bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Adding a Yubikey that has not been uploaded to Yubico Servers #945

Closed k3anton closed 2 years ago

k3anton commented 5 years ago

User scenario:

1) A user buys a Yubikey.
2) The user decides to regenerate the OTP identity but doesn't realize that the new identity has to be uploaded to a Yubico server (this is really a Yubico lack of information).
3) The user logs in to Bitwarden to add this new Yubikey to be able to use it for 2FA OTP.
4) The user tries to add the OTP but gets "Invalid Key".

Suggestion: Help the user by perhaps including information about having to upload the new key to Yubico servers, or point to demo.yubico.com to allow the user to validate the OTP. The current error information is not helpful and could be improved.

Kind regards,

Crocmagnon commented 5 years ago

The key doesn't need to be "uploaded to yubico servers"; the website at demo.yubico.com is only there to help you diagnose your key and demo the usage. You don't need to use your key there before using it anywhere else.

k3anton commented 5 years ago

@Crocmagnon, Hmm. Are you sure? The way that Yubico presents it, it seems as if the Yubikey has to be uploaded to the Yubico Authentication servers before being used.

I guess it could be tested easily: Wipe slot 1 and slot 2, regenerate a new key for both. Try adding it to Bitwarden. In my experience, this led to "Invalid key".

Crocmagnon commented 5 years ago

> The way that Yubico presents it

Where did you read something like this?

> I guess it could be tested easily: Wipe slot 1 and slot 2, regenerate a new key for both. Try adding it to Bitwarden. In my experience, this led to "Invalid key".

When I received my second and third Yubikey, I did not have to use the demo website to "activate" the key or anything, it worked perfectly in BW. Though wiping both slots might not work indeed, you'll have to enable the right mode on the first slot if you want to use it. But you don't have to "upload" anything anywhere to do that.

k3anton commented 5 years ago

> The way that Yubico presents it

> Where did you read something like this?

So using the Yubikey Personalization User Guide, performing the Quick Setup for OTP, it actually has a step that involves uploading the file to Yubico servers. This is also mentioned in the step-by-step instructions.

> I guess it could be tested easily: Wipe slot 1 and slot 2, regenerate a new key for both. Try adding it to Bitwarden. In my experience, this led to "Invalid key".

> When I received my second and third Yubikey, I did not have to use the demo website to "activate" the key or anything, it worked perfectly in BW. Though wiping both slots might not work indeed, you'll have to enable the right mode on the first slot if you want to use it. But you don't have to "upload" anything anywhere to do that.

Yubico also informs that only the factory-generated key starting with cc may work with certain services, and that any key starting with vv could be removed without notice and reason:

> Note: It can take up to 15 minutes for an uploaded identity to become valid on our validation servers. 'vv' prefix credentials are not guaranteed to have the same availability as production 'cc' prefix credentials. Yubico reserves the right to revoke any 'vv' prefix credential on the Yubico validation service (YubiCloud) at any time, for any reason, including if abuse is detected or if the credential is loaded onto a counterfeit YubiKey.

The only way I was able to get my new vv-prefixed key to work was to upload it to Yubico's server; otherwise Bitwarden would give me "Invalid key".

allella commented 4 years ago

I've also seen the "Invalid Key" error message using a test Yubikey 4. These devices work fine on the Yubikey demo site and when tested against Github.

There's debate on this thread about whether information needs to be registered with YubiCloud, which I've not had to do for previous clients.

Can anybody assist? Uploading keys to a YubiCloud server feels like a really gross idea.

I've posted additional debugging info on the related issue https://github.com/bitwarden/browser/issues/942#issuecomment-623638172

allella commented 4 years ago

I had the same experience on a client's Yubikey 4 (firmware 4.3.7).

The production OTP on slot 1, beginning with cccccc, is used and returns the invalid key error.


I've setup other clients with Yubikey 4 with the same firmware version using the production OTP slot 1 without an issue.

It is possible slot 1 OTP was reprogrammed on these Yubikeys, but the OTP has a ccccc prefix and works when tested against other services, like GitHub.

Also, as @k3anton said, when I generated a new OTP on slot 2, not uploading the key to Yubicloud, it returns the invalid key error in Bitwarden.

I then generated a new OTP, starting with vv, on slot 2 and uploaded it to Yubicloud and it worked with Bitwarden immediately.

Q-efx commented 4 years ago

I have the same issue.

I get invalid length, even with C&P...

```
[2020-05-29 09:26:05][response][INFO] PUT /api/two-factor/yubikey (activate_yubikey_put) => 400 Bad Request
[2020-05-29 09:27:08][request][INFO] PUT /api/two-factor/yubikey
[2020-05-29 09:27:08][error][ERROR] Invalid Yubikey OTP provided.
[CAUSE] DecodeError(
    InvalidLength,
)
```

My issue was a sign after the "key" from yubikey api. The error message should be a bit clearer there?

bitwarden-bot commented 2 years ago

Hi @k3anton, We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it. Thanks!

lyndsysimon commented 5 months ago

TL;DR: Yubikeys using anything other than the secret that shipped with it appear to require uploading to the Yubico Cloud before Bitwarden accepts them.


I'm very late here, but I had the same issue just now.

I had previously used Duo, along with FIDO U2F provided by an older device. I temporarily removed all MFA from my Bitwarden account, then tried to set up both of my Yubikeys.

The first was a Yubikey 5C Nano. It was brand new, fresh out of the box, and worked as intended.

The second was an older key, a Yubikey NEO-n. It hadn't been used in a few years, so I first opened YubiKey Manager and removed all of the old configuration, and created a new short-press configuration using Yubico OTP. I did not upload the key to the Yubico Cloud.

I verified both keys in Neovim. The new 5C Nano was generating codes beginning with cccc. The Neo-N was generating codes beginning with vvcccc. Note that I had not manually configured the 5C Nano at all.

Bitwarden accepted the key from the 5C Nano without issue, but threw an error on the Neo-N. Reconfiguring the Neo-N and choosing the "Upload" option resolved the issue and allowed me to add both to my account.
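The thread converges on two distinct failures: a malformed OTP (Q-efx's trailing character, rejected client-side as `InvalidLength`) and a well-formed OTP whose public ID YubiCloud does not know because the user-generated credential was never uploaded. As an added example that is not Bitwarden's, Vaultwarden's or Yubico's code, the Python below performs the structural pre-check a relying service can do before calling the validation service: it decodes the modhex public ID and flags the `cc` (factory) versus `vv` (user-generated, must be uploaded) prefix the comments above describe. All OTP strings are constructed and will not validate anywhere.

```python
"""Structural pre-check of a Yubico OTP, as a service would do before asking
YubiCloud to validate it. Added example; not Bitwarden's or Vaultwarden's
code. Sample OTPs below are constructed and will not validate anywhere."""

MODHEX = "cbdefghijklnrtuv"   # Yubico's layout-neutral hex alphabet, 'c' = 0 ... 'v' = f
TOKEN_LEN = 32                # the encrypted 16-byte token is always 32 modhex chars
MAX_OTP_LEN = 48              # YubiCloud's validation protocol accepts 32..48 chars

# Constructed samples: a 12-char public ID followed by a dummy 32-char token.
DUMMY_TOKEN = MODHEX * 2
FACTORY_OTP = "ccccccbbbbbb" + DUMMY_TOKEN   # 'cc' prefix, factory-programmed
USER_OTP = "vvccccbbbbbb" + DUMMY_TOKEN      # 'vv' prefix, user-generated


def modhex_decode(s: str) -> bytes:
    """Decode an even-length modhex string to bytes."""
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def inspect_otp(raw: str) -> dict:
    """Return the public ID and its origin, or the reason the OTP is malformed."""
    otp = raw.strip()   # stray whitespace from copy and paste is harmless...
    bad = sorted({ch for ch in otp if ch not in MODHEX})
    if bad:             # ...but any other trailing character is not
        return {"ok": False, "reason": f"non-modhex characters {''.join(bad)!r}"}
    if not TOKEN_LEN <= len(otp) <= MAX_OTP_LEN or len(otp) % 2:
        return {"ok": False, "reason": "InvalidLength", "length": len(otp)}
    public_id = otp[:-TOKEN_LEN]          # the lookup key YubiCloud uses to find the AES key
    if public_id.startswith("cc"):
        origin = "factory"                # programmed and registered by Yubico at manufacture
    elif public_id.startswith("vv"):
        origin = "user-generated"         # YubiCloud only knows it once the user uploaded it
    else:
        origin = "unknown"
    return {"ok": True, "public_id": public_id, "origin": origin,
            "public_id_bytes": modhex_decode(public_id).hex()}


if __name__ == "__main__":
    for sample in (FACTORY_OTP, USER_OTP, FACTORY_OTP + "c", FACTORY_OTP + "!"):
        print(inspect_otp(sample))
```

A passing structural check only says the OTP is well formed; whether YubiCloud can decrypt the token still depends on it holding the AES key for that public ID, which for a `vv` credential is exactly the upload step the thread discusses.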