bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Firefox extension and Yubico key token "invalid" #942

Open edalcin opened 5 years ago

edalcin commented 5 years ago

The Firefox extension does not recognize the string generated by my Yubico key, and says:

"Two-step token is invalid. Please, try again"

The same key works fine on browse/web page access.

kspearrin commented 5 years ago

Can you check the dev tools network call? Is it adding any extra or removing characters for some reason?

allella commented 4 years ago

I'm experiencing the "Invalid Key" issue on a test for a client with a Yubikey 4.

Using F12 dev tools shows the length of the input string is the same as the length when viewed in a text editor.

The same key works in the Yubico demo site and on a GitHub test.

Any thoughts / help on this issue?

allella commented 4 years ago

I tested with a "working" Yubikey 4 and I see there are the following network calls:

On the failed attempts (the first three network calls), there's only a failed PUT returning a 400 error from https://vault.bitwarden.com/api/two-factor/yubikey.


allella commented 4 years ago

@kspearrin forgot to ping you on my last comment, which includes the debugging info you requested from an earlier user.

allella commented 4 years ago

I tried another batch of Yubikey 4 and they worked for a client's account. The "invalid key" batch have cccccc prefixes, but it's possible the person I got them from reprogrammed them.

However, it should be noted that all of the Yubikey 4 were validated on the Yubico demo website and worked on other services, like GitHub, so they only failed on Bitwarden in my testing.

I was able to reprogram slot 2 of the OTP on one of the "bad" batch, but it was necessary to upload the keys to YubiCloud, as mentioned in #945.

andrewtackett commented 4 years ago

This problem still exists and causes 2FA to consistently fail. It appears that the Firefox extension is cutting off the last character or two. Getting the Yubikey code into a text editor then copying and pasting it consistently works, so this must be an error on the input field mangling the data.

csantoyo commented 3 years ago

I had this same issue today. Doing what @andrewtackett mentioned works. Will this be fixed? I'm using Firefox v81.0 on Ubuntu.

This was not while using the extension but rather when using the browser interface to log in.

569258yin commented 2 years ago

I had this same issue today. I'm using chrome: 98.0.4758.80 bitwarden plugin: 1.55.0

Failed to load resource: net::ERR_INTERNET_DISCONNECTED https://bitwarden.xxxx.com/identity/connect/token

569258yin commented 2 years ago

I temporarily log in with a pin code, close the option to log in with master password when the browser restarts

credfeto commented 2 years ago

Same issue today on FF100.0.2, Bitwarden plugin 1.58.0.

As above, using another auth method works.

allella commented 2 years ago

@credfeto the Invalid token is often the result of the Yubikey's OTP slot being regenerated and not uploaded to Yubikey's server.

Other websites seem to accept a Yubikey with a regenerated token, starting with 'vvvvvv', even if it's not been uploaded to Yubikey.

Bitwarden checks if regenerated OTP tokens / keys (i.e. a new token which replaces the factory 'cccccc' prefixed values) have been uploaded to Yubikey's server. Bitwarden will show "Invalid token" if it has not been uploaded to Yubikey's public server.

This GitHub issue may have been a different root cause, and it's probably been resolved, so if you purchased an unsealed Yubikey, or regenerated the OTP slot, then the solution is usually a tool like the Yubikey Personalization Tool to upload the OTP to their server.
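
The checks discussed in this thread (token length as seen in dev tools, a trailing character or two cut off, 'cccccc' versus 'vvvvvv' prefixes) can be run on a captured string before it is submitted. The following is an added example, not part of the thread and not Bitwarden's code; it assumes the default Yubico OTP layout of a 12-character public ID followed by 32 modhex characters, and the helper name and sample tokens are constructed for illustration.

```javascript
// Added example, not Bitwarden code. Assumes the default Yubico OTP layout:
// 12 modhex chars of public ID followed by 32 modhex chars of encrypted OTP.
const MODHEX = "cbdefghijklnrtuv"; // Yubico's 16-symbol modhex alphabet
const ID_LEN = 12;
const OTP_LEN = 32;
const EXPECTED_LEN = ID_LEN + OTP_LEN; // 44

// inspectYubicoOtp is a hypothetical helper name. It performs structural
// checks only; it cannot tell whether the credential is known to YubiCloud.
function inspectYubicoOtp(raw) {
  const findings = [];
  const token = raw.trim();
  if (token !== raw) findings.push("surrounding whitespace present (trimmed)");

  const bad = [...new Set(token)].filter((ch) => !MODHEX.includes(ch));
  if (bad.length > 0) findings.push(`non-modhex characters: ${bad.join("")}`);

  if (token.length < EXPECTED_LEN) {
    findings.push(`too short by ${EXPECTED_LEN - token.length} (possible truncation)`);
  } else if (token.length > EXPECTED_LEN) {
    findings.push(`longer than ${EXPECTED_LEN} (non-default ID length or extra input)`);
  }

  // Truncation in the thread hits the end of the string, so a short token
  // still starts with its public ID; a long one keeps the OTP in the last 32.
  const publicId = token.length > EXPECTED_LEN
    ? token.slice(0, token.length - OTP_LEN)
    : token.slice(0, ID_LEN);

  // Prefix meaning as described in the thread: "cc" factory, "vv" regenerated.
  let origin = "unknown";
  if (publicId.startsWith("cc")) origin = "factory";
  else if (publicId.startsWith("vv")) origin = "regenerated";

  return { length: token.length, publicId, origin, wellFormed: findings.length === 0, findings };
}

// Constructed sample tokens (not real OTPs).
const SAMPLE_FACTORY = "ccccccbdefgh" + MODHEX.repeat(2);
const SAMPLE_REGENERATED = "vvvvvvbdefgh" + MODHEX.repeat(2);

for (const t of [SAMPLE_FACTORY, SAMPLE_FACTORY.slice(0, -2), SAMPLE_REGENERATED]) {
  console.log(inspectYubicoOtp(t));
}
```

A regenerated token that is well formed can still be rejected when the credential was never uploaded to YubiCloud, which is the case the last comment describes.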