Invalid Yubikey OTP provided

I just set up Vaultwarden for the first time and all is working fine except for registering my Yubikey keys. When saving the Yubikey I get the notification “An error has occurred. Invalid Yubikey OTP provided“. I have tried several Yubikeys (2x Yubikey 5 NFC and 2x Yubikey 5C NFC), all with the same outcome. All the keys validate successfully at the Yubico OTP demo website.

20221204

The Bitwarden log logged the following events:

[2022-12-04 14:11:05.972][error][ERROR] Invalid Yubikey OTP provided.
[CAUSE] Network(
    reqwest::Error {
        kind: Builder,
        source: RelativeUrlWithoutBase,
    },
)
[2022-12-04 14:11:05.973][response][INFO] (activate_yubikey_put) PUT /api/two-factor/yubikey => 400 Bad Request

I did find some similar posts on the forum and on GitHub, but none gave a solution. One forum post (2FA OTP Error with Yubikey 5C NFC) described the exact same behaviour. I can confirm that I have a valid cert and valid domain configuration, as you can see in the support string below (Domain Configuration Check and HTTPS Check are true).

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.26.0
  • Web-vault version: v2022.10.0
  • Running within Docker: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********.*****.**",
  "domain_origin": "*****://*********.*****.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "***",
  "duo_ikey": "***",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": null,
  "smtp_from": "*******@*****.***",
  "smtp_from_name": "***",
  "smtp_host": "****.*****.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*******",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "***",
  "yubico_secret_key": "***",
  "yubico_server": ""
}

I think I found the root cause and believe it's a bug:

In the source code of yubikey.rs on line 150 Vaultwarden validates the length of the Yubikey I'm trying to register. The new key/OTP MUST be 12 characters long, while the Yubikey length in reality is 44 characters (vaultwarden/yubikey.rs at main · dani-garcia/vaultwarden · GitHub).

Can someone confirm my suspicions? When entering a random 12-character string or the first 12 characters of my Yubikey OTP in the settings, it will be stored; but only when logging out and logging back in again, validation of this random string, the first 12 characters, or the full Yubikey OTP fails.

Thanks!

For all others who stumble upon this issue: I had some misconfiguration. I had the variable YUBICO_SERVER configured but without a value. Removing the variable solved it. See: Not posible to store a YubiKey OTP in the user Account Settings · Issue #3003 · dani-garcia/vaultwarden · GitHub
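The two things this thread turns on are the shape of a Yubico OTP (44 modhex characters, of which the first 12 are the key's public ID and the remaining 32 are the encrypted token) and the difference between an environment variable that is unset and one that is set to an empty string, which is exactly the `RelativeUrlWithoutBase` failure above: an empty base URL cannot be turned into an absolute request URL. The following is an added example, not Vaultwarden's code, that checks both before you touch the admin page. The function names, the `YUBICO_SERVER` handling and the sample OTP are all assumptions constructed for illustration; the sample OTP is not from a real key.

```python
"""Pre-flight checks for Yubico OTP 2FA behind Vaultwarden (added example,
not project code): validate the OTP shape and the YUBICO_SERVER setting."""
from typing import Optional
from urllib.parse import urlsplit

MODHEX = set("cbdefghijklnrtuv")   # Yubico's modhex alphabet
PUBLIC_ID_LEN = 12                  # first 12 chars identify the key
OTP_LEN = 44                        # 12-char public ID + 32-char encrypted token

# Constructed sample: public ID "ccccccbcgujh" followed by 32 modhex chars.
SAMPLE_OTP = "ccccccbcgujh" + "cbdefghijklnrtuvcbdefghijklnrtuv"


def yubico_public_id(otp: str) -> str:
    """Return the 12-char public ID from a full 44-char Yubico OTP.

    This is the value a server keeps to recognise the key; a bare 12-char
    string is therefore an already-known key ID, not something that can be
    verified against the validation servers on its own.
    """
    otp = otp.strip()
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} modhex chars, got {len(otp)}")
    if not set(otp) <= MODHEX:
        raise ValueError("OTP contains characters outside the modhex alphabet")
    return otp[:PUBLIC_ID_LEN]


def resolve_yubico_server(env: dict) -> Optional[str]:
    """Distinguish 'unset' from 'set but empty' for YUBICO_SERVER.

    Unset means: fall back to the default Yubico cloud validation servers.
    Set but empty is the misconfiguration from this thread: an empty base
    URL has no scheme or host, so the HTTP client cannot build a request
    from it. Anything else must be an absolute http(s) URL.
    """
    if "YUBICO_SERVER" not in env:
        return None
    value = env["YUBICO_SERVER"].strip()
    if not value:
        raise ValueError(
            "YUBICO_SERVER is set but empty: remove the variable or give it a full URL"
        )
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"YUBICO_SERVER must be an absolute http(s) URL, got {value!r}")
    return value


if __name__ == "__main__":
    print("public id:", yubico_public_id(SAMPLE_OTP))
    for env in ({}, {"YUBICO_SERVER": ""},
                {"YUBICO_SERVER": "https://api.yubico.com/wsapi/2.0/verify"}):
        try:
            print(env, "->", resolve_yubico_server(env))
        except ValueError as exc:
            print(env, "-> misconfigured:", exc)
```

To see which case a running container is in, dump its environment with `docker inspect -f '{{json .Config.Env}}' <container>` and look for an entry that reads `YUBICO_SERVER=` with nothing after the equals sign; that is the set-but-empty case, and dropping the variable (rather than leaving it blank) is the fix the thread arrived at.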