Webauthn 2FA not working in Android app #2209

Open
opened 2025-11-26 23:11:50 -06:00 by GiteaMirror · 20 comments

Originally created by @GuidoCHLM on GitHub (Apr 9, 2025).

Steps To Reproduce

  1. Provide Master Password and Login
  2. For 2FA select webauthn
  3. Choose NFC device to get key (Yubikey 5C in my case)
  4. Place the NFC key on the back of the phone
  5. Continue to auth 2FA
  6. You get an error "An error has occurred"

Bitwarden: 2025.3.0
Android 14
Device Oneplus 9 Pro

Same Yubikey works perfectly fine for 2FA webauthn on Windows client

Expected Result

Webauthn 2FA working on Android device

Image

Actual Result

Webauthn 2FA not working on latest Android client

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.3.0

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

No response

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug-passkeyapp:password-managerbug labels 2025-11-26 23:11:50 -06:00

@S-Kakar commented on GitHub (Apr 9, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: PM-20049


@GuidoCHLM commented on GitHub (Apr 9, 2025):

Thank you, in case of any help to track the error Chrome version is 135.0.7049.38


@abergs commented on GitHub (Apr 9, 2025):

I'll take a look. Did it work on the previous version of the android app for you?


@GuidoCHLM commented on GitHub (Apr 9, 2025):

Hey, thanks for looking into this.

No, it didn't work with previous version either. I even tried installing ver 2024.10 using the apk and that one didn't work either.


@tinfever commented on GitHub (Apr 10, 2025):

I've been having the same issue for at least several weeks.

Steps to reproduce:

  1. Enter Master Password and click "Log in with master password"
  2. Authenticate WebAuthn window appears. Click "Launch WebAuthn"
  3. Vault.bitwarden.com FIDO2 WebAuthn page opens in browser. Click button for "Authenticate WebAuthn"
  4. Nothing happens but now the button that used to say "Authenticate WebAuthn" says "Return to app".
  5. Click "Return to app"
  6. Sometimes it takes me back to step 2 with no error. Sometimes it says "An error has occurred. We were unable to process your request. Please try again or contact us."

Pixel 7 Pro
GrapheneOS
Bitwarden App Version: 2025.3.0
Android 15


@abergs commented on GitHub (Apr 11, 2025):

@GuidoCHLM @tinfever Thanks for your participation in this. I could repro this on Android 14 yesterday, but after allowing overnight automatic updates (especially on chrome), the flow works without a hitch.

I'm on Chrome 135.0.7049.79. Running an older chrome, e.g. 122 does still produce a similar error to what you are reporting.


@GuidoCHLM commented on GitHub (Apr 11, 2025):

Hi @abergs ,

I updated to Chrome 135.0.7049.79, but still seeing the issue. Will keep an eye on it.

I additionally tried authenticating directly from phone's Chrome (135.0.7049.79) and it also failed. Still with a slightly different error:

Image


@Ryan0188 commented on GitHub (Apr 13, 2025):

I was also having this issue. I needed to update either or both "Security update" and "Google Play system update" via Security and privacy>Updates. Bitwarden also needs to be on in General management>Passwords, passkeys and autofill. After entering my master password I now get the passkey pop up where I can touch More saved sign-ins>Show QR code>NFC security key.

Galaxy S21 5G
One UI 6.1
Android 14
Google Play system update 1 March 2025
Android security patch level 1 February 2025
Chrome 135.0.7049.79
Bitwarden App Version: 2025.3.0


@tinfever commented on GitHub (Apr 13, 2025):

@abergs Thank you! I installed Chrome (135.0.7049.79), set it as my default browser, and was able to get my Yubikey to work for 2FA.


@matt8833 commented on GitHub (Apr 14, 2025):

Same issue for me with a S23 Ultra. Chrome/Google Play was already up-to-date. What worked was the Chrome/Bitwarden autofill setting as noted above. But now, each time, I need to select the QR code option first (for some reason) before I get offered the NFC/USB key prompt as previous. Definitely seems like something changed in Android/Chrome that Bitwarden needs to adapt to.


@kimdre commented on GitHub (May 31, 2025):

I also have this issue with the latest version.
OnePlus 12 with Android 15
WebAuthn neither works with Chrome, nor with Brave Browser.
I'm completely locked out of my Bitwarden account on my phone right now. Please fix this ASAP.


@Agenda5347 commented on GitHub (Jun 5, 2025):

Same problem here. Using bitwarden and yubikey on Pixel 6a. Tried updating the pixel's security updates and google play store but still getting the error. Am able to get in using my authenticator app as a backup for now but trying to use webauthn with the yubikey fails through webauthn. FYI I am using firefox focus browser as default.


@gstegm commented on GitHub (Jun 7, 2025):

I also have this issue. WebAuthn does work with device biometrics but not with the Yubikey.
OnePlus 9 Pro
Android 14
Chrome 137.0.7151.72 (default browser)
Bitwarden 2025.5.0

The error message I get is "An error has occurred. NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client"


@fg-cfh commented on GitHub (Jun 7, 2025):

Confirmed for Fairphone 4, Android 13, Chrome 137.0.71251.72, Bitwarden 2025.5.0. Was always unstable on that platform, now not working at all any more.


@abergs commented on GitHub (Jun 7, 2025):

We're looking in to this, but it's not an easy one to replicate.

Just adding a bit of context: I know that for Android 14 it's optional for the OEM to support third party passkey providers, while on Android 15 it's mandatory. Perhaps there is something similar going on with fido2 / security key support that might come in to play in some of these scenarios, but not sure.


@davrot commented on GitHub (Jun 19, 2025):

I have also the NotAllowedError error message. Both with USB-C and NFC on an Ulefone Armor Pad 4 Ultra. Is there a way to help debugging?

I tried my USB-A Yubikey too but this sends me to a Yubikey-Website?


@roberto-sartori-gl commented on GitHub (Jul 2, 2025):

Same issue on Android 15 here, I can't use my Yubikey but the mail 2FA works (but it's less secure, I had to enable it for my phone only).


@zsrv commented on GitHub (Jul 9, 2025):

I also have the NotAllowedError error message on Android 15 (and now 16, after having upgraded) with a YubiKey 5C NFC and a SoloKey 2. Google Play Services crashed with an error message (see https://github.com/GrapheneOS/os-issue-tracker/issues/5740):

```
osVersion: google/bluejay/bluejay:15/BP1A.250505.005/2025062700:user/release-keys
userType: full.secondary
package: com.google.android.gms:251833035, targetSdk 36
sharedUid: com.google.uid.shared
process: com.google.android.gms.ui
processUptime: 1241098 + 245 ms
installer: app.grapheneos.apps
GmsCompatConfig version: 158

java.lang.IllegalArgumentException: Short encoding mandated, but APDU has more than 255 bytes of data
	at bhyb.a(:com.google.android.gms@251833035@25.18.33 (260400-756823100):147)
	at bhxz.d(:com.google.android.gms@251833035@25.18.33 (260400-756823100):1)
	at bhux.h(:com.google.android.gms@251833035@25.18.33 (260400-756823100):225)
	at bhux.g(:com.google.android.gms@251833035@25.18.33 (260400-756823100):1)
	at bhux.i(:com.google.android.gms@251833035@25.18.33 (260400-756823100):11)
	at bjbc.run(:com.google.android.gms@251833035@25.18.33 (260400-756823100):123)
	at ayaz.c(:com.google.android.gms@251833035@25.18.33 (260400-756823100):50)
	at ayaz.run(:com.google.android.gms@251833035@25.18.33 (260400-756823100):70)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
	at aygn.run(:com.google.android.gms@251833035@25.18.33 (260400-756823100):8)
	at java.lang.Thread.run(Thread.java:1119)
	Suppressed: fqwa: 
```
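
The exception message in the trace above refers to ISO 7816-4 APDU length encoding. The following is an added illustration, not part of the thread and not Google Play Services code: it shows why a data field over 255 bytes cannot be sent as one short APDU, and the two standard ways to carry it (extended length, or command chaining). Function names, the sample header bytes `0x80`/`0x10` and the 300-byte payload are constructed for the example, and the Le field is omitted for brevity.

```python
# Added illustration: ISO 7816-4 command APDU length encoding.
# Function names and the sample payload are hypothetical/constructed.

SHORT_MAX = 255       # short form: Lc is a single byte (1..255)
EXTENDED_MAX = 65535  # extended form: Lc is 0x00 plus a two-byte length


def encode_apdu(cla, ins, p1, p2, data=b"", extended=False):
    """Encode a command APDU carrying data and no Le field (simplification)."""
    header = bytes([cla, ins, p1, p2])
    if not data:
        return header
    if extended:
        if len(data) > EXTENDED_MAX:
            raise ValueError("data exceeds extended APDU limit")
        return header + b"\x00" + len(data).to_bytes(2, "big") + data
    if len(data) > SHORT_MAX:
        # The condition the reported exception message describes.
        raise ValueError("short encoding mandated, but data exceeds 255 bytes")
    return header + bytes([len(data)]) + data


def chain_short(cla, ins, p1, p2, data, chunk=SHORT_MAX):
    """Split data over short APDUs with ISO 7816-4 command chaining:
    CLA bit 0x10 is set on every fragment except the last."""
    if not 1 <= chunk <= SHORT_MAX:
        raise ValueError("chunk must fit a short APDU")
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    last = len(pieces) - 1
    return [encode_apdu(cla if i == last else cla | 0x10, ins, p1, p2, piece)
            for i, piece in enumerate(pieces)]


def reassemble(fragments):
    """Receiver side: strip header and Lc from short fragments, join the data."""
    return b"".join(f[5:5 + f[4]] for f in fragments if len(f) > 4)


if __name__ == "__main__":
    payload = bytes(range(256)) + bytes(44)  # constructed 300-byte message
    try:
        encode_apdu(0x80, 0x10, 0x00, 0x00, payload)
    except ValueError as exc:
        print("short:", exc)
    ext = encode_apdu(0x80, 0x10, 0x00, 0x00, payload, extended=True)
    print("extended:", len(ext), "bytes, Lc field", ext[4:7].hex())
    for frag in chain_short(0x80, 0x10, 0x00, 0x00, payload):
        print("fragment: CLA", hex(frag[0]), "Lc", frag[4])
```

Whether a given authenticator and NFC stack accept extended length or require chaining depends on what each side advertises, which is the kind of mismatch worth checking when collecting debug information for a report like this one.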

@zsrv commented on GitHub (Jul 20, 2025):

Perhaps this is relevant? https://support.nitrokey.com/t/nitrokey-3a-fails-to-work-on-grapheneos-when-using-googles-fido-library/4532

@fuchs-julian commented on GitHub (Nov 11, 2025):

On my side a slightly different behaviour occurs.
After entering master password, I click "WebAuthnを起動" (Launch WebAuthn) and a redirect to chrome inside bitwarden app happens. I guess the blue box should be a button but it is not pressable.
Screenshot_20251111-083250.png

Everything works fine on mobile chrome app and pc as well.

Android 16
security patch: 2025/10
playstore system update: 2025/10
Chrome 142.0.7444.138
Bitwarden Version: 2025.10.1 (20867)
🧱 commit: bitwarden/android/release/2025.10-rc37@74b9a12e19e07b60271a1141d3a95f7919811ea4


Reference: github-starred/android#2209