Windows Yubikey 2fa time-out on Windows Client #252

New Issue

MrUnknownDE · 2026-04-05T20:43:37+02:00

MrUnknownDE commented

2026-04-05 20:43:37 +02:00

Originally created by @tanpro260196 on 12/4/2025

Prerequisites

I have searched the existing Closed AND Open Issues AND Discussions
I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.34.3
Web-vault version: v2025.7.0
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: SQLite
Database version: 3.50.2
Uses config.json: true
Uses a reverse proxy: true
IP Header check: true (X-Forwarded-For)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: false

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not
Header: 'content-security-policy' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials,ssh-key-vault-item,ssh-agent,extension-refresh,inline-menu-positioning-improvements,inline-menu-totp,export-attachments,mutual-tls",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Teararia",
  "invitations_allowed": false,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "96009",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Nginx Proxy Manager Plus 2025-05-07-r1

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04

Clients

Desktop

Client Version

Windows 2025.11.2

Steps To Reproduce

New Client Installation (Only on Windows, other client seems to work fine)
Try to login into an account with WebAuthn 2fa
The WebAuthn pop-up never show up, only a loading icon spinning forever.

Expected Result

WebAuthn 2fa works as expected

Actual Result

The WebAuthn pop-up never show up, only a loading icon spinning forever. Vaultwarden server time-out after 30s but the client never stop spinning.

Logs

Timeout in log:
[2025-12-04 09:23:10.730][request][INFO] POST /identity/connect/token
[2025-12-04 09:23:10.733][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-12-04 09:23:10.784][request][INFO] GET /api/accounts/revision-date
[2025-12-04 09:23:10.785][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2025-12-04 09:23:29.130][request][INFO] GET /api/config
[2025-12-04 09:23:29.130][response][INFO] (config) GET /api/config => 200 OK
[2025-12-04 09:23:30.698][request][INFO] GET /api/devices/knowndevice
[2025-12-04 09:23:30.698][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2025-12-04 09:24:10.542][request][INFO] POST /identity/accounts/prelogin
[2025-12-04 09:24:10.543][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-12-04 09:24:10.809][request][INFO] POST /identity/connect/token
[2025-12-04 09:24:10.940][error][ERROR] 2FA token not provided
[2025-12-04 09:24:10.940][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-12-04 09:27:37.208][vaultwarden::api::core::two_factor][INFO] User xxx@xxx.com did not complete a 2FA login within the configured time limit. IP: xxx.xxx.xxx.xxx

Screenshots or Videos

No response

Additional Context

No response

*Originally created by @tanpro260196 on 12/4/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3 * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: false ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY **Failed HTTP Checks:** ```yaml 2FA Connector calls: Header: 'x-frame-options' is present while it should not Header: 'content-security-policy' is present while it should not ``` **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials,ssh-key-vault-item,ssh-agent,extension-refresh,inline-menu-positioning-improvements,inline-menu-totp,export-attachments,mutual-tls", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Teararia", "invitations_allowed": false, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***********************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "96009", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Nginx Proxy Manager Plus 2025-05-07-r1 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04 ### Clients Desktop ### Client Version Windows 2025.11.2 ### Steps To Reproduce 1. New Client Installation (Only on Windows, other client seems to work fine) 2. Try to login into an account with WebAuthn 2fa 3. The WebAuthn pop-up never show up, only a loading icon spinning forever. ### Expected Result WebAuthn 2fa works as expected ### Actual Result The WebAuthn pop-up never show up, only a loading icon spinning forever. Vaultwarden server time-out after 30s but the client never stop spinning. ### Logs ```text Timeout in log: [2025-12-04 09:23:10.730][request][INFO] POST /identity/connect/token [2025-12-04 09:23:10.733][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-12-04 09:23:10.784][request][INFO] GET /api/accounts/revision-date [2025-12-04 09:23:10.785][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2025-12-04 09:23:29.130][request][INFO] GET /api/config [2025-12-04 09:23:29.130][response][INFO] (config) GET /api/config => 200 OK [2025-12-04 09:23:30.698][request][INFO] GET /api/devices/knowndevice [2025-12-04 09:23:30.698][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2025-12-04 09:24:10.542][request][INFO] POST /identity/accounts/prelogin [2025-12-04 09:24:10.543][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2025-12-04 09:24:10.809][request][INFO] POST /identity/connect/token [2025-12-04 09:24:10.940][error][ERROR] 2FA token not provided [2025-12-04 09:24:10.940][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-12-04 09:27:37.208][vaultwarden::api::core::two_factor][INFO] User xxx@xxx.com did not complete a 2FA login within the configured time limit. IP: xxx.xxx.xxx.xxx ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_

MrUnknownDE closed this issue

2026-04-05 20:43:37 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#252