Not possible to store a YubiKey OTP in the user Account Settings #1856

Closed
opened 2026-04-06 02:29:04 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @zucht on 12/17/2022

Subject of the issue

After following the steps in the Vaultwarden Wiki on how to obtain a Client ID and Secret Key at Yubico and setting those values as environment variables for the docker container (https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication) I still can't register any YubiKey in Vaultwarden. When trying to do so, after touching the gold contact of the YubiKey at one of the YubiKey fields in user account settings, a red error notification is given:

Invalid YubiKey OTP provided.

Tested it with multiple YubiKeys (2x YubiKey 5 NFC and 2x YubiKey 5C NFC)

The error is also logged in the logfile:

[2022-12-17 12:46:21.330][request][INFO] PUT /api/two-factor/yubikey
[2022-12-17 12:46:21.402][error][ERROR] Invalid Yubikey OTP provided.
[CAUSE] Network(
    reqwest::Error {
        kind: Builder,
        source: RelativeUrlWithoutBase,
    },
)
[2022-12-17 12:46:21.403][response][INFO] (activate_yubikey_put) PUT /api/two-factor/yubikey => 400 Bad Request

The YubiKey OTP DEMO site validates all my keys successfully:

{
  "otp": "xxx",
  "nonce": "xxx",
  "serial": xxx,
  "sl": "100",
  "status": "OK",
  "t": "2022-12-17T12:51:00Z0068"
}

I've found the given error in the source code of yubikey.rs at an if/then statement at line 150. The statement looks to accept a string whose total length is only 12 characters, while in fact a YubiKey OTP is a 44-character string where the first 12 characters remain constant (https://developers.yubico.com/OTP/OTPs_Explained.html).

If, for testing purposes, I enter only the first 12 characters of my YubiKey OTP in the field, the value is stored in the settings. However, this causes YubiKey 2FA login for Vaultwarden to always fail.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.26.0
  • Web-vault version: v2022.10.0
  • Running within Docker: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********.*****.**",
  "domain_origin": "*****://*********.*****.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "***",
  "duo_ikey": "***",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": null,
  "smtp_from": "*******@*****.***",
  "smtp_from_name": "***",
  "smtp_host": "****.*****.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*******",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "***",
  "yubico_secret_key": "***",
  "yubico_server": ""
}

Steps to reproduce

  1. Follow steps "Enabling Yubikey OTP authentication" in Vaultwarden Wiki.
  2. After logging in to the Bitwarden Web Vault, go to Account Settings.
  3. Select Security > Two-step login > YubiKey OTP Security Key > Manage.
  4. Enter Master Password and click Continue.
  5. Highlight the first "YubiKey 1" field, insert the YubiKey and press the gold contact of the YubiKey.

Expected behaviour

Possible to store the YubiKeys as 2FA for Vaultwarden in the user account settings by just touching the gold contact.

Actual behaviour

Not possible to use YubiKey as MFA in Vaultwarden.

Troubleshooting data

[Screenshot: 20221204 (https://user-images.githubusercontent.com/11066331/208245006-4e6674d0-1834-4771-bc28-1de6b5f68a2d.png)]
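The exchange the report is about, as an added example that is not Vaultwarden's code and not the reporter's: split a 44-character modhex OTP into the 12-character public ID (the part a server keeps per registered key) and the 32-character encrypted token, sign a YubiCloud verification request, and check the signed reply. The HMAC-SHA1-over-sorted-parameters scheme and the 12+32 layout follow Yubico's validation protocol and the "OTPs Explained" page linked above; the client ID, API key, OTP, nonce and server reply are constructed so it runs offline, and the function names are this example's own. It also refuses a server setting that is not an absolute URL before any request is built: `RelativeUrlWithoutBase` in the log is what reqwest reports when the URL it is handed has no scheme or host, and the diagnostics above show `"yubico_server": ""`, so that setting is the first thing worth checking on a deployment that fails this way.

```python
"""Added example (not Vaultwarden's code): YubiKey OTP parsing and a
YubiCloud-style verification exchange, signed and checked with HMAC-SHA1.
All identifiers, keys, OTPs and the server reply below are constructed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

MODHEX = "cbdefghijklnrtuv"          # the 16-letter alphabet YubiKey OTPs use
PUBLIC_ID_LEN = 12                   # constant prefix identifying the key
OTP_LEN = 44                         # public ID + 32-char encrypted token (YubiCloud keys)
DEFAULT_VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# Constructed credentials; real ones come from Yubico's API key signup page.
CLIENT_ID = "12345"
SECRET_KEY_B64 = base64.b64encode(b"example-secret-key-0").decode()
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded"   # constructed


def split_otp(otp):
    """Return (public_id, token). A bare 12-char value is a public ID, not an
    OTP, and cannot be verified, so reject it with a distinct message."""
    otp = otp.strip()
    if len(otp) == PUBLIC_ID_LEN:
        raise ValueError("got a 12-char public ID, not a full 44-char OTP")
    if len(otp) != OTP_LEN:
        raise ValueError(f"OTP must be {OTP_LEN} modhex chars, got {len(otp)}")
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("OTP contains non-modhex characters")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def validation_server_url(server=""):
    """Empty means the public YubiCloud. Anything else must be an absolute
    URL; a relative value would make the HTTP client fail before sending."""
    if not server:
        return DEFAULT_VERIFY_URL
    parts = urlsplit(server)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"yubico server must be an absolute URL, got {server!r}")
    return server


def sign(params, secret_key_b64):
    """Protocol 2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by key and
    joined with '&', excluding 'h', keyed with the base64-decoded API key."""
    key = base64.b64decode(secret_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(otp, client_id, secret_key_b64, server="", nonce=None):
    """Return (public_id, nonce, url) for a signed verification GET."""
    public_id, _token = split_otp(otp)
    nonce = nonce or secrets.token_hex(16)       # 16..40 alphanumeric chars
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign(params, secret_key_b64)
    return public_id, nonce, validation_server_url(server) + "?" + urlencode(params)


def check_verify_response(body, secret_key_b64, expected_otp, expected_nonce):
    """Parse the key=value reply, verify its HMAC, and confirm it answers our
    OTP and nonce. True only for an authentic reply with status=OK."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    if "h" not in fields or "status" not in fields:
        return False
    if not hmac.compare_digest(fields["h"], sign(fields, secret_key_b64)):
        return False            # forged or tampered reply
    if fields.get("otp") != expected_otp or fields.get("nonce") != expected_nonce:
        return False            # reply to some other request (replay)
    return fields["status"] == "OK"


def fake_server_reply(otp, nonce, secret_key_b64, status="OK"):
    """Constructed stand-in for the validation server so the example is offline."""
    fields = {"t": "2022-12-17T12:51:00Z0068", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(fields, secret_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"


if __name__ == "__main__":
    public_id, nonce, url = build_verify_request(SAMPLE_OTP, CLIENT_ID, SECRET_KEY_B64)
    print("public ID to store:", public_id)
    print("verify URL:", url)
    reply = fake_server_reply(SAMPLE_OTP, nonce, SECRET_KEY_B64)
    print("authentic reply accepted:",
          check_verify_response(reply, SECRET_KEY_B64, SAMPLE_OTP, nonce))
    tampered = reply.replace("status=OK", "status=REPLAYED_OTP")
    print("tampered reply accepted:",
          check_verify_response(tampered, SECRET_KEY_B64, SAMPLE_OTP, nonce))
```

The nonce and OTP checks on the reply matter as much as the HMAC: a signed reply for a different request is still a valid signature, so a verifier that only checks `h` can be fed an old `status=OK` response.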

Reference: github/vaultwarden#1856