dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

Biometrics error while using Passkeys #4653

Closed just5ky closed 1 week ago

just5ky commented 2 weeks ago

Discussed in https://github.com/dani-garcia/vaultwarden/discussions/4652

Originally posted by **just5ky** June 18, 2024

### Subject of the issue

Since yesterday, I have been experiencing a biometrics error in the browser extension while using Passkeys on websites. It was working fine before that; I have not made any changes to the server/config. It has previously never asked for biometrics either. Happening on both Mac and Windows. I am able to unlock the vault (desktop app and browser extension) using biometrics without any issues.

### Deployment environment

### Your environment (Generated via diagnostics page)

* Vaultwarden version: v1.30.5
* Web-vault version: v2024.1.2b
* OS/Arch: linux/x86_64
* Running within a container: true (Base: Debian)
* Environment settings overridden: false
* Uses a reverse proxy: true
* IP Header check: true (X-Real-IP)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.44.0
* Clients used:
* Reverse proxy and version:
* Other relevant information:

### Config (Generated via diagnostics page)

Show Running Config

**Environment settings which are overridden:**

```json
{ "_duo_akey": "***", "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***************", "domain_origin": "*****://***************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "warn", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "****************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": true, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null }
```

* vaultwarden version: 1.30.5
* Install method: Docker
* Clients used:
  - Desktop app both windows & mac
  - Browser extension on Brave browser (both device)
* Reverse proxy and version: Traefik v3.0.2
* MySQL/MariaDB or PostgreSQL version: No
* Other relevant details:

### Steps to reproduce

Login to any website and use Passkey stored in Vaultwarden as MFA

### Expected behaviour

Should be able to authenticate normally

### Actual behaviour

Getting biometrics error.

### Troubleshooting data

![image](https://github.com/dani-garcia/vaultwarden/assets/71321862/d1d5e524-7b87-41fa-ad39-07aa026616f5)
![image](https://github.com/dani-garcia/vaultwarden/assets/71321862/d16e2c78-4460-4c2a-9342-6f964dc3907b)

```yml
vaultwarden:
  image: vaultwarden/server:latest
  container_name: vaultwarden
  restart: unless-stopped
  networks:
    - proxy
  environment:
    - WEBSOCKET_ENABLED=true
    - SIGNUPS_ALLOWED=false
    - ADMIN_TOKEN=$VAULTWARDEN_ADMIN_TOKEN
    - DOMAIN=$DOMAIN
    - LOG_FILE=/data/vaultwarden.log
    - EXTENDED_LOGGING=true
    - LOG_LEVEL=warn
    - USE_SYSLOG=true
    - SMTP_HOST=$SMTP_HOST
    - SMTP_PORT=587
    - SMTP_SECURITY=starttls
    - SMTP_FROM=$SMTP_FROM
    - SMTP_USERNAME=$SMTP_USERNAME
    - SMTP_PASSWORD=$SMTP_PASSWORD
    - PUSH_ENABLED=true
    - PUSH_INSTALLATION_ID=$PUSH_INSTALLATION_ID
    - PUSH_INSTALLATION_KEY=$PUSH_INSTALLATION_KEY
  volumes:
    - $DOCKERDIR/bitwarden:/data
  labels:
    traefik.enable: true
    traefik.http.routers.vaultwarden.rule: Host(`$PASSWORD_MANAGER`)
    traefik.http.routers.vaultwarden.entryPoints: https
    traefik.http.services.vaultwarden.loadbalancer.server.port: 80
    traefik.http.routers.vaultwarden.service: vaultwarden
```

Browser extension info

![image](https://github.com/dani-garcia/vaultwarden/assets/71321862/bb54fb5d-77bd-49cf-be84-1e1d37dd0958)
BlackDex commented 2 weeks ago

Any logs in Vaultwarden? I doubt it's an issue in the server side.

just5ky commented 2 weeks ago
```
docker logs vaultwarden
/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.30.5                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[INFO] Using saved config from `data/config.json` for configuration.

[2024-06-19 13:56:50.532][vaultwarden::auth][ERROR] Token has expired
[2024-06-19 13:56:50.536][auth][ERROR] Unauthorized Error: Invalid claim
[2024-06-19 13:56:50.536][vaultwarden::api::core::accounts::_][WARN] Request guard `Headers` failed: "Invalid claim".
```

> Any logs in Vaultwarden? I doubt it's an issue in the server side.

Nothing that stands out.

BlackDex commented 2 weeks ago

I think it is linked to this PR https://github.com/bitwarden/clients/pull/8746

In that case, it's not something we can fix. Maybe you can check some settings if that might help.

just5ky commented 2 weeks ago

Hmm, it seems to be working fine in MS Edge, will test with other browsers too

BlackDex commented 2 weeks ago

Try to logout, and back in using your password. Not sure if you use the Biometrics functionality, but I have some strange issues on my Windows 11 system. It doesn't popup the biometrics window at all anymore. Maybe related.

But, try to logout and back in using your password and see if that helps.

just5ky commented 2 weeks ago

That's the strange thing, it's also happening on my MAC too

BlackDex commented 2 weeks ago

But what happens if you fully logout and back in again using a password?

just5ky commented 2 weeks ago

> But what happens if you fully logout and back in again using a password?

Nothing.

I'm going to remove and reinstall the extension; it seems to only be happening in Brave, on both Win and Mac. Works fine on Edge.

BlackDex commented 2 weeks ago

Is the extension installed via the chrome store? Or does Brave have their own store and thus maybe a different extension id?

That could be an issue then maybe.

just5ky commented 2 weeks ago

Brave uses Chrome Web Store. Edge too

BlackDex commented 2 weeks ago

Edge has their own store, including a different Bitwarden app id, so it's not a default for Edge, at least not anymore.

foux commented 1 week ago

Have the same issue on Chrome on macOS

just5ky commented 1 week ago

> Have the same issue on Chrome on macOS

Glad to see that I'm not the only one. That rules out any configurations on the server side.

Does anyone know if there's a way to check browser extension changelogs? Does Bitwarden even publish that?

foux commented 1 week ago

All the clients changelogs (including browser extensions) are here : https://github.com/bitwarden/clients/releases

just5ky commented 1 week ago

> All the clients changelogs (including browser extensions) are here : https://github.com/bitwarden/clients/releases

Thanks @foux, I think this might be the culprit.

https://github.com/bitwarden/clients/releases/tag/browser-v2024.6.0

Added user verification to passkey flows when required by website

foux commented 1 week ago

This one was reverted, but not sure if the reverted commit is in production yet. The revert commit was merged two days ago, but as there's nothing related to it in the latest changelog, I suspect it's not deployed yet.

just5ky commented 1 week ago

Can you try creating a demo passkey at https://www.passkeys.io/ ? When I tried to do it, it fails with the same error.

just5ky commented 1 week ago

You are right, it was reverted, but it seems it is the one still causing issues. Tested on https://webauthn.io/ as in revert PR https://github.com/bitwarden/clients/pull/9734

User Verification: Discouraged

Recording 2024-06-22 at 21 55 40

User Verification: Preferred

Recording 2024-06-22 at 21 57 19

Browser extension version 2024.6.2

image
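For readers who want to reproduce the Discouraged/Preferred test above against their own page rather than webauthn.io, the following is an added example (not code from the Bitwarden clients or from Vaultwarden) of the two places where "user verification required by website" is expressed in WebAuthn: the `userVerification` member of the options a site passes to `navigator.credentials.get()`, and the UV bit in the `authenticatorData` the relying party checks afterwards. The byte layout and flag bits are taken from the WebAuthn specification; the sample authenticator data is constructed inline, not captured from a device, and signature, challenge and rpIdHash checks are deliberately left out so the block runs offline in Node.

```javascript
// Added example, not Bitwarden/Vaultwarden code. Shows how a relying party (RP)
// requests user verification and how it checks whether the authenticator did it.

// 1. Options the site passes to navigator.credentials.get(). The knob tested on
//    webauthn.io is userVerification: "discouraged" | "preferred" | "required".
function buildAssertionOptions(challenge, rpId, userVerification = "preferred") {
  const allowed = new Set(["discouraged", "preferred", "required"]);
  if (!allowed.has(userVerification)) {
    throw new Error(`invalid userVerification: ${userVerification}`);
  }
  return {
    publicKey: {
      challenge,          // Uint8Array from the server, fresh for every request
      rpId,
      timeout: 60000,
      userVerification,
    },
  };
}

// 2. authenticatorData layout (WebAuthn Level 2, section 6.1):
//    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
//    flags bit 0 = UP (user present), bit 2 = UV (user verified).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4)
    .getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// 3. RP-side check (WebAuthn section 7.2): UP must always be set; UV must be set
//    only when the RP asked for "required". For "preferred" and "discouraged" the
//    assertion is valid with or without UV, so a client that insists on a
//    biometric prompt for a "preferred" request is failing on its own, not
//    because of anything the server returned.
function checkUserVerification(authData, requestedPolicy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (requestedPolicy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but not performed" };
  }
  return { ok: true, reason: "ok", userVerified: parsed.userVerified };
}

// Constructed sample authenticatorData (not captured from a real device):
// zeroed rpIdHash, the given flags byte, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7, false);
  return buf;
}

// Usage when run directly with `node`:
if (typeof require !== "undefined" && require.main === module) {
  const opts = buildAssertionOptions(new Uint8Array(32), "webauthn.io", "discouraged");
  console.log(opts.publicKey.userVerification);
  console.log(checkUserVerification(sampleAuthData(FLAG_UP), "preferred"));
  console.log(checkUserVerification(sampleAuthData(FLAG_UP), "required"));
  console.log(checkUserVerification(sampleAuthData(FLAG_UP | FLAG_UV), "required"));
}
```

The useful comparison is the second and third calls: the same assertion with only UP set is accepted under "preferred" and rejected under "required". A site that breaks only when the client adds a verification step it was not asked for, as in the Discouraged versus Preferred recordings above, is seeing a client-side policy decision, not a server-side one.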

foux commented 1 week ago

It can't be in 2024.6.2, as it was released before the rollback.

Kitchigo commented 1 week ago

Hello, same error, only on the Google Chrome extension; with Mozilla it works fine...

bin101 commented 1 week ago

Same for me on Google Chrome extension installed via chrome store.

Debug console reports this: Error: Could not establish connection. Receiving end does not exist.

BlackDex commented 1 week ago

To be clear: this is a client issue as far as I can tell. There is nothing on the server side, it looks like, which might cause these issues. If someone who has these issues could verify this with a vault.bitwarden.com or .eu account, that would be great.

just5ky commented 1 week ago

Created an account on Bitwarden.com and did the same as in my last comment

Encryption Preferred

image

image

Desktop App version

image

Moving the issue to the official Bitwarden repo, since it's also happening with an account on Bitwarden.com

just5ky commented 1 week ago

Someone has already done it https://github.com/bitwarden/clients/issues/9795

BlackDex commented 1 week ago

Closing this here since it's not something we can fix.