FIDO2 WebAuthn in Vanadium + Bitwarden

DeletedUser370

Glacial2 From reading your post, I gather that you want to use a physical security key.

When you get to the prompt for Bitwarden in Vanadium, select 'Weiter' (Continue) and unlock your vault. If you have no passkey for bitwarden.com/.eu saved in Bitwarden (which I assume you haven't), you will then be forwarded to the desired screen.

Glacial2

p338k Are you trying to use a Bitwarden passkey to access your Bitwarden account? I believe Bitwarden disallows that.
DeletedUser370 From reading your post, I gather that you want to use a physical security key.

I'm trying to log into my Bitwarden account using a physical security key as 2FA. Passkeys as login method are disabled for my Bitwarden account.

DeletedUser370 When you get to the prompt for Bitwarden in Vanadium, select 'Weiter' (Continue) and unlock your vault.

I'm trying to unlock my vault with a physical key as 2FA in the first place. Open Bitwarden App -> enter password -> forwarded to WebAuthn -> Prompt to unlock Bitwarden -> select 'Weiter' -> back to Bitwarden App -> enter password -> forwarded to WebAuthn -> ....

Fog-Nearby

Glacial2 Try reversing the steps: log into BitWarden first and then set it as your default password manager in Settings. ETA: Reread your post and see that you did this.

I recently switched to BitWarden and have noticed it displays inside the Android passkey prompt (your first screenshot) anytime I want to use a hardware key. I use Vanadium. I have to click through it and authenticate into BitWarden just for it to tell me that no passkeys are found. Only then, do I get the option for NFC/USB hardware key. It works, albeit with a few unnecessary steps.

DeletedUser370

Glacial2 As stated in my first post that works.

As silly as it may sound to you, that was not at all clear to me.

Fog-Nearby I recently switched to BitWarden and have noticed it displays inside the Android passkey prompt (your second screenshot) anytime I want to use a hardware key.

Bitwarden does not immediately announce to Play Services whether or not it has stored a passkey for the service the user wants to authenticate towards. Only after the authenticator (Bitwarden) announces to Play Services that it has no passkey stored does Play Services redirect the user to a FIDO selection UI. Users of Proton Pass are not seeing this behaviour because Proton chooses to announce the presence of passkeys without the user having to authenticate.

Play Services tends to prioritize cloud synced passkeys. It has a confusing authentication UI.

DeletedUser370

Oh, so you are actually pressing 'Weiter' in the dialogue, which then causes a loop? And you are trying to sign in to the app? Then try disabling Bitwarden in Settings > Passwords, passkeys and autofill and try again.

Glacial2

Glacial2 ... OR Vanadium as default Browser-App and Bitwarden password manager disabled. It lets me choose another device for authentication (e.g. NFC/USB security key).

DeletedUser370 Then try disabling Bitwarden in Settings > Passwords, passkeys and autofill and try again.

As stated in my first post that works. I just think it's hilarious to have to disable my password manager in order to log into my password manager.
Also, this step is unnecessary when using Firefox/Brave/Edge instead of Vanadium.

Fog-Nearby

Glacial2 Is this the expected/intended behavior? Does this also happen with other password managers + Vanadium?

Ran out of time to edit my first post—
I moved to BitWarden from Proton Pass, and Proton Pass did not do this. With Proton Pass as the default password manager, I would get the standard Android passkey prompt (your second screenshot) in Vanadium.

Glacial2

Fog-Nearby With Proton Pass as the default password manager, I would get the standard Android passkey prompt (your second screenshot) in Vanadium.

So it might be Bitwarden instead of Vanadium causing this. Or a combination of both since it works with other browsers =\

Glacial2

DeletedUser370 Bitwarden does not immediately announce to Play Services whether or not it has stored a passkey for the service the user wants to authenticate towards.

But using other browser than vanadium correctly recognize that there is no relevant key (or that bitwarden is unavailable?) and display a prompt to choose another device immediately.

Fog-Nearby

DeletedUser370 Bitwarden does not immediately announce to Play Services whether or not it has stored a passkey for the service the user wants to authenticate towards. Only after the authenticator (Bitwarden) announces to Play Services that it has no passkey stored does Play Services redirect the user to a FIDO selection UI. Users of Proton Pass are not seeing this behaviour because Proton chooses to announce the presence of passkeys without the user having to authenticate.

Play Services tends to prioritize cloud synced passkeys. It has a confusing authentication UI.

Thank you for this information. This explains the behavior, at least in Vanadium. As an aside, also thank you @DeletedUser370 for all your past contributions on this forum regarding hardware keys. Before I switched to GOS, I researched hardware keys extensively as they are very important to me. Your long form post on the subject from several months ago helped tremendously.

DeletedUser370

Glacial2 But using other browser than vanadium correctly recognize that there is no relevant key (or that bitwarden is unavailable?) and display a prompt to

And do these other browsers have third-party passkey manager support? If so, in those other browsers, do you get the Bitwarden passkey prompt when you attempt to sign in with a passkey to a site where you do have a passkey stored in Bitwarden?

Vanadium 123.0.6312.80.1 implemented Chromium's new autofill implementation early, which is what enabled Vanadium to add third-party passkey manager support by default. In contrast to Chrome and likely other Chromium-based browsers, which require the user to change browser flags manually: https://bitwarden.com/help/storing-passkeys/#tab-android-3XutklkReT3Gw0l1qHhBem

What the situation is in Firefox, I don't know.

Glacial2

DeletedUser370 And do these other browsers have third-party passkey manager support?

I just tried enabling it in Brave and indeed I get the same result as with Vanadium going into an endless loop. I didn't know about any of this so thanks for your information so far.

Would this be considered a bug in Bitwarden? Could/Should they selectively announce to Play Services that there is no passkey when trying to log into their own App?

Edit: too slow =)

DeletedUser370

I have now tested this, and I can replicate the behaviour with both Vanadium and Brave (after having set the appropriate flag in Brave to enable third-party passkey manager support). Not tested in other browsers.

Steps:

Have a security key registered for your Bitwarden account
Make sure Bitwarden is selected as the preferred service in Settings > Passwords, passkeys and autofill
Clear data for the Bitwarden app (assuming it is already installed and you are signed in)
Try to sign in to either the Bitwarden app or vault.bitwarden.com/.eu
Observe that you are redirected to the Bitwarden app.

The way I see it, the Chromium autofill implementation is doing exactly what it is designed to do: it is redirecting the user to the preferred passkey manager.

If Play Services had implemented a UI that gave users the additional option of using a security key or a different device, instead of defaulting to on-device and preferred cloud synced passkey managers without any other choice, this behaviour would not occur.

DeletedUser370

Glacial2 Would this be considered a bug in Bitwarden? Could/Should they selectively announce to Play Services that there is no passkey when trying to log into their own App?

That would be a question for Bitwarden support, I imagine. But a feature request may also be beneficially directed towards Google, because the root cause appears to be their silly UI which is lacking in user choice.

Thank you for giving attention to the behaviour. I will be adding this to my FIDO summary text, which I'll be updating anyway, primarily to emphasize that GrapheneOS with Sandboxed Google Play has near-feature parity with stock PixelOS in regards to FIDO.

Fog-Nearby

DeletedUser370 @Glacial2
Wanted to briefly come back to this thread to mention I have updated to the new Bitwarden native Android app and I no longer have to first unlock the Bitwarden vault for it to tell me no passkeys exist. It’s now identical to the UX of when I used Proton Pass as my password manager.
The flow with the new native Bitwarden app, logging into proton.me in Vanadium, as an example:

Bitwarden (v2024.8.1) is set as the default password manager on device
Proton login page loads, BW autofills UID/PWD, tap ‘Sign in’
Hit Proton’s 2FA page, choose security key, tap ‘Authenticate’
The standard Android passkey prompt displays telling me that no passkeys exist on this device, and I’m immediately able to tap ‘Use a different device’
Can then choose either NFC or USB security for my Yubikey

Nice.