mirror of
https://github.com/bitwarden/android.git
synced 2026-03-14 06:04:20 -05:00
Unknown error with FIDO and security key on Android #1348
Closed
opened 2025-11-26 22:45:44 -06:00 by GiteaMirror
·
21 comments
Originally created by @Raul6469 on GitHub (Sep 24, 2021).
Originally assigned to: @mpbw2 on GitHub.
Steps To Reproduce
Prerequisites: have a security key setup on the account (I have a Yubico Security Key)
Expected Result
You get redirected to the app, and login is successful
Actual Result
I get redirected to the app, but still on the "FIDO2 WebAuth" screen, and I get an alert "An error occured". I can retry, but the bug still persists
Screenshots or Videos
No response
Additional Context
I had my YubiKey "migrated from FIDO", maybe that's some relevant information?
My issue reproduces on Firefox and Chrome
Operating System
Android
Operating System Version
7.1.1
Device
Samsung Galaxy J5 2016
Build Version
2.13.0
Beta
@mpbw2 commented on GitHub (Sep 24, 2021):
Hi @Raul6469, we just started seeing this on another device in-house. We also discovered the same error was returned when using the key outside of the app, using the mobile browser to login to the web vault. Can you check if that happens for you as well?
@Raul6469 commented on GitHub (Sep 25, 2021):
Hi @mportune-bw, I checked and I don't get an error. Instead, it continuously asks for the Yubikey. When I scan it, it immediately reopens the Android prompt for the security key, without logging me in. Is it the same behaviour for you? (I tested on Chrome and Firefox)
@mpbw2 commented on GitHub (Sep 27, 2021):
@Raul6469 Thanks for the confirmation - that's exactly what we're seeing too. It seems like some devices don't like the migration key for some reason. If you re-add the key everything should work properly. (You can add the key before deleting the migrated key so you won't have any gaps in 2FA coverage). Let me know if that works.
@schlidel commented on GitHub (Sep 27, 2021):
Just want to report that I'm having similar issues with Yubikey 5c using USB. I've confirmed with other users on Reddit and Bitwarden Community they are having the same "authentication loop" problem.
For us when using Yubikey USB C after tapping "Use security key with USB" in the Google prompts if we don't immediately tap the gold plate on Yubikey we are pushed back to the blue button "Authenticate WebAuthn" page.
This loop will happen indefinitely if you don't tap the Yubikey plate quick enough.
I've removed all Yubikeys from BitWarden and re-added. Problem persists.
@mpbw2 commented on GitHub (Sep 27, 2021):
@schlidel Thanks for the links to the discussions, lots of good info there. The problem you're experiencing seems to be between the browser and its implementation with Google Play Services (which I believe you mentioned you're already aware).
Just FYI you don't have to select the interface type (NFC/USB) when presented with the options. You can just tap or insert/tap and the system will figure it out. I don't experience the same issue with USB that you describe, but perhaps you can bypass it by not selecting USB before inserting the key? Let me know if that changes the behavior for you. If not, it might be worth making sure you're running the latest [everything], including Google Play Services.
@schlidel commented on GitHub (Sep 27, 2021):
@mportune-bw
If I don't select interface type and just tap Yubikey plate I'm prompted about turning Bluetooth on. I have Yubikey 5c so no Bluetooth or NFC. I think Yubikey is attempting to enter Yubico OTP at that point and it's just registering the return key and Bluetooth is the first of the options. I could try disabling Yubico OTP interface and see if that works but that wouldn't be a long time solution for me.
When I select "Use security key with USB" my Yubikey starts rapidly flashing awaiting my input. Before I select interface type it's probably still in keyboard mode.
I must tap use USB and then immediately tap YubiKey. It's the only way for me to get it to work.
Google Play Services: 21.36.14
Chrome: 93.0.4577.82
@Raul6469 commented on GitHub (Sep 28, 2021):
@mportune-bw Re-adding the key into my account worked perfectly, thank you! 👍
@schlidel commented on GitHub (Sep 28, 2021):
@mportune-bw
I'm now able to tap on my Yubikey without pre-selecting the interface option (BT, NFC, etc) as you suggested by waiting to insert my Yubikey until after I've tapped "get started." If my key is already inserted when I tap "get started" the previous mentioned comment from above occurs and the Yubikey is treated as a keyboard until I make the USB selection.
This non selection method makes it even more difficult to log in however. I actually wasn't able to login that way. The method that works consistently well is to plug the Yubikey before tapping Authenticate WebAuthn and then be prepared to go through the authentication steps as fast as possible. If I take my time it never authenticates. Always back to the blue Authenticate WebAuthn page.
Is there a short timeout between hitting "Authenticate WebAuthn" and entering my FIDO credentials that I seem to be in a race against? If I can click Authenticate WebAuthn, Get Started, Use USB security key, and finally tap Yubikey in under 4-5 seconds it works perfect every time.
Edit: I've actually practiced enough times logging in it doesn't even seem an issue any longer. But if I take a more casual/normal pace it still loops or times out. Newer users will run into this just slowing down enough to read the prompts.
@mpbw2 commented on GitHub (Sep 28, 2021):
It sure sounds like it, though it's not intentional and I'm not sure why we don't see the same thing. On my test devices I have a good 30 seconds to take action before it times out.
Does your key have a modified configuration or is it still factory-fresh? I'm thinking maybe the key is sending a character immediately upon activation that is canceling the process before you have time to touch the contact. (I don't know if that's even a thing, but your description makes me think of a HID keyboard sending an unexpected event) For reference I'm using a 5C NFC and the only customization is disabling OTP on the NFC channel per our help docs.
@schlidel commented on GitHub (Sep 28, 2021):
I attempted disabling OTP interface to see if that fixed it. It was one of the earlier suggestions from someone on Reddit.
Curiously, someone posted the new BitWarden blog article about mobile FIDO 2 support today and the screenshot of the WebAuthn page does not look like mine.
In the screenshot there is remember me, cancel, continue, and use another two-step login method below the blue WebAuthn button.
For me, all I have is the blue WebAuthn button. Is that normal?
Here is mine:
And this is what's in the blog article:
@mpbw2 commented on GitHub (Sep 28, 2021):
Is that the only customization on your key?
That's normal; the article screenshot is from the web vault. For mobile, the other controls are in the app, while only the auth button is used to start the webauthn flow.
@schlidel commented on GitHub (Sep 28, 2021):
Ok, I apologize, it's not clear it's the web vault in the article because it is titled, "FIDO2 Security Key Support Enabled for Mobile Clients" and it seems to be published in response to the newly updated mobile clients.
I do see "remember me" and use "alternative 2FA options" in the interstitial app screen. So all functionality appears to be present.
I use static password in slot 2, but disabling OTP interface disables that as well. And while disabled the USB authentication loop problem is persistent.
Honestly, I'm no longer really worried about it. It functions well enough so I'll stop bugging you about it.
Thank you for developing this great service.
@tgreer-bw commented on GitHub (Oct 6, 2021):
@mportune-bw we may want to leave this open if possible, seems others may still have issues:
https://community.bitwarden.com/t/webauthn-fido-authentication-glitch-with-latest-android-app-update/33807/5
@mpbw2 commented on GitHub (Oct 8, 2021):
I've managed to reproduce this on one of my test devices, though not consistently. In the failure cases, the browser is showing "Navigation blocked" in the debug console after successful hardware key validation. Some preliminary research confirms it is indeed a timing issue with user interaction. Some context: This is why the web-based "Authenticate WebAuthn" button is required (to prove that a human started the process). After some time has passed, that button press no longer "counts", and the browser blocks the javascript-based navigation needed to return to the app. As to why the timing seems to be inconsistent, I haven't a clue.
The only consistent workaround I'm seeing is adding a subsequent page to web connector flow containing a button a human can press if the javascript-based navigation fails. Here's an example referenced by others encountering the same issue: https://appauth.demo-app.io/oauth2redirect
I'll give that a whirl and keep this issue updated.
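The fallback-button workaround described in the comment above, sketched as an added example (not code from the Bitwarden web connector or from the commenter). `returnToApp`, the `env` hooks, the callback URI and the 5000 ms activation window are assumptions made for illustration.

```javascript
// Added example, not Bitwarden code. All names and the URI are hypothetical.
// In a real page: navigate = uri => { window.location.href = uri; },
// isHidden = () => document.hidden, schedule = setTimeout.
function returnToApp(env, callbackUri, graceMs = 1500) {
  env.navigate(callbackUri);            // script-driven attempt; may be blocked
  env.schedule(() => {
    if (env.isHidden()) return;         // the app took over, nothing to do
    // Page is still visible: offer a button. Its click is a new user
    // gesture, so the navigation it triggers no longer depends on the old one.
    env.showButton("Return to app", () => env.navigate(callbackUri));
  }, graceMs);
}

// Constructed stand-in for the browser: navigation to the app succeeds only
// within activationMs of the last user gesture (the value is illustrative).
function makeFakeBrowser(activationMs) {
  const b = { now: 0, lastGesture: 0, hidden: false, blocked: 0, button: null, timers: [] };
  b.env = {
    navigate: () => {
      if (b.now - b.lastGesture <= activationMs) b.hidden = true;
      else b.blocked += 1;              // the "Navigation blocked" case
    },
    isHidden: () => b.hidden,
    schedule: (fn, ms) => b.timers.push({ at: b.now + ms, fn }),
    showButton: (label, onClick) => { b.button = { label, onClick }; },
  };
  b.advance = (ms) => {
    b.now += ms;
    const due = b.timers.filter((t) => t.at <= b.now);
    b.timers = b.timers.filter((t) => t.at > b.now);
    due.forEach((t) => t.fn());
  };
  b.press = () => { b.lastGesture = b.now; if (b.button) b.button.onClick(); };
  return b;
}

// The user presses "Authenticate WebAuthn" at t=0; the key ceremony
// finishes keyDelayMs later and the page then tries to return to the app.
function simulate(keyDelayMs, activationMs = 5000) {
  const b = makeFakeBrowser(activationMs);
  b.advance(keyDelayMs);
  returnToApp(b.env, "exampleapp://webauthn-callback?data=PLACEHOLDER");
  b.advance(1500);                      // let the grace timer fire
  const buttonShown = b.button !== null;
  if (buttonShown) b.press();           // human taps the fallback button
  return { blocked: b.blocked, buttonShown, returned: b.hidden };
}
```

`simulate(3000)` models the fast path reported in the thread, and `simulate(20000)` models the slow path where the first navigation is blocked and the button completes the return.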
@yourfishes commented on GitHub (May 16, 2022):
Hi,
I have this issue now.
Phone: Samsung S22
Android version: 12
I have tried to reinstall the app, re-add the yubikey and all different browsers with the same result.
If I try the login on my old samsung s21, I have no issues with the login. The login also works perfect in web vault.
@figadore commented on GitHub (Jun 9, 2022):
Same problem on my Pixel 6, in both the browser and Bitwarden app
I've tried doing the process quickly, but no luck. It looks like a loop with no errors at first, but when you go 'back' when the loop starts over, you see some errors
The symptoms seem the same as above, but since the original issue was closed as fixed, should I create a new issue?
Edit: I had to remove the webauthn key that had the "migrated from FIDO" text and re-add it
@ImprovingRigmarole commented on GitHub (Jul 30, 2022):
Hi,
I recently switched to using webauthn,
and I'm experiencing the exact same on Android 12, Samsung A71.
I'm having the exact same flow of things and errors as https://github.com/bitwarden/mobile/issues/1548#issuecomment-1128076636 and https://github.com/bitwarden/mobile/issues/1548#issuecomment-1151700348.
I also tried many browsers on android, and it always comes back to this "An unexpected error has occured." when using NFC.
Concerning USB, it seems that the Google Play Services prompt actually never tries to read the key, the led blinks really fast for about 1s, and whatever timing I press the button, it always stays stuck on the push the button now screen...
I also tried on https://webauthn.io/ which gives the exact same errors, so it might be caused by Google Play Services thing on Android 12...
@LeonNamowitz commented on GitHub (Sep 21, 2022):
Hey,
I'm having exactly the same problem on my Galaxy S10 running Android 10.
https://webauthn.io/ spits out errors as well here..
@rayone commented on GitHub (Sep 29, 2022):
I have the exact same environment and issues as yourfishes commented on 17 May
Is there a work around?
@andmalc commented on GitHub (Oct 4, 2022):
The solution posted earlier in this thread removing and readding keys marked "migrated from FIDO" worked for me.
@Mag1cByt3s commented on GitHub (Nov 22, 2022):
Since today I have the same issue on my OnePlus 8 Pro running Android 12.
I am running vaultwarden on my local server tho.
I have no idea why this is happening or how to fix it. It only seems to affect my smartphone. On the computer everything works as expected.