Open Tarj2xKye0GF3hvSrfJf5NKOk6WI3AgugA7Ehwu opened 10 months ago
It's actually a general Android issue where Android currently doesn't support CTAP2. See https://github.com/bitwarden/mobile/issues/1594#issuecomment-1566522529
This error is likely due to Google Play Services, as it provides WebAuthn support on Android.
Hi @Keeblo,
Thank you for this report. Could you please let me know if you're able to log into your Bitwarden account via the Web App (https://vault.bitwarden.com/#/) using the mobile browser on that device? I'd like to check if that environment supports FIDO2 WebAuthn.
Thank you in advance,
Hello @SergeantConfused,
Since I have the same environment on my Pixel and the last comment is now 2 weeks old, please allow me to reply. It does not work with the web application either. I did some research to get further insights, and there is a related issue for Chromium-based browsers: https://github.com/GrapheneOS/Vanadium/issues/61. Apparently the CredentialProviderService for FIDO2 should be used: https://developer.android.com/reference/androidx/credentials/provider/CredentialProviderService
Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).
As I stated in my previous comment, Android currently has issues with CTAP2 support and does not fail-over to U2F. There's a much more functional workaround: Use ykman to disable FIDO2 on the NFC interface in your Yubikey (make sure to keep U2F enabled). This will allow Bitwarden to use U2F with your Yubikey. I've done this a while back and my Yubikey 5 works just fine for Bitwarden 2FA using NFC on my GrapheneOS Pixel 8 pro.
I see. Just tried, it didn't work for me on my Pixel 6a / GrapheneOS / Android 14. The services I enabled:
```
ykman config nfc -l
FIDO U2F
OATH
PIV
OpenPGP
YubiHSM Auth
```
My test browser is Vanadium, a Chromium-based browser.
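The state the ykman workaround above aims for (FIDO2 off on the NFC interface, U2F still on) can be checked from the `ykman config nfc -l` listing. This is an added example, not part of the original thread; the function name is hypothetical, and it assumes an enabled FIDO2 application appears in the listing as the line `FIDO2`.

```shell
#!/bin/sh
# Added example: verify the NFC application listing of a YubiKey.
# Live use (needs ykman and a connected key):
#   ykman config nfc -l | nfc_fido_state
# Applying the workaround from the thread:
#   ykman config nfc --disable FIDO2

# Reads a listing on stdin, one application per line.
# Returns 0: "FIDO U2F" listed and "FIDO2" not listed (the intended state)
#         1: "FIDO2" is still enabled on NFC
#         2: "FIDO U2F" is missing, so no U2F fallback is available over NFC
nfc_fido_state() {
    has_u2f=no
    has_fido2=no
    cr=$(printf '\r')
    # Whole-line comparison, so "FIDO U2F" and "FIDO2" are never confused.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate CRLF output
        case "$line" in
            "FIDO U2F") has_u2f=yes ;;
            "FIDO2")    has_fido2=yes ;;
        esac
    done
    [ "$has_u2f" = yes ] || return 2
    [ "$has_fido2" = no ] || return 1
    return 0
}

# Listing as posted in the thread (Pixel 6a report).
SAMPLE_LISTING='FIDO U2F
OATH
PIV
OpenPGP
YubiHSM Auth'

if printf '%s\n' "$SAMPLE_LISTING" | nfc_fido_state; then
    echo "NFC: U2F enabled, FIDO2 disabled"
else
    echo "NFC: not in the U2F-only state"
fi
```

A return of 0 only confirms the key's configuration; as the rest of the thread shows, the browser's WebAuthn backend on the phone still has to handle the request.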
Did you enable Google Play services?
I have Google-Play-Services/GSF sandboxed installed and use Brave as default browser (so WebAuthn redirects through Brave).
I see. I don't have it installed. Is Google play a mandatory dependency? I thought it was not. On KeepassDX an external driver available on Gitlab is used to make it work with a Yubikey (and potentially other keys, apparently the Solokey). It works well, just tried it.
It shouldn't, but I can't verify if there's a dependency as I have to run a few apps that require GSF/Play (unfortunately). Other than that, it works well (just used it this morning). I might be able to set up a new profile over the weekend without GSF and see if it works.
I just tested it out in a new profile and unfortunately it depends on GSF/Play. Without it, both Vanadium and Brave break on trying to authenticate on webauthn.io. Once the Sandboxed services are installed, both Vanadium and Brave work flawlessly on both webauthn.io and (set up as default browser respectively) on WebAuthn redirect from the Bitwarden app.
@netboy3 I see, thank you for your feedback. So conclusion:
Therefore it doesn't work properly, given that Google Play Services is not a mandatory dependency (F-Droid version)
Steps To Reproduce
Expected Result
I expect to be signed into my BitWarden account :-)
Actual Result
I'm not signed into my BitWarden account :-(
Instead, I get this error:
Screenshots or Videos
Additional Context
If the theory posited in item number 6 is correct, perhaps there should be a more descriptive error message to alert the user that the F-Droid version of BitWarden doesn't support FIDO2.
Thank you for your time and hard work!
P.S. I'm filling in the "Build Version" as "2023.12.0" since that's the version shown in F-Droid. I cannot check the version in the app since tapping the "Settings" button (circle with two dots in the upper right of the log-in page) results in a screen flicker but no menu.
Operating System
Android
Operating System Version
14
Device
Pixel 6a
Build Version
2023.12.0
Beta