bitwarden / mobile

Retired Bitwarden mobile app for iOS and Android (MAUI/Xamarin).
https://bitwarden.com
GNU General Public License v3.0

Unknown error with FIDO and security key on Android #1548

Closed w65ESxJ2bq7eEt0PLMqGhZrtjROuST7zqnLLWh3 closed 3 years ago

w65ESxJ2bq7eEt0PLMqGhZrtjROuST7zqnLLWh3 commented 3 years ago

Steps To Reproduce

Prerequisites: have a security key set up on the account (I have a Yubico Security Key)

  1. Login through the Android app with username and password
  2. The mobile browser opens automatically, tap "Authenticate WebAuthn"
  3. Use NFC to detect the security key

Expected Result

You get redirected to the app, and login is successful

Actual Result

I get redirected to the app, but still on the "FIDO2 WebAuthn" screen, and I get an alert "An error occurred". I can retry, but the bug still persists.

Screenshots or Videos

No response

Additional Context

I had my YubiKey "migrated from FIDO", maybe that's some relevant information? My issue reproduces on Firefox and Chrome

Operating System

Android

Operating System Version

7.1.1

Device

Samsung Galaxy J5 2016

Build Version

2.13.0

Beta

mpbw2 commented 3 years ago

Hi @Raul6469 , we just started seeing this on another device in-house. We also discovered the same error was returned when using the key outside of the app, using the mobile browser to login to the web vault. Can you check if that happens for you as well?

w65ESxJ2bq7eEt0PLMqGhZrtjROuST7zqnLLWh3 commented 3 years ago

Hi @mportune-bw, I checked and I don't get an error. Instead, it continuously asks for the Yubikey. When I scan it, it immediately reopens the Android prompt for the security key, without logging me in. Is it the same behaviour for you? (I tested on Chrome and Firefox)

mpbw2 commented 3 years ago

@Raul6469 Thanks for the confirmation - that's exactly what we're seeing too. It seems like some devices don't like the migration key for some reason. If you re-add the key everything should work properly. (You can add the key before deleting the migrated key so you won't have any gaps in 2FA coverage). Let me know if that works.

duoQD3j4cZ2udAJcj2AcBZY911r4EjssebCykQK commented 3 years ago

Just want to report that I'm having similar issues with Yubikey 5c using USB. I've confirmed with other users on Reddit and Bitwarden Community they are having the same "authentication loop" problem.

For us, when using a Yubikey USB-C, after tapping "Use security key with USB" in the Google prompts, if we don't immediately tap the gold plate on the Yubikey we are pushed back to the blue "Authenticate WebAuthn" page.

This loop will happen indefinitely if you don't tap the Yubikey plate quick enough.

I've removed all Yubikeys from BitWarden and re-added. Problem persists.

mpbw2 commented 3 years ago

@schlidel Thanks for the links to the discussions, lots of good info there. The problem you're experiencing seems to be between the browser and its implementation with Google Play Services (which I believe you mentioned you're already aware of).

Just FYI you don't have to select the interface type (NFC/USB) when presented with the options. You can just tap or insert/tap and the system will figure it out. I don't experience the same issue with USB that you describe, but perhaps you can bypass it by not selecting USB before inserting the key? Let me know if that changes the behavior for you. If not, it might be worth making sure you're running the latest [everything], including Google Play Services.

duoQD3j4cZ2udAJcj2AcBZY911r4EjssebCykQK commented 3 years ago

@mportune-bw

If I don't select an interface type and just tap the Yubikey plate, I'm prompted about turning Bluetooth on. I have a Yubikey 5C, so no Bluetooth or NFC. I think the Yubikey is attempting to enter a Yubico OTP at that point and it's just registering the return key, and Bluetooth is the first of the options. I could try disabling the Yubico OTP interface and see if that works, but that wouldn't be a long-term solution for me.

When I select "Use security key with USB" my Yubikey starts rapidly flashing awaiting my input. Before I select interface type it's probably still in keyboard mode.

I must tap use USB and then immediately tap YubiKey. It's the only way for me to get it to work.

Google Play Services: 21.36.14
Chrome: 93.0.4577.82

w65ESxJ2bq7eEt0PLMqGhZrtjROuST7zqnLLWh3 commented 3 years ago

@mportune-bw Re-adding the key into my account worked perfectly, thank you! 👍

duoQD3j4cZ2udAJcj2AcBZY911r4EjssebCykQK commented 3 years ago

@mportune-bw

I'm now able to tap on my Yubikey without pre-selecting the interface option (BT, NFC, etc.), as you suggested, by waiting to insert my Yubikey until after I've tapped "Get started." If my key is already inserted when I tap "Get started", the previously mentioned behaviour occurs and the Yubikey is treated as a keyboard until I make the USB selection.

This non-selection method makes it even more difficult to log in, however. I actually wasn't able to log in that way. The method that works consistently well is to plug in the Yubikey before tapping "Authenticate WebAuthn" and then be prepared to go through the authentication steps as fast as possible. If I take my time it never authenticates. Always back to the blue "Authenticate WebAuthn" page.

Is there a short timeout between hitting "Authenticate WebAuthn" and entering my FIDO credentials that I seem to be in a race against? If I can click "Authenticate WebAuthn", "Get started", "Use USB security key", and finally tap the Yubikey in under 4-5 seconds, it works perfectly every time.

Edit: I've actually practiced logging in enough times that it doesn't even seem an issue any longer. But if I take a more casual/normal pace it still loops or times out. Newer users will run into this just by slowing down enough to read the prompts.

mpbw2 commented 3 years ago

Is there a short timeout between hitting "Authenticate WebAuthn" and entering my FIDO credentials that I seem to be in a race against?

It sure sounds like it, though it's not intentional and I'm not sure why we don't see the same thing. On my test devices I have a good 30 seconds to take action before it times out.

Does your key have a modified configuration or is it still factory-fresh? I'm thinking maybe the key is sending a character immediately upon activation that is canceling the process before you have time to touch the contact. (I don't know if that's even a thing, but your description makes me think of a HID keyboard sending an unexpected event) For reference I'm using a 5C NFC and the only customization is disabling OTP on the NFC channel per our help docs.

duoQD3j4cZ2udAJcj2AcBZY911r4EjssebCykQK commented 3 years ago

I attempted disabling OTP interface to see if that fixed it. It was one of the earlier suggestions from someone on Reddit.

Curiously, someone posted the new BitWarden blog article about mobile FIDO 2 support today and the screenshot of the WebAuthn page does not look like mine.

In the screenshot there is remember me, cancel, continue, and use another two-step login method below the blue WebAuthn button.

For me, all I have is the blue WebAuthn button. Is that normal?

Here is mine:

[screenshot: Screenshot_20210928-133725]

And this is what's in the blog article:

[screenshot from the blog article: POST_Product_Sept_2021_FIDO2_Security-Key]

mpbw2 commented 3 years ago

I attempted disabling OTP interface to see if that fixed it. It was one of the earlier suggestions from someone on Reddit.

Is that the only customization on your key?

all I have is the blue WebAuthn button. Is that normal?

That's normal; the article screenshot is from the web vault. For mobile, the other controls are in the app, while only the auth button is used to start the webauthn flow.

duoQD3j4cZ2udAJcj2AcBZY911r4EjssebCykQK commented 3 years ago

Ok, I apologize, it's not clear it's the web vault in the article because it is titled, "FIDO2 Security Key Support Enabled for Mobile Clients" and it seems to be published in response to the newly updated mobile clients.

I do see "remember me" and use "alternative 2FA options" in the interstitial app screen. So all functionality appears to be present.

I use static password in slot 2, but disabling OTP interface disables that as well. And while disabled the USB authentication loop problem is persistent.

Honestly, I'm no longer really worried about it. It functions well enough so I'll stop bugging you about it.

Thank you for developing this great service.

MFpDp4KmkiUVDYcnE8vSW7M3sMQSfscRKGn63Jt commented 3 years ago

@mportune-bw we may want to leave this open if possible, seems others may still have issues:

https://community.bitwarden.com/t/webauthn-fido-authentication-glitch-with-latest-android-app-update/33807/5

mpbw2 commented 3 years ago

I've managed to reproduce this on one of my test devices, though not consistently. In the failure cases, the browser is showing Navigation blocked in the debug console after successful hardware key validation. Some preliminary research confirms it is indeed a timing issue with user interaction. Some context: This is why the web-based Authenticate WebAuthn button is required (to prove that a human started the process). After some time has passed, that button press no longer "counts", and the browser blocks the javascript-based navigation needed to return to the app. As to why the timing seems to be inconsistent, I haven't a clue.

The only consistent workaround I'm seeing is adding a subsequent page to web connector flow containing a button a human can press if the javascript-based navigation fails. Here's an example referenced by others encountering the same issue: https://appauth.demo-app.io/oauth2redirect

I'll give that a whirl and keep this issue updated.
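The blocked navigation described above, and the 4-5 second race reported earlier in the thread, match how browsers scope transient user activation: a click lets script call location.assign() on a custom-scheme URL, but Chromium only honours that for 5 seconds, and a WebAuthn ceremony that involves choosing a transport, inserting the key and touching it can easily take longer. The following is an added example, not Bitwarden's connector code, of the return step written so that it never depends on the original click still counting: it always wires a manual "Return to app" button and only auto-navigates while the activation is fresh. The bitwarden://webauthn-callback scheme and the data query parameter are placeholders, TRANSIENT_ACTIVATION_MS is Chromium's value rather than a spec constant, and the env object stands in for the browser so the logic can be exercised outside one.

```javascript
// Added example (not Bitwarden's connector code). Assumptions are marked.
// Chromium's transient activation lifespan; the HTML spec leaves the exact
// value to each browser, so treat this as a hint, not a guarantee.
const TRANSIENT_ACTIVATION_MS = 5000;

// Placeholder callback URL; the real app-registered scheme may differ.
const RETURN_SCHEME = "bitwarden://webauthn-callback";

// base64url without padding, implemented by hand so the same code runs in a
// browser (no Buffer) and in Node (no btoa on older versions).
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function toBase64Url(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] || 0) << 8) | (bytes[i + 2] || 0);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    if (i + 1 < bytes.length) out += B64[(n >> 6) & 63];
    if (i + 2 < bytes.length) out += B64[n & 63];
  }
  return out;
}

// Serialise the PublicKeyCredential returned by navigator.credentials.get()
// into JSON; field names follow the WebAuthn AuthenticatorAssertionResponse.
function encodeAssertion(credential) {
  const r = credential.response;
  return JSON.stringify({
    id: credential.id,
    rawId: toBase64Url(new Uint8Array(credential.rawId)),
    type: credential.type,
    response: {
      authenticatorData: toBase64Url(new Uint8Array(r.authenticatorData)),
      clientDataJSON: toBase64Url(new Uint8Array(r.clientDataJSON)),
      signature: toBase64Url(new Uint8Array(r.signature)),
      userHandle: r.userHandle ? toBase64Url(new Uint8Array(r.userHandle)) : null,
    },
  });
}

function buildReturnUrl(credential, scheme = RETURN_SCHEME) {
  return scheme + "?data=" + encodeURIComponent(encodeAssertion(credential));
}

// env abstracts the browser so the decision logic is testable:
//   activationActive(): navigator.userActivation.isActive, or undefined when
//                       the API is missing (Firefox before 120)
//   navigate(url):      location.assign(url)
//   showReturnButton(onClick): reveal a "Return to app" button
//   now():              Date.now()
// startedAt is the timestamp taken inside the Authenticate button's click handler.
function returnToApp(credential, startedAt, env) {
  const url = buildReturnUrl(credential);
  // Wire the manual button first. A click on it is a fresh activation, so the
  // location.assign() inside its handler is never "Navigation blocked".
  env.showReturnButton(() => env.navigate(url));
  const elapsed = env.now() - startedAt;
  const active = env.activationActive();
  // Prefer the browser's own answer; fall back to the elapsed-time hint.
  const fresh = active === undefined ? elapsed < TRANSIENT_ACTIVATION_MS : active;
  if (fresh) {
    env.navigate(url);
    return { navigated: true, elapsed };
  }
  // The ceremony outlived the activation window: wait for the human.
  return { navigated: false, elapsed };
}

// Real bindings for use in the connector page (never called in the test).
function browserEnv() {
  return {
    activationActive: () =>
      typeof navigator.userActivation === "object" ? navigator.userActivation.isActive : undefined,
    navigate: (url) => location.assign(url),
    showReturnButton: (onClick) => {
      const b = document.getElementById("return-to-app"); // assumed element id
      b.hidden = false;
      b.onclick = onClick;
    },
    now: () => Date.now(),
  };
}
// Typical wiring inside the Authenticate button's click handler:
//   const startedAt = Date.now();
//   navigator.credentials.get({ publicKey: options })
//     .then((cred) => returnToApp(cred, startedAt, browserEnv()));
```

The point of the design is that the automatic redirect is an optimisation, not the only path: when the key takes too long, the user still has a button that performs the navigation under its own activation, which is what the demo page linked above does as well.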

L4odChikLazzPqWag3onMgcE0bMiWlP9jn7NwQX commented 2 years ago

Hi, I have this issue now.

Phone: Samsung S22 Android version: 12

  1. Enter username and password
  2. Phone automatically opens the Bitwarden WebAuthn site
  3. Click "Authenticate WebAuthn"
  4. Prompted by Google to "Get started"
  5. Choose option "Use security key with NFC"
  6. Scan key
  7. Choose option "Return to app"
  8. In Bitwarden I get "An error has occurred"

I have tried to reinstall the app, re-add the yubikey and all different browsers with the same result. If I try the login on my old samsung s21, I have no issues with the login. The login also works perfect in web vault.

RQcxO19MTwZvXB8ljdKvdMJRRDwxNypDKincgN5 commented 2 years ago

~Same problem on my Pixel 6, in both the browser and the Bitwarden app.~ ~I've tried doing the process quickly, but no luck. It looks like a loop with no errors at first, but when you go 'back' when the loop starts over, you see some errors.~

[screenshot: Screenshot_20220609-155435]

~The symptoms seem the same as above, but since the original issue was closed as fixed, should I create a new issue?~

Edit: I had to remove the webauthn key that had the "migrated from FIDO" text and re-add it

1gBCa2jWjXr49fIqnJnLQpCiCGSaSN4M7wisldy commented 2 years ago

Hi, I recently switched to using WebAuthn, and I'm experiencing exactly the same thing on Android 12, Samsung A71. I'm having the exact same flow of events and errors as https://github.com/bitwarden/mobile/issues/1548#issuecomment-1128076636 and https://github.com/bitwarden/mobile/issues/1548#issuecomment-1151700348.

I also tried many browsers on Android, and it always comes back to "An unexpected error has occurred." when using NFC. Concerning USB, it seems that the Google Play Services prompt actually never tries to read the key: the LED blinks really fast for about 1 s, and whatever timing I press the button with, it always stays stuck on the "push the button now" screen...

I also tried on https://webauthn.io/ which gives the exact same errors, so it might be caused by Google Play Services thing on Android 12...

pUAbQXY7KnptkajABOeLLNWQxyZBtVrcMmwiksY commented 2 years ago

Hey, I'm having exactly the same problem on my Galaxy S10 running Android 10. https://webauthn.io/ spits out errors as well here.

N1Ro3bHQ0oeyjeBXaK1kebAsV81OoTH7fPQ4sZ3 commented 2 years ago

I have the exact same environment and issues as yourfishes commented on 17 May

Is there a work around?

bHjaiYhutODyQIkr8WkfcwXK3SwMR8UfzEA2Ie9 commented 2 years ago

The solution posted earlier in this thread, removing and re-adding keys marked "migrated from FIDO", worked for me.

mV28CdXIQ3CREpSA2uI7Vecvyl5wAHWynfCaDIm commented 1 year ago

Since today I have the same issue on my OnePlus 8 Pro running Android 12.

I am running Vaultwarden on my local server, though.

I have no idea why this is happening or how to fix it. It only seems to affect my smartphone. On the computer everything works as expected.