Fix Webauthn/Passkey 2FA migration/validation issues #404

Closed
opened 2026-04-05 21:09:45 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @BlackDex on 8/16/2025

  • Applied SecurityKey to Passkey fixes from @zUnixorn

Fix Webauthn/Passkey 2FA migration issues

Because the webauthn-rs v0.3 crate did not know or store new flags currently used in v0.5, some verifications failed.
This mainly failed because of a check whether a key was backed up or not, and whether it was allowed to be.

Most hardware keys like YubiKeys do not have this flag enabled and can't be duplicated or faked via software.

Since the rise of Passkeys, implementations like Bitwarden's own, and other platforms like Android and Apple, use software keys which are shared between devices, and they set these backup flags to true. This broke the login attempts, because the default during the migration was false, and caused an error during validation.

This PR checks for the flags during the response/verification step, and if these flags are true, then searches for the stored key, adjusts its value, and also updates the current challenge state to match, to prevent the first login attempt from failing.

This should not cause any issue, since the credential-id is checked and matched, and only updated when needed.

Fixes #6154
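The flag handling the PR description refers to, shown as an added example that is not vaultwarden's or webauthn-rs's code. It parses the BE (backup eligible, bit 3) and BS (backup state, bit 4) bits from the `flags` byte of raw WebAuthn authenticator data, which sits right after the 32-byte rpIdHash, and then reconciles a stored credential whose backup flags were defaulted to `false` by the v0.3 to v0.5 migration. The `StoredCredential` type, the field names, the `reconcile_backup_flags` helper and the sample byte strings are assumptions for illustration; the real PR works on webauthn-rs types and the vaultwarden database.

```rust
// Added example, not vaultwarden or webauthn-rs code. Types and field names
// below are assumptions chosen to mirror the PR description.

/// Flag bits of the authenticator data `flags` byte (WebAuthn Level 3).
const FLAG_UP: u8 = 0x01; // user present
const FLAG_UV: u8 = 0x04; // user verified
const FLAG_BE: u8 = 0x08; // backup eligible
const FLAG_BS: u8 = 0x10; // backup state (currently backed up / synced)

/// The flags byte follows the 32-byte rpIdHash; the 4-byte signCount follows it.
const FLAGS_OFFSET: usize = 32;
const MIN_AUTH_DATA_LEN: usize = 37;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BackupFlags {
    pub backup_eligible: bool,
    pub backup_state: bool,
}

/// A credential row as it looks after migrating a webauthn-rs v0.3 record:
/// v0.3 never stored the backup flags, so both default to `false` (assumed shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StoredCredential {
    pub cred_id: Vec<u8>,
    pub backup_eligible: bool,
    pub backup_state: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum FlagError {
    TooShort,
    /// BS=1 with BE=0 is not a valid combination and should be rejected.
    BackupStateWithoutEligibility,
}

/// Extract the BE/BS flags from raw authenticator data.
pub fn parse_backup_flags(auth_data: &[u8]) -> Result<BackupFlags, FlagError> {
    if auth_data.len() < MIN_AUTH_DATA_LEN {
        return Err(FlagError::TooShort);
    }
    let flags = auth_data[FLAGS_OFFSET];
    let backup_eligible = flags & FLAG_BE != 0;
    let backup_state = flags & FLAG_BS != 0;
    if backup_state && !backup_eligible {
        return Err(FlagError::BackupStateWithoutEligibility);
    }
    Ok(BackupFlags { backup_eligible, backup_state })
}

/// Reconcile a stored credential with the flags seen in the response.
/// Only a migrated record (both flags still `false`) is touched, and only
/// when the credential id matches; a credential registered with BE=1 keeps
/// its values. Returns `true` when the record changed, i.e. when the caller
/// must persist it and update the in-flight challenge state before verifying.
pub fn reconcile_backup_flags(
    creds: &mut [StoredCredential],
    cred_id: &[u8],
    seen: &BackupFlags,
) -> bool {
    let cred = match creds.iter_mut().find(|c| c.cred_id == cred_id) {
        Some(c) => c,
        None => return false, // unknown id: leave it to normal verification to fail
    };
    let is_migrated_default = !cred.backup_eligible && !cred.backup_state;
    if is_migrated_default && seen.backup_eligible {
        cred.backup_eligible = true;
        cred.backup_state = seen.backup_state;
        return true;
    }
    false
}

/// Constructed sample authenticator data: 32 zero bytes standing in for the
/// rpIdHash, the flags byte, then a zero sign counter. Not a real response.
pub fn sample_auth_data(flags: u8) -> Vec<u8> {
    let mut data = vec![0u8; 32];
    data.push(flags);
    data.extend_from_slice(&0u32.to_be_bytes());
    data
}

fn main() {
    let mut creds = vec![
        StoredCredential { cred_id: b"passkey-1".to_vec(), backup_eligible: false, backup_state: false },
        StoredCredential { cred_id: b"yubikey-1".to_vec(), backup_eligible: false, backup_state: false },
    ];
    // A synced passkey (Bitwarden, iCloud Keychain, Google) reports BE=1, BS=1.
    let synced = parse_backup_flags(&sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)).unwrap();
    let changed = reconcile_backup_flags(&mut creds, b"passkey-1", &synced);
    println!("passkey flags {:?}, stored record updated: {}", synced, changed);
    // A hardware key reports BE=0, BS=0, so the migrated record is left alone.
    let hw = parse_backup_flags(&sample_auth_data(FLAG_UP | FLAG_UV)).unwrap();
    let changed = reconcile_backup_flags(&mut creds, b"yubikey-1", &hw);
    println!("hardware key flags {:?}, stored record updated: {}", hw, changed);
}
```

The spec expects BE to stay constant over a credential's lifetime, which is exactly the check that tripped the migrated records. Limiting the adjustment to records that still carry the migration default keeps that check intact for credentials registered after the upgrade, and rejecting BS=1 without BE=1 avoids persisting a combination no honest authenticator produces.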


Reference: github/vaultwarden#404