Login with Bitwarden Passkey

[naimo84]

Expected behavior:
A working login with passkeys and bitwarden/vaultwarden

Current behavior:
adding a passkey to bitwarden via the options works as expected,
verifing identity via passkey works,
login only works with a Google Passwordmanager Passkey, not with the added bitwarden passkey

Bug details:

• Teleport version: 15.1.1
• Recreation steps

---

adding:

---

verifing identity:

---

logging in:

• Debug logs

Mar 12 11:38:52 1337 teleport[3131766]: 2024-03-12T11:38:52+01:00 INFO [AUDIT] mfa.add addr.remote:[::1]:37468 cluster_name:teleport code:T1006I ei:0 event:mfa.add mfa_device_name:bitwarden2 mfa_device_type:WebAuthn mfa_device_uuid:42037189-d5bb-48af-b48e-4b9f180ba6ab time:2024-03-12T10:38:52.755Z uid:32a9c0ab-4480-41d2-a6d1-c9baec11ce7a user:naimo user_kind:1 events/emitter.go:278
Mar 12 11:39:19 1337 teleport[3131766]: 2024-03-12T11:39:19+01:00 INFO [AUDIT] mfa_auth_challenge.validate challenge_allow_reuse:false challenge_scope:CHALLENGE_SCOPE_MANAGE_DEVICES cluster_name:teleport code:T1016I ei:0 event:mfa_auth_challenge.validate mfa_device_name:bitwarden2 mfa_device_type:WebAuthn mfa_device_uuid:42037189-d5bb-48af-b48e-4b9f180ba6ab success:true time:2024-03-12T10:39:19.405Z uid:37dc8ec9-fee1-4ae1-abda-746e3fc85049 user:naimo user_kind:1 events/emitter.go:278

Issue Link: #19314

[ilbarone87]

I have same issue, bitwarden self hosted, not working either on Chrome and Safari. Both bitwarden and teleport are behind traefik reverse proxy. I can delete and re-add the passkey without problem but the login doesn't work

[adrianwalthert]

I have the same problem:
Bitwarden browser plugin: 2024.2.1
Server version: 2024.3.1

[ilbarone87]

Is there any update regarding this issue?

[im-alfa]

Hello,

I can confirm I have the same issue as @naimo84 .

"Verify my identity" opens Bitwarden as expected

However, "Sign in with a passkey" automatically opens the Windows selector. Same with Passkey as MFA

[milos-teleport]

Workaround:

1. Export your Bitwarden vault
2. Open the exported file and remove all JSON elements except the one for your tenant
3. Change the items[].login.fido2Credentials[].discoverable to true
4. Import the single JSON element into Bitwarden (creates a duplicate)
5. Optional: Remove the old Bitwarden vault entry

Example resulting JSON structure after step number 3: do not copy/paste

{
   "encrypted": false,
   "folders": [],
   "items": [
      {
         "collectionIds": null,
         "creationDate": "2024-12-16T14:06:22.226Z",
         "deletedDate": null,
         "favorite": false,
         "folderId": null,
         "id": "REDACTED-UUID",
         "login": {
            "fido2Credentials": [
               {
                  "counter": "0",
                  "creationDate": "2024-12-16T14:06:40.388Z",
                  "credentialId": "REDACTED-UUID",
                  "discoverable": "true",
                  "keyAlgorithm": "ECDSA",
                  "keyCurve": "P-256",
                  "keyType": "public-key",
                  "keyValue": "REDACTED",
                  "rpId": "yourcompany.teleport.sh",
                  "rpName": "Teleport",
                  "userDisplayName": "[email protected]",
                  "userHandle": "REDACTED-UUID",
                  "userName": "[email protected]"
               }
            ],
            "password": "REDACTED-PW",
            "totp": null,
            "uris": [
               {
                  "match": null,
                  "uri": "https://yourcompany.teleport.sh"
               }
            ],
            "username": "[email protected]"
         },
         "name": "yourcompany.teleport.sh",
         "notes": null,
         "organizationId": null,
         "passwordHistory": null,
         "reprompt": 0,
         "revisionDate": "2024-12-16T14:06:40.466Z",
         "type": 1
      }
   ]
}

[milos-teleport]

The workaround should only be needed for old Bitwarden passkeys. Looks like Bitwarden fixed similar issues recently: bitwarden/clients#7302