mirror of
https://github.com/bitwarden/android.git
synced 2026-06-10 00:28:29 -05:00
[GH-ISSUE #6295] [PM-30137] Fails to add/use FIDO2 passkey when PIN unlock is enabled under swipe-only device lock #77511
Closed
opened 2026-05-19 14:23:05 -05:00 by GiteaMirror
·
13 comments
No Branch/Tag Specified
main
overlay-nav-screen
PM-38808/support-optional-cipher-name
renovate/gh-minor
release/2026.5-rc55
PM-37255/fill-assist-network-layer
release/2026.5-rc53
renovate/major-googlebilling
renovate/fastlane-2.x
release/2026.5-rc54
PM-37255/fill-assist-integration
PM-37255/fill-assist-data-layer
premium-upgrade/pm-37287-totp-premium-cta
PM-37255/consume-fill-assist-rules-data
renovate/lock-file-maintenance
PM-26896-autofill-fix
release/hotfix-v2026.4.1-bwpm
target-sdk-37
agalles/fdroid-only
BWA-99/show-next-totp
BWA-99/add-preview-next-totp-code-setting
sync-min-sdk
release/2026.4-rc51
related-origin-passkey-creation
release/2026.4-rc50
platform/android-breaking-change-detection
innovation-sprint-2026-send-folder
release/2026.3-rc49
PM-34193-vault-lockout
android-collections
llm/add-resolving-sdk-updates-skill
QA-1523/sanity-test-saucelabs
release/2026.3-rc48
release/2026.2-rc47
pr-6572
release/2026.2-rc46
release/2026.1-rc45
PM-30644/added-logs-for-debug
PM-30644/quicktile-nav-not-showing-migration
minor-gradle-updates
release/2026.1-rc42
release/2026.1-rc44
release/2026.1-rc43
PM-28834/set-landscape-on-horizonos-devices
PM-28468/validate-and-navigate-to-vault-migration
PM-20026/force-ltr-passwords-and-codes
release/2025.12-rc41
cmcg/testCoverage
PM-29014/talkback-support-for-passwords
release/2025.12-rc40
BRE-1305/publish_test
accept-user-certs
autofill-permissions
release/2025.11-rc39
PM-22479/check-all-certificates-validate-asset-links
release/2025.10-rc38
agalles/android-latest
retro-agent
PM-27001/skip-account-selection-only-one-exists-cxp
release/2025.10-rc37
agalles/test-1118
release/2025.10-rc36
PM-20593-token-refresh
QA-1126b/adding-native-sanity-test
release/2025.9-rc35
pm-25933/sdk-update-password
release/2025.9-rc34
release/2025.8-rc33
agalles/20250821-release
debug-release-issues
pm-24249-allow-automated-prs-for-sdk-updates
release/2025.8-rc32
release/WORKFLOW-TEST-2025.8-rc28
agalles/20250807release
release/2025.07-rc25
release/hotfix-v2025.7.0-bwa
pm-23311/export-vault-policy-bypass
release/2025.07-rc24
authenticator-pm-sync-flags-issue
release/hotfix-v2025.6.0-bwpm
release/2025.06-rc21
agalles/automate-android-fastlane-patch
release/2025.05-rc20
release/2025.04-rc19
languages/basque
release/2025.03-rc19
update-readme
qrcode/feature
innovation/archive/pm-19153-archive-items
qrcode/2-ui-fields
qrcode/1-page
hold-on-biometric-prompt-alternative
release-notes-process
release/2025.02-rc16
bwa-monorepo
PM-8223/new-device-verification-ux-improvements
pm-18451/exempt-from-policies
test-bwa
release/2025.01-rc15
release/2025.01-rc14
release/2024.12-rc13
pm-16670/sync-leave-notice
821
PM-16695/backport-lean-more-new-device-verification
release/hotfix-v2024.11.7
release/2024.11-rc1
pm-11304/collection-add-item-button
PM-14241/disabling-logs-app-crash
poc/offline-editing
new-version-calc
pm-11649/expired-link-services
pm-6702/add-feature-flag
pm-6702/email-verification-feature
pm-9933/marketing-copy-update
pm-6702/registration-flows
update-templates
pm-6701/email-verification-selfhost-registration
v2026.5.0-bwpm
v2026.5.0-bwa
v2026.4.2-bwpm
v2026.4.1-bwa
v2026.4.1-bwpm
v2026.4.0-bwa
v2026.4.0-bwpm
v2026.3.1-bwa
v2026.3.1-bwpm
v2026.3.0-bwpm
v2026.3.0-bwa
v2026.2.1-bwpm
v2026.2.1-bwa
v2026.2.0-bwpm
v2026.2.0-bwa
v2026.1.1-bwa
v2026.1.1-bwpm
temp-test
v2026.1.0-bwpm
v2026.1.0-bwa
v2025.12.1-bwa
v2025.12.1-bwpm
v2025.12.0-bwa
v2025.12.0-bwpm
v2025.11.1-bwpm
v2025.11.1-bwa
v2025.11.0-bwpm
v2025.11.0-bwa
v2025.10.1-bwa
v2025.10.1-bwpm
v2025.10.0-bwa
v2025.10.0-bwpm
v2025.9.1-bwa
v2025.9.1-bwpm
v2025.9.0-bwa
v2025.9.0-bwpm
v2025.8.1-bwa
v2025.8.1-bwpm
v2025.8.0-bwa
v2025.8.0-bwpm
v2025.7.2-bwa
v2025.7.2-bwpm
v2025.7.1-bwa
v2025.7.1-bwpm
v2025.7.0-bwa
v2025.7.0-bwpm
v2025.6.1-bwpm
v2025.6.0-bwa
v2025.6.0-bwpm
v2025.1.0-bwa
v2025.5.0-bwa
v2025.5.0-bwpm
v2025.5.999
2025.4.0
v2025.4.0
untagged-4731eaadac73f3dfbbb8
v2025.3.0
v2025.2.0
untagged-815a165c5d70ffe75bc7
v2025.1.2
v2025.1.1
v2025.1.0
v2024.12.0
untagged-5a76b6392a4c8998c63a
v2024.11.7
v2024.11.6
v2024.11.5
v2024.11.4
v2024.11.3
v2024.11.2
v2024.11.1
v2024.11.0
v2024.10.2
v2024.10.1
v2024.10.0
v2024.9.0
v2024.8.1
v2024.8.0
v2024.7.3
v2024.7.2
v2024.7.1
v2024.7.0
v2024.6.1
v2024.6.0
v2024.5.1
v2024.4.1
v2024.4.2
v2024.4.0
v2024.3.3
v2024.3.1
v2024.3.0
v2024.2.1
v2024.2.0
v2024.1.1
v2024.1.0
v2023.12.0
v2023.10.0
v2023.9.2
maui-single-project-android
v2023.9.1
v2023.9.0
v2023.8.0
v2023.7.0
v2023.5.0
v2023.4.0
v2023.3.2
v2023.3.1
v2023.3.0
v2023.2.0
v2023.1.0
v2022.11.0
v2022.10.0
v2022.9.1
v2022.9.0
v2022.8.0
v2022.6.2
v2022.6.1
v2022.6.0
v2022.05.0
v2.18.0
v2.17.0
v2.16.4
v2.16.3
v2.16.2
v2.16.1
v2.15.0
v2.14.2
v2.14.1
v2.14.0
v2.13.0
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.1
v2.9.0
v2.8.2
v2.8.1
v2.8.0
v2.7.2
v2.7.0
v2.6.1
v2.6.0
v2.5.6
v.2.5.5
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.8
v2.2.7
v2.2.6
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.22.1
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.4
v1.14.1
v1.14.0
v1.13.0
v1.12.2
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.1
v1.8.0
v1.7.0
v1.6.5
v1.6.1
v1.6.0
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.0
v1.3.0
v1.2.1
v1.2.0
v1.1.0
v1.0.0
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/android#77511
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @eclairevoyant on GitHub (Dec 23, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/6295
Steps To Reproduce
Expected Result
Passkey is successfully added
Actual Result
BW shows the error "An error has occurred / Credential operation failed because user could not be verified."
Screenshots or Videos
No response
Additional Context
I tried with typing both the PIN and the master password into that field - neither work.
The same issue also occurs when trying to use the passkey.
This only occurs when PIN unlock is enabled. When I disable it, I can type in my password in the password field and the passkey is successfully added - but this is an onerous workaround.
Build Version
2025.12.0
What server are you connecting to?
Self-host
Self-host Server Version
No response
Environment Details
Issue Tracking Info
@bitwarden-bot commented on GitHub (Dec 23, 2025):
Thank you for your report! We've added this to our internal board for review.
ID: PM-30137
@pamperer562580892423 commented on GitHub (Dec 23, 2025):
What is your server version?
@eclairevoyant commented on GitHub (Dec 23, 2025):
The server's irrelevant as this is an issue with the client.
@pamperer562580892423 commented on GitHub (Dec 23, 2025):
The server and the clients also interact. (and there are some recent issues, where that played a role)
I just tried to reproduce your issue. On my end, it works. (2025.12.0, Android 15, BW cloud, tried it on Brave now, and also deactivated biometrics in the BW app to only use the PIN)
BTW, which browser did you use?
@eclairevoyant commented on GitHub (Dec 23, 2025):
For testing purposes, I have disabled my vpn (where my server is located), so the client app cannot even connect to the server - and tested by trying to use an existing passkey. I promise you the server is unrelated.
The browser also does not matter as the authentication step happens within the client.
The site also doesn't matter, as I tried this across multiple sites that use completely different software stacks.
Let's not go in circles here when I've laid out more than enough info to reproduce this - providing irrelevant information will only make it more difficult to find a solution.
@pamperer562580892423 commented on GitHub (Dec 23, 2025):
I can understand that you don't want to reveal you're using Vaultwarden.
But this doesn't help anyone. You know you would have to try to reproduce this with an official Bitwarden server for Bitwarden to accept a bug report - Vaultwarden also informs about that (https://github.com/dani-garcia/vaultwarden/wiki/Bitwarden-clients-troubleshooting).
@eclairevoyant commented on GitHub (Dec 23, 2025):
Please read my prior statement carefully instead of making assumptions!
When PIN unlock is enabled, I cannot add or use passkeys.
When PIN unlock is disabled, I can add and use passkeys.
Hence, the problem is the underlying auth mechanism/interaction between PIN unlock and however the BW client tries to protect passkeys.
Although I laid this out earlier quite clearly, so I assume you're trolling at this point, and I'll wait someone who is actually familiar with this codebase to respond.
@rmcdowell-bitwarden commented on GitHub (Dec 23, 2025):
Hi there,
I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.
I do want to note that @pamperer562580892423 was asking for the server version you are using, as we have had more recent reports from users contacting us who are self-hosting a Vaultwarden server. Vaultwarden's team requests that all users who are experiencing issues to contact them and not use Bitwarden's official support channels: https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#get-in-touch
Thanks!
@eclairevoyant commented on GitHub (Dec 23, 2025):
Again, this has nothing to do with the server, I do ask that you read my messages carefully rather than making invalid assumptions. After skimming over the relevant code/PRs, it does not seem like FIDO2 user verification has anything to do with the server as it's just performing local auth.
After testing on another (PIN-unlock) device against the same server that somehow worked, I identified one other difference. The non-working device uses only "swipe" as screen lock, not an actual pin/password to lock the device.
If PIN unlock + swipe screen lock is not a supported usecase, IMO the BW app should provide a better error message.
@eclairevoyant commented on GitHub (Dec 23, 2025):
It seems adding a device pin and restarting makes the passkeys work again - hence, to reiterate:
If PIN unlock + swipe (i.e. not PIN/password/pattern/...) screen lock is not a supported usecase with FIDO2 auth, IMO the BW app should provide a better error message.
@SaintPatrck commented on GitHub (Dec 29, 2025):
Hi @eclairevoyant
Thanks for reporting the issue and providing details. This is related to a recent change in our SDK. It is fixed in https://github.com/bitwarden/sdk-internal/pull/628. The fix will be included in an upcoming release of the mobile apps. Apologies for the inconvenience.
@eclairevoyant commented on GitHub (Dec 29, 2025):
Thank you for the update and the details!
@eclairevoyant commented on GitHub (Feb 3, 2026):
Passkey + vault PIN unlock + swipe device lock works as of app version 2026.1.0 - closing. Thanks again.