2FA via Email or WebAuthn fails on new app #1063

New Issue

MrUnknownDE · 2026-04-06T01:34:12+02:00

MrUnknownDE commented

2026-04-06 01:34:12 +02:00

Originally created by @fabicodes on 7/8/2024

Subject of the issue

The new native app has problems with the 2FA methods Email and WebAuthn (via Yubikey)

Deployment environment

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.30.5-fda77afc
Web-vault version: v2024.5.1
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Environment settings overridden: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Database type: SQLite
Database version: 3.45.0
Clients used: New Native Beta on Android 15
Reverse proxy and version: nginx/1.24.0
Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********",
  "domain_origin": "*****://**********",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 524288,
  "org_creation_users": "***",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 500000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 180,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 524288,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "50791",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Steps to reproduce

Try to log in using the new native app on Android. First, select WebAuthn where your Yubikey is enrolled. Firefox starts and says it cannot find a passkey for that site, select Security Key via NFC and follow the steps. Then it'll ask you in which app to continue (native or old) - choose native - it'll fail.
Then try the Email 2FA Method, it fails at creating the request to send it

Expected behaviour

2FA works

Actual behaviour

2FA fails

Troubleshooting data

[2024-07-08 20:34:37.025][request][INFO] GET /api/accounts/revision-date
[2024-07-08 20:34:37.040][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-07-08 20:34:47.926][vaultwarden::api::notifications][INFO] Closing WS connection from my-ip-address
[2024-07-08 20:35:11.341][request][INFO] GET /api/config
[2024-07-08 20:35:11.349][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:36:17.878][request][INFO] GET /notifications/hub?access_token=access-token-was-here
[2024-07-08 20:36:17.878][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from my-ip-address
[2024-07-08 20:36:17.879][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-07-08 20:36:17.980][request][INFO] GET /api/accounts/revision-date
[2024-07-08 20:36:17.989][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-07-08 20:36:25.021][request][INFO] GET /api/devices/knowndevice
[2024-07-08 20:36:25.030][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-07-08 20:36:44.256][request][INFO] POST /identity/accounts/prelogin
[2024-07-08 20:36:44.271][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-07-08 20:36:44.565][request][INFO] POST /identity/connect/token
[2024-07-08 20:36:44.929][error][ERROR] 2FA token not provided
[2024-07-08 20:36:44.930][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:36:50.364][request][INFO] GET /api/config
[2024-07-08 20:36:50.364][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:37:18.907][request][INFO] POST /identity/connect/token
[2024-07-08 20:37:19.320][error][ERROR] Webauthn.
[CAUSE] InvalidRPIDHash
[2024-07-08 20:37:19.321][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:37:47.661][request][INFO] POST /identity/connect/token
[2024-07-08 20:37:48.212][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge
[2024-07-08 20:37:48.213][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:38:04.028][request][INFO] POST /identity/connect/token
[2024-07-08 20:38:04.396][vaultwarden::api::core::two_factor::yubikey][ERROR] Invalid Yubikey OTP length
[2024-07-08 20:38:04.398][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-07-08 20:38:20.667][request][INFO] POST /api/two-factor/send-email-login
[2024-07-08 20:38:20.673][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)).
[2024-07-08 20:38:20.675][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity
[2024-07-08 20:38:24.696][request][INFO] POST /api/two-factor/send-email-login
[2024-07-08 20:38:24.697][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)).
[2024-07-08 20:38:24.697][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity
[2024-07-08 20:39:44.657][request][INFO] GET /api/config
[2024-07-08 20:39:44.657][response][INFO] (config) GET /api/config => 200 OK
[2024-07-08 20:40:31.589][vaultwarden::api::core::two_factor][INFO] User my.email@address.com did not complete a 2FA login within the configured time limit. IP: 46.223.163.248

*Originally created by @fabicodes on 7/8/2024*  ### Subject of the issue The new native app has problems with the 2FA methods Email and WebAuthn (via Yubikey) ### Deployment environment ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.30.5-fda77afc * Web-vault version: v2024.5.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.45.0 * Clients used: New Native Beta on Android 15 * Reverse proxy and version: nginx/1.24.0 * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********", "domain_origin": "*****://**********", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 524288, "org_creation_users": "***", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 500000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "**************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 180, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 524288, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "50791", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Steps to reproduce Try to log in using the new native app on Android. First, select WebAuthn where your Yubikey is enrolled. Firefox starts and says it cannot find a passkey for that site, select Security Key via NFC and follow the steps. Then it'll ask you in which app to continue (native or old) - choose native - it'll fail. Then try the Email 2FA Method, it fails at creating the request to send it ### Expected behaviour 2FA works ### Actual behaviour 2FA fails ### Troubleshooting data ``` [2024-07-08 20:34:37.025][request][INFO] GET /api/accounts/revision-date [2024-07-08 20:34:37.040][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2024-07-08 20:34:47.926][vaultwarden::api::notifications][INFO] Closing WS connection from my-ip-address [2024-07-08 20:35:11.341][request][INFO] GET /api/config [2024-07-08 20:35:11.349][response][INFO] (config) GET /api/config => 200 OK [2024-07-08 20:36:17.878][request][INFO] GET /notifications/hub?access_token=access-token-was-here [2024-07-08 20:36:17.878][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from my-ip-address [2024-07-08 20:36:17.879][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2024-07-08 20:36:17.980][request][INFO] GET /api/accounts/revision-date [2024-07-08 20:36:17.989][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2024-07-08 20:36:25.021][request][INFO] GET /api/devices/knowndevice [2024-07-08 20:36:25.030][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2024-07-08 20:36:44.256][request][INFO] POST /identity/accounts/prelogin [2024-07-08 20:36:44.271][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2024-07-08 20:36:44.565][request][INFO] POST /identity/connect/token [2024-07-08 20:36:44.929][error][ERROR] 2FA token not provided [2024-07-08 20:36:44.930][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2024-07-08 20:36:50.364][request][INFO] GET /api/config [2024-07-08 20:36:50.364][response][INFO] (config) GET /api/config => 200 OK [2024-07-08 20:37:18.907][request][INFO] POST /identity/connect/token [2024-07-08 20:37:19.320][error][ERROR] Webauthn. [CAUSE] InvalidRPIDHash [2024-07-08 20:37:19.321][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2024-07-08 20:37:47.661][request][INFO] POST /identity/connect/token [2024-07-08 20:37:48.212][vaultwarden::api::core::two_factor::webauthn][ERROR] Can't recover login challenge [2024-07-08 20:37:48.213][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2024-07-08 20:38:04.028][request][INFO] POST /identity/connect/token [2024-07-08 20:38:04.396][vaultwarden::api::core::two_factor::yubikey][ERROR] Invalid Yubikey OTP length [2024-07-08 20:38:04.398][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2024-07-08 20:38:20.667][request][INFO] POST /api/two-factor/send-email-login [2024-07-08 20:38:20.673][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)). [2024-07-08 20:38:20.675][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity [2024-07-08 20:38:24.696][request][INFO] POST /api/two-factor/send-email-login [2024-07-08 20:38:24.697][vaultwarden::api::core::two_factor::email::_][WARN] Data guard `Json < SendEmailLoginData >` failed: Parse("{\"DeviceIdentifier\":\"device-uuid-replacement\",\"Email\":\"my.email@address.com\",\"MasterPasswordHash\":\"master-password-hash-replacement"}", Error("missing field `email`", line: 1, column: 154)). [2024-07-08 20:38:24.697][response][INFO] (send_email_login) POST /api/two-factor/send-email-login => 422 Unprocessable Entity [2024-07-08 20:39:44.657][request][INFO] GET /api/config [2024-07-08 20:39:44.657][response][INFO] (config) GET /api/config => 200 OK [2024-07-08 20:40:31.589][vaultwarden::api::core::two_factor][INFO] User my.email@address.com did not complete a 2FA login within the configured time limit. IP: 46.223.163.248 ```

MrUnknownDE closed this issue

2026-04-06 01:34:12 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1063