Unable to authenticate with FIDO2 #2922

Closed
1 task
Keeblo opened this issue Dec 30, 2023 · 12 comments
@Keeblo

Keeblo commented Dec 30, 2023

Steps To Reproduce

  1. Configure BitWarden.com account to use FIDO2 on a Yubikey 5 as a second factor.
  2. Install BitWarden from the F-Droid repository on a Pixel 6a running GrapheneOS with Google Play Services sandboxed.
  3. Attempt to sign into a BitWarden.com vault using the BitWarden application.
  4. When prompted, swipe your Yubikey over your phone's NFC reader.

Expected Result

I expect to be signed into my BitWarden account :-)

Actual Result

I'm not signed into my BitWarden account :-(

Instead, I get this error:

An error has occurred.
Please make sure your default browser supports WebAuthn and try again.

NotReadableError: An unknown error occurred while talking to the credential manager.

Screenshots or Videos

Google_Play_Services_permissions
Error_from_BitWarden

Additional Context

  1. Google Play Services are installed and sandboxed.
  2. I'm using the default Vanadium browser.
  3. BitWarden was installed using F-Droid, not Google Play (the Google Play version has Microsoft telemetry enabled last I checked).
  4. I think that I've enabled Storage Scopes for Google Play as mentioned here ( https://discuss.grapheneos.org/d/1274-how-to-use-fido2-security-keys/4 ).
  5. I'm pretty sure that my BitWarden account is configured to use FIDO or FIDO2, not Yubico's proprietary Yubikey OTP service.
  6. I contacted GrapheneOS about this issue, and I was told that it's probably an issue related to the BitWarden application in the F-Droid repository not implementing a FIDO2 library: BitWarden unable to authenticate with WebAuthn in Vanadium GrapheneOS/os-issue-tracker#2974

If the theory posited in item number 6 is correct, perhaps there should be a more descriptive error message to alert the user that the F-Droid version of BitWarden doesn't support FIDO2.

Thank you for your time and hard work!

P.S. I'm filling in the "Build Version" as "2023.12.0" since that's the version shown in F-Droid. I cannot check the version in the app since tapping the "Settings" button (circle with two dots in the upper right of the log-in page) results in a screen flicker but no menu.

Operating System

Android

Operating System Version

14

Device

Pixel 6a

Build Version

2023.12.0

Beta

  • Using a pre-release version of the application.

Keeblo added the bug label Dec 30, 2023

@netboy3

netboy3 commented Jan 5, 2024

It's actually a general Android issue where Android currently doesn't support CTAP2. See bitwarden/mobile#1594 (comment)

@rafaelazvdo

This error is likely due to Google Play Services, as it provides WebAuthn support on Android.

@SergeantConfused

Hi @Keeblo,

Thank you for this report. Could you please let me know if you're able to log into your Bitwarden account via the Web App (https://vault.bitwarden.com/#/) using the mobile browser on that device? I'd like to check if that environment supports FIDO2 WebAuthn.

Thank you in advance,

@alexandre-k

> Hi @Keeblo,
>
> Thank you for this report. Could you please let me know if you're able to log into your Bitwarden account via the Web App (https://vault.bitwarden.com/#/) using the mobile browser on that device? I'd like to check if that environment supports FIDO2 WebAuthn.
>
> Thank you in advance,

Hello @SergeantConfused,

Since I have the same environment on my Pixel and the last comment is now 2 weeks old, please allow me to reply.
It does not work either with the web application.
I did some research to get further insights, and there is a related issue for Chromium-based browsers:
GrapheneOS/Vanadium#61
Apparently the CredentialProviderService for FIDO2 should be used:
https://developer.android.com/reference/androidx/credentials/provider/CredentialProviderService

Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).

@netboy3

netboy3 commented Jan 25, 2024

> Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).

As I stated in my previous comment, Android currently has issues with CTAP2 support and does not fail-over to U2F. There's a much more functional workaround: Use ykman to disable FIDO2 on the NFC interface in your Yubikey (make sure to keep U2F enabled). This will allow Bitwarden to use U2F with your Yubikey. I've done this a while back and my Yubikey 5 works just fine for Bitwarden 2FA using NFC on my GrapheneOS Pixel 8 pro.

@alexandre-k

> > Additionally for anyone looking at this issue, the work-around I have found is adding an OTP in the vault so that I can get the code through my laptop and enter it on the Bitwarden app on the smartphone (inconvenient at first but after that, we can use the fingerprint or pin to authenticate).
>
> As I stated in my previous comment, Android currently has issues with CTAP2 support and does not fail-over to U2F. There's a much more functional workaround: Use ykman to disable FIDO2 on the NFC interface in your Yubikey (make sure to keep U2F enabled). This will allow Bitwarden to use U2F with your Yubikey. I've done this a while back and my Yubikey 5 works just fine for Bitwarden 2FA using NFC on my GrapheneOS Pixel 8 pro.

I see. Just tried, it didn't work for me on my Pixel 6a / GrapheneOS / Android 14. The services I enabled:

ykman config nfc -l      
FIDO U2F
OATH
PIV
OpenPGP
YubiHSM Auth

My test browser is Vanadium, a Chromium-based browser.

Did you enable Google Play services?
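
Added example, not part of the thread and not Bitwarden or Yubico code: the ykman workaround discussed above, with a check of the resulting NFC application list like the one just posted. The helper name `check_nfc_apps` is hypothetical, and the `FIDO2` label in the list output is an assumption based on ykman's application names.

```shell
#!/bin/sh
# The workaround from the thread, run on a computer with the key attached:
#   ykman config nfc --disable FIDO2    # leaves FIDO U2F enabled over NFC
#   ykman config nfc --list             # prints one enabled application per line
# To check a real key:  ykman config nfc --list | check_nfc_apps

# check_nfc_apps (hypothetical helper): reads the enabled-application list on
# stdin and compares it with the U2F-only state the workaround aims for.
#   returns 0  FIDO U2F enabled and FIDO2 disabled (workaround applied)
#   returns 1  FIDO2 still enabled on the NFC interface
#   returns 2  FIDO U2F missing, so no FIDO protocol is left over NFC
check_nfc_apps() {
    u2f=0
    fido2=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace (the pasted list has trailing spaces).
        app=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$app" in
            "FIDO U2F") u2f=1 ;;
            "FIDO2")    fido2=1 ;;   # assumed label for the FIDO2 application
        esac
    done
    if [ "$fido2" -eq 1 ]; then
        return 1
    fi
    if [ "$u2f" -ne 1 ]; then
        return 2
    fi
    return 0
}

# Constructed sample: the application names listed in the comment above.
sample='FIDO U2F
OATH
PIV
OpenPGP
YubiHSM Auth'

if printf '%s\n' "$sample" | check_nfc_apps; then
    echo "NFC interface is U2F-only: workaround applied"
else
    echo "NFC interface does not match the U2F-only workaround"
fi
```

A return of 0 only confirms the key's configuration; as the later comments show, the browser side still depends on what provides WebAuthn on the device.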

@netboy3

netboy3 commented Jan 26, 2024

I have Google-Play-Services/GSF sandboxed installed and use Brave as default browser (so WebAuthn redirects through Brave).

@alexandre-k

I see. I don't have it installed. Is Google Play a mandatory dependency? I thought it was not.
On KeepassDX an external driver available on Gitlab is used to make it work with a Yubikey (and potentially other keys, apparently the Solokey). It works well, just tried it.

@netboy3

netboy3 commented Jan 27, 2024

It shouldn't, but I can't verify if there's a dependency as I have to run a few apps that require GSF/Play (unfortunately). Other than that, it works well (just used it this morning). I might be able to set up a new profile over the weekend without GSF and see if it works.

@netboy3

netboy3 commented Jan 27, 2024

I just tested it out in a new profile and unfortunately it depends on GSF/Play. Without it, both Vanadium and Brave break on trying to authenticate on webauthn.io. Once the Sandboxed services are installed, both Vanadium and Brave work flawlessly on both webauthn.io and (set up as default browser respectively) on WebAuthn redirect from the Bitwarden app.

@alexandre-k

@netboy3
I see, thank you for your feedback. So conclusion:

  • With Google Play Service: OK
  • Without Google Play Service: Not implemented

Therefore it doesn't work properly, given that Google Play Services is not a mandatory dependency (F-Droid version).

@vvolkgang
Member

Issue migrated to bitwarden/mobile#2922
