github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-06-10 00:28:29 -05:00
Code Issues 2.2k Packages Projects Releases 127 Wiki Activity

[GH-ISSUE #6295] [PM-30137] Fails to add/use FIDO2 passkey when PIN unlock is enabled under swipe-only device lock #109309

New Issue
Closed
opened 2026-06-06 03:53:55 -05:00 by GiteaMirror · 13 comments
GiteaMirror commented 2026-06-06 03:53:55 -05:00
Owner
Copy Link

Originally created by @eclairevoyant on GitHub (Dec 23, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/6295

Steps To Reproduce

  1. Ensure BW app is set as the primary passkey manager
  2. In BW app, enable PIN unlock (Settings > Account security > Unlock with PIN code toggled on)
  3. Navigate to account management page for an already-saved account in a trusted browser, where the site supports passkey login
  4. Tap "add a passkey" on said site, and accept following prompts
  5. Tap on the desired entry to add the passkey to
    • BW app will request you to type in the PIN
  6. Fill in the PIN, press Submit

Expected Result

Passkey is successfully added

Actual Result

BW shows the error "An error has occurred / Credential operation failed because user could not be verified."

Screenshots or Videos

No response

Additional Context

I tried with typing both the PIN and the master password into that field - neither work.

The same issue also occurs when trying to use the passkey.

This only occurs when PIN unlock is enabled. When I disable it, I can type in my password in the password field and the passkey is successfully added - but this is an onerous workaround.

Build Version

2025.12.0

What server are you connecting to?

Self-host

Self-host Server Version

No response

Environment Details

  • Device: Pixel 10 pro
  • OS version: Android 16

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Originally created by @eclairevoyant on GitHub (Dec 23, 2025). Original GitHub issue: https://github.com/bitwarden/android/issues/6295 ### Steps To Reproduce 1. Ensure BW app is set as the primary passkey manager 1. In BW app, enable PIN unlock (**Settings** > **Account security** > **Unlock with PIN code** toggled on) 1. Navigate to account management page for an already-saved account in a trusted browser, where the site supports passkey login 1. Tap "add a passkey" on said site, and accept following prompts 1. Tap on the desired entry to add the passkey to * BW app will request you to type in the PIN 1. Fill in the PIN, press Submit ### Expected Result Passkey is successfully added ### Actual Result BW shows the error "An error has occurred / Credential operation failed because user could not be verified." ### Screenshots or Videos _No response_ ### Additional Context I tried with typing both the PIN and the master password into that field - neither work. **The same issue also occurs when trying to _use_ the passkey.** This _only_ occurs when PIN unlock is enabled. When I disable it, I can type in my password in the password field and the passkey is successfully added - but this is an onerous workaround. ### Build Version 2025.12.0 ### What server are you connecting to? Self-host ### Self-host Server Version _No response_ ### Environment Details - Device: Pixel 10 pro - OS version: Android 16 ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the app:password-managerbug labels 2026-06-06 03:53:55 -05:00
GiteaMirror commented 2026-06-06 03:53:58 -05:00
Author
Owner
Copy Link

@bitwarden-bot commented on GitHub (Dec 23, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: PM-30137

<!-- gh-comment-id:3685025562 --> @bitwarden-bot commented on GitHub (Dec 23, 2025): Thank you for your report! We've added this to our internal board for review. ID: [PM-30137](https://bitwarden.atlassian.net/browse/PM-30137) [PM-30137]: https://bitwarden.atlassian.net/browse/PM-30137?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
GiteaMirror commented 2026-06-06 03:53:58 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 23, 2025):

What is your server version?

<!-- gh-comment-id:3685050976 --> @pamperer562580892423 commented on GitHub (Dec 23, 2025): What is your server version?
GiteaMirror commented 2026-06-06 03:53:59 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 23, 2025):

The server's irrelevant as this is an issue with the client.

The same issue also occurs when trying to use the passkey.

This only occurs when PIN unlock is enabled. When I disable it, I can type in my password in the password field and the passkey is successfully added - but this is an onerous workaround.

<!-- gh-comment-id:3685070207 --> @eclairevoyant commented on GitHub (Dec 23, 2025): The server's irrelevant as this is an issue with the client. > The same issue also occurs when trying to _use_ the passkey. > > This _only_ occurs when PIN unlock is enabled. When I disable it, I can type in my password in the password field and the passkey is successfully added - but this is an onerous workaround.
GiteaMirror commented 2026-06-06 03:53:59 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 23, 2025):

The server's irrelevant as this is an issue with the client.

The server and the clients also interact. (and there are some recent issues, where that played a role)

I just tried to reproduce your issue. On my end, it works. (2025.12.0, Android 15, BW cloud, tried it on Brave now, and also deactivated biometrics in the BW app to only use the PIN)

BTW, which browser did you use?

<!-- gh-comment-id:3685081612 --> @pamperer562580892423 commented on GitHub (Dec 23, 2025): > The server's irrelevant as this is an issue with the client. The server and the clients also interact. (and there are some recent issues, where that played a role) I just tried to reproduce your issue. On my end, it works. (2025.12.0, Android 15, BW cloud, tried it on Brave now, and also deactivated biometrics in the BW app to only use the PIN) BTW, which browser did you use?
GiteaMirror commented 2026-06-06 03:54:00 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 23, 2025):

For testing purposes, I have disabled my vpn (where my server is located), so the client app cannot even connect to the server - and tested by trying to use an existing passkey. I promise you the server is unrelated.

The browser also does not matter as the authentication step happens within the client.

The site also doesn't matter, as I tried this across multiple sites that use completely different software stacks.

Let's not go in circles here when I've laid out more than enough info to reproduce this - providing irrelevant information will only make it more difficult to find a solution.

<!-- gh-comment-id:3685090885 --> @eclairevoyant commented on GitHub (Dec 23, 2025): For testing purposes, I have disabled my vpn (where my server is located), so the client app cannot even connect to the server - and tested by trying to _use_ an existing passkey. I _promise_ you the server is unrelated. The browser also does not matter as the authentication step happens within the client. The site also doesn't matter, as I tried this across multiple sites that use completely different software stacks. Let's not go in circles here when I've laid out more than enough info to reproduce this - providing irrelevant information will only make it more difficult to find a solution.
GiteaMirror commented 2026-06-06 03:54:00 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 23, 2025):

Let's not go in circles here when I've laid out more than enough info to reproduce this - providing irrelevant information will only make it more difficult to find a solution.

I can understand that you don't want to reveal you're using Vaultwarden.

But this doesn't help anyone. You know you would have to try to reproduce this with an official Bitwarden server for Bitwarden to accept a bug report - Vaultwarden also informs about that (https://github.com/dani-garcia/vaultwarden/wiki/Bitwarden-clients-troubleshooting).

<!-- gh-comment-id:3685115449 --> @pamperer562580892423 commented on GitHub (Dec 23, 2025): > Let's not go in circles here when I've laid out more than enough info to reproduce this - providing irrelevant information will only make it more difficult to find a solution. I can understand that you don't want to reveal you're using Vaultwarden. But this doesn't help anyone. You know you would have to try to reproduce this with an official Bitwarden server for Bitwarden to accept a bug report - Vaultwarden also informs about that (https://github.com/dani-garcia/vaultwarden/wiki/Bitwarden-clients-troubleshooting).
GiteaMirror commented 2026-06-06 03:54:01 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 23, 2025):

Please read my prior statement carefully instead of making assumptions!

For testing purposes, I have disabled my vpn ... so the client app cannot even connect to the server

When PIN unlock is enabled, I cannot add or use passkeys.
When PIN unlock is disabled, I can add and use passkeys.

Hence, the problem is the underlying auth mechanism/interaction between PIN unlock and however the BW client tries to protect passkeys.

Although I laid this out earlier quite clearly, so I assume you're trolling at this point, and I'll wait someone who is actually familiar with this codebase to respond.

<!-- gh-comment-id:3685122992 --> @eclairevoyant commented on GitHub (Dec 23, 2025): Please read my prior statement carefully instead of making assumptions! > For testing purposes, I have disabled my vpn ... so the client app cannot even connect to the server When PIN unlock is enabled, I **cannot** add or use passkeys. When PIN unlock is disabled, I **can** add and use passkeys. Hence, the problem is the underlying auth mechanism/interaction between PIN unlock and however the BW client tries to protect passkeys. Although I laid this out earlier quite clearly, so I assume you're trolling at this point, and I'll wait someone who is actually familiar with this codebase to respond.
GiteaMirror commented 2026-06-06 03:54:01 -05:00
Author
Owner
Copy Link

@rmcdowell-bitwarden commented on GitHub (Dec 23, 2025):

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

I do want to note that @pamperer562580892423 was asking for the server version you are using, as we have had more recent reports from users contacting us who are self-hosting a Vaultwarden server. Vaultwarden's team requests that all users who are experiencing issues to contact them and not use Bitwarden's official support channels: https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#get-in-touch

Thanks!

<!-- gh-comment-id:3685505909 --> @rmcdowell-bitwarden commented on GitHub (Dec 23, 2025): Hi there, I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below. I do want to note that @pamperer562580892423 was asking for the server version you are using, as we have had more recent reports from users contacting us who are self-hosting a Vaultwarden server. Vaultwarden's team requests that all users who are experiencing issues to contact them and not use Bitwarden's official support channels: https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#get-in-touch Thanks!
GiteaMirror commented 2026-06-06 03:54:01 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 23, 2025):

Again, this has nothing to do with the server, I do ask that you read my messages carefully rather than making invalid assumptions. After skimming over the relevant code/PRs, it does not seem like FIDO2 user verification has anything to do with the server as it's just performing local auth.

After testing on another (PIN-unlock) device against the same server that somehow worked, I identified one other difference. The non-working device uses only "swipe" as screen lock, not an actual pin/password to lock the device.

If PIN unlock + swipe screen lock is not a supported usecase, IMO the BW app should provide a better error message.

<!-- gh-comment-id:3685515724 --> @eclairevoyant commented on GitHub (Dec 23, 2025): Again, this has nothing to do with the server, I do ask that you read my messages carefully rather than making invalid assumptions. After skimming over the relevant code/PRs, it does not seem like FIDO2 user verification has anything to do with the server as it's just performing local auth. After testing on another (PIN-unlock) device _against the same server_ that somehow worked, I identified one other difference. The non-working device uses only "swipe" as screen lock, not an actual pin/password to lock the device. If PIN unlock + swipe screen lock is _not_ a supported usecase, IMO the BW app should provide a better error message.
GiteaMirror commented 2026-06-06 03:54:02 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 23, 2025):

It seems adding a device pin and restarting makes the passkeys work again - hence, to reiterate:

If PIN unlock + swipe (i.e. not PIN/password/pattern/...) screen lock is not a supported usecase with FIDO2 auth, IMO the BW app should provide a better error message.

<!-- gh-comment-id:3685581804 --> @eclairevoyant commented on GitHub (Dec 23, 2025): It seems adding a device pin and restarting makes the passkeys work again - hence, to reiterate: **If PIN unlock + swipe (i.e. not PIN/password/pattern/...) screen lock is not a supported usecase with FIDO2 auth, IMO the BW app should provide a better error message.**
GiteaMirror commented 2026-06-06 03:54:02 -05:00
Author
Owner
Copy Link

@SaintPatrck commented on GitHub (Dec 29, 2025):

Hi @eclairevoyant

Thanks for reporting the issue and providing details. This is related to a recent change in our SDK. It is fixed in https://github.com/bitwarden/sdk-internal/pull/628. The fix will be included in an upcoming release of the mobile apps. Apologies for the inconvenience.

<!-- gh-comment-id:3697010212 --> @SaintPatrck commented on GitHub (Dec 29, 2025): Hi @eclairevoyant Thanks for reporting the issue and providing details. This is related to a recent change in our SDK. It is fixed in https://github.com/bitwarden/sdk-internal/pull/628. The fix will be included in an upcoming release of the mobile apps. Apologies for the inconvenience.
GiteaMirror commented 2026-06-06 03:54:02 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Dec 29, 2025):

Thank you for the update and the details!

<!-- gh-comment-id:3697391439 --> @eclairevoyant commented on GitHub (Dec 29, 2025): Thank you for the update and the details!
GiteaMirror commented 2026-06-06 03:54:02 -05:00
Author
Owner
Copy Link

@eclairevoyant commented on GitHub (Feb 3, 2026):

Passkey + vault PIN unlock + swipe device lock works as of app version 2026.1.0 - closing. Thanks again.

<!-- gh-comment-id:3838801413 --> @eclairevoyant commented on GitHub (Feb 3, 2026): Passkey + vault PIN unlock + swipe device lock works as of app version 2026.1.0 - closing. Thanks again.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label app:password-manager bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#109309
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?