The tutorial mentions that both a YUBICO_CLIENT_ID and a YUBICO_SECRET_KEY variable need to be set in the container settings. They are generated per YubiKey as I understand it; that's where I'm stuck.
Is it enough to follow the mentioned steps for one key only, or should I add multiple variables per key in my container settings?
If they support WebAuthn, you can use them without those specific settings by using WebAuthn instead.
The generation is just for a global one, and the users can override it, I think? But I'm not sure, actually.
Also see what upstream Bitwarden says about it here: Configure Environment Variables | Bitwarden Help & Support, and look for globalSettings__yubico__.
Thanks for your reply. When clicking on "Add YubiKey OTP" in Vaultwarden, I get notified to enable YUBICO_CLIENT_ID and YUBICO_SECRET_KEY. I guess both keys are needed for a full OTP authentication via one button press / NFC on the YubiKey.
Which means I have to follow the guide linked in my first post, since it explains how to set up both variables. Sadly, it's not described how to proceed with multiple YubiKeys.
I was wondering about that as well. If I understood this correctly, you have to register yourself at the YubiKey cloud with one key to generate the Client ID and the Secret Key. Those credentials are used to contact the Yubico cloud, where the YubiKey OTPs are authenticated. But I could also be completely wrong there.
Go to the Yubico API key signup and obtain a key pair. Add them to your YubiKey config in the VW admin page or config (leaving the server field blank; it will default to the YubiCloud servers).
Registering your YubiKeys as a VW user should then work.
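The two posts above describe what the client ID and secret key are for: they identify the Vaultwarden instance to YubiCloud, sign the verify request, and the same secret is used to check the signature on the reply. The following Python script is an added example, not Vaultwarden's or Yubico's own code; it implements that exchange (the YubiCloud validation protocol v2.0: request signing, reply parsing, reply checking) so the offline parts can be run and inspected. CLIENT_ID, SECRET_KEY, the nonce and the OTP strings are placeholders constructed for the example; verify_online performs the real round trip and needs network access plus a genuine key pair from the API signup page.

```python
import base64
import hashlib
import hmac
import os
import re
import urllib.parse
import urllib.request

# Placeholder credentials, constructed for this example. A real pair is issued by
# the Yubico API key signup page (the secret is handed out base64-encoded).
CLIENT_ID = "12345"
SECRET_KEY = base64.b64encode(b"example-secret-key!!").decode()

# Default YubiCloud verify endpoint, which is what an empty "server" setting means.
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# A YubiKey OTP is 32..48 modhex characters; the first 12 are the key's public ID.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")


def public_id(otp: str) -> str:
    """Return the 12-char public ID, or raise if the OTP is not well-formed modhex."""
    if not MODHEX_OTP.match(otp):
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:12]


def sign(fields: dict, secret_key_b64: str) -> str:
    """Protocol v2.0 signature: HMAC-SHA1 (key = base64-decoded secret) over the
    fields sorted by name and joined as key=value&key=value, result base64-encoded."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    key = base64.b64decode(secret_key_b64)
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(otp: str, client_id: str, secret_key_b64: str, nonce: str = "") -> dict:
    """Query parameters for a verify call. The nonce must be unique per request;
    YubiCloud echoes it back so the reply can be tied to this request."""
    public_id(otp)  # reject malformed input before it reaches the network
    nonce = nonce or os.urandom(16).hex()
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign(params, secret_key_b64)
    return params


def parse_response(body: str) -> dict:
    """The reply is one key=value pair per line (CRLF separated)."""
    return dict(line.split("=", 1) for line in body.splitlines() if "=" in line)


def check_response(resp: dict, sent: dict, secret_key_b64: str) -> bool:
    """Accept only if the reply's signature is valid under our secret, the status
    is OK, and the echoed otp and nonce match what we sent (replay protection)."""
    signed_fields = {k: v for k, v in resp.items() if k != "h"}
    if not hmac.compare_digest(sign(signed_fields, secret_key_b64), resp.get("h", "")):
        return False
    return (resp.get("status") == "OK"
            and resp.get("otp") == sent["otp"]
            and resp.get("nonce") == sent["nonce"])


def verify_online(otp: str, client_id: str = CLIENT_ID, secret_key_b64: str = SECRET_KEY) -> bool:
    """Full round trip against YubiCloud (needs network and a real key pair)."""
    params = build_request(otp, client_id, secret_key_b64)
    url = VERIFY_URL + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=10) as r:
        body = r.read().decode()
    return check_response(parse_response(body), params, secret_key_b64)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <otp-from-yubikey-touch>")
    print("OK" if verify_online(sys.argv[1]) else "REJECTED")
```

Note that nothing in the request identifies which YubiKey produced the OTP apart from the OTP's own public ID, so one client ID and secret serve every key that users later register; the secret only authenticates the server instance to YubiCloud. The otp and nonce comparison in check_response matters: a reply that carries a valid signature but echoes an older nonce is a replayed reply and must be rejected.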
You should not use the "YubiKey OTP Security Key" setting in the two-factor auth pane; this is only for OTP. Look two buttons below and you will see FIDO2 WebAuthn.
Thanks for this. I realized that version 5 keys have two slots. I used slot #2 to create a new set of private keys and registered with their server. On the version 5 key, if you just press for 1 second you get slot 1; if you long-hold you get slot 2.
I then went to the API registration page, long-held on the key field, and it gave me the CLIENT_ID and Secret Key. I put both of those into the YAML file and it worked. Registered my key in Vaultwarden with no issues.