Can't login, unable to authenticate yubikey: "An error has occurred. Two-step token is invalid. Try again."

[Opening-Button-8988]

Steps To Reproduce

1. Insert yubikey via USB-C.
2. Open the app
3. Enter email address and password. "Login with master password"
4. Page opens "Authenticate WebAuthn...Continue to complete WebAuthn verification".
5. Click "Launch WebAuthn"
6. Default browser opens vault.bitwarden.com with FIDO2 WebAuthn. Click "Authenticate WebAuthn".
7. Google Passkeys prompt opens. It says "There aren't any passkeys for vault.bitwarden.com on this device" (this is expected). Click "Use a different device".
8. If yubikey is connected in the USB-C port, simply touch the yubikey. Otherwise click "NFC security key" and touch the back of the phone with yubikey.
9. I get switched back to the app, error: "An error has occurred. Two-step token is invalid. Try again."

Expected Result

I expect to be logged in as soon as I authenticate with my yubikey.

Actual Result

Error "An error has occurred. Two-step token is invalid. Try again."

Screenshots or Videos

No response

Additional Context

Issue occurs with F-Droid and Google Playstore (via Aurora Store) builds, and with Vanadium browser and Brave browser. Javascript JIT is enabled.

I'm able to login using the same yubikey on desktop.

Passkey integration over the last few years has negatively impacted the flow for hardware keys. It used to be possible to login with your hardware keys without the Google stack being involved at all - I didn't need to even install Google Services Framework. But ever since Passkeys were introduced, I've experienced nothing but problems when using my hardware keys, more especially on Android but desktop too.

I looked at similar issues on the bitwarden community forum. My phone's time is synced properly, I've rebooted my phone, and no other devices are logged into my account. None of my yubikeys are marked "Migrated from FIDO" under Settings → Security → Two-step login → FIDO2 WebAuthn → “Manage”. I last successfully logged into Bitwarden with this phone in June 2024 (I rarely login to this account).

Build Version

2025.1.2

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

Pixel 7, Android 15.
GrapheneOS build 2025021100 using secondary profile.

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for your report! We've added this to our internal board for review.
ID: PM-18695

[jvroutak]

I seem to have nearly identical issue:

Background:

• Bitwarden on Android working fine for years
• Android app version 2025.1.2, installed via Play Store
• Samsung S22 (Android 14, last updated February 22, security level 1. Feb 2025)
• 2FA with Yubikey
• US server

Steps:

• An application tries to authenticate using passkey in Bitwarden (https://play.google.com/store/apps/details?id=fi.kansalliskirjasto.ekirjasto&hl=fi for what it's worth). This has worked earlier.
• Passkey authentication fails
• I'm forced to log into Bitwarden app again (which is unusual as there hasn't been an update)
• Login fails with similar (but not identical) error: 'Tapahtui virhe. Pyyntöäsi ei voitu käsitellä. Yritä uudelleen tai ota meihin yhteyttä' (translates to 'An error occurred. Your request could not be processed. Try again or contact us'.
• After this, I can't log in to the app
• Retried many times, one time got as far as authenticating with Yubikey NFC, but that failed too even though the Yubikey flow seemed to work
• Clearing app cache didn't help
• Clearing app local storage didn't help
• Reinstalling app didn't help
• Reboot didn't help

Remarks:

• Logging into clean web browser extension works fine (using the same Yubikey)

[jvroutak]

Update: Problem seems to have resolved by itself after waiting a few hours.