for both devices.
3. Remove both FIDO2/WebAuthn keys previously created for both devices and recreate the key for the 1st device, then log out.
4. Log in to https://vault.bitwarden.com/#/login on the 2nd device using the security key when prompted. Login should succeed.
5. Recreate the FIDO2/WebAuthn key for the 2nd device.

All going well, we should now be back at the previously working state.

Hope that helps.

Expected Result

https://vault.bitwarden.com/#/login passkey logins should work for multiple devices. At present they don't seem to.

Actual Result

https://vault.bitwarden.com/#/login passkey logins/FIDO2/WebAuthn fail for multiple devices.

Screenshots or Videos

No response

Additional Context

Both PCs fully updated. Edge fully updated on both PCs - Version 124.0.2478.80.

Operating System

Windows

Operating System Version

Both Windows 10 Home and Windows 11 Pro

Web Browser

Microsoft Edge

Browser Version

Version 124.0.2478.80

Build Version

(Official build) (64-bit)

sammbw commented 2 months ago

Hi there,

I am unable to reproduce this issue; it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

reachnet2 commented 2 months ago

Hi,

Thanks for getting back to me.

I don't really think I can add anything further than what I have already reported.

All I really can say is that currently it is definitely an issue for me. I've been through the above process twice with the same results each time.

Perhaps when the issue is escalated, the issue can be reproduced.

Thanks again.

Regards, Gary

reachnet2 commented 2 months ago

Hi,

Just a few further thoughts. I don't see how these are relevant, but I guess you never know.

I have previously also set up Bitwarden with the following:

- Microsoft Authenticator as an authenticator app.
- A FIDO2/WebAuthn 2-step login key for an Android smartphone.

Cheers.

micahblut commented 2 weeks ago

I'm having a little trouble following the replication steps, but it occurs to me that perhaps this is just another instance of this issue presenting itself. Passkeys on Windows 10 are known to have issues, and we have yet to investigate this issue substantially. It sounds, from your replication steps, like the passkey stored in Windows Hello on Windows 10 is the issue, not the one stored in Windows Hello on Windows 11 nor the WebAuthn credential you have on Android.

reachnet2 commented 2 weeks ago

Thanks for getting back to me. I agree the issue seems to be with Windows 10/Hello/Passkeys only. Since I reported the issue, I pretty much haven't used passkeys to log in to the Bitwarden Web Vault, simply using Master Password/WebAuthn instead. As the issue doesn't appear to be a "show-stopper", I'm quite happy not using passkeys at the moment (although I'd obviously prefer to). Knowing the issue is in the pipeline to be investigated at some future point is fine with me. All the best m8.