Invalid Yubikey OTP length #232

Closed
opened 2026-02-04 18:50:25 +03:00 by OVERLORD · 6 comments

Originally created by @advancingu on GitHub (Feb 20, 2019).

Actual:
Triggering "Yubikey 5 NFC" button fails to log in and triggers red error pop-up in web vault stating `Invalid Yubikey OTP length`. In contrast, when generating the OTP into a text editor and then immediately copy & pasting it into the web vault, the login succeeds. Triggering the Yubikey many times (e.g. 20) also leads to a successful login at some point.

Expected:
Triggering Yubikey will log in successfully every time.

Notes:

  • Using the latest Docker image from today.
  • Yubikey is plugged in via USB-A.
  • Using the same key for the same account on a different machine works fine every time.
  • Both devices sit on the same network.

Is it right to assume there is a problem with USB timing on this particular machine and that this is not a problem related to Bitwarden?


@dani-garcia commented on GitHub (Feb 20, 2019):

That's very strange that it works copy-pasting but not directly. Could it be a browser problem, maybe they add a newline or a blank space or something? You could check the request that is being made in the browser's dev tools, it should be to the `/connect/token` URL and it should have a `two_factor_token` parameter that is exactly 44 characters long.


@advancingu commented on GitHub (Feb 20, 2019):

I investigated this some more. It appears to be browser related and not hardware or OS related.

Under Chromium everything works every time. Under Firefox, using dev tools to look at the request, I can see that one character is missing in the OTP string. Based on the OTP character pattern, it appears that it is always the first character that goes missing. When I prepend this character manually, the login works again.

Edit: I also tried with all FF extensions disabled and the issue persists.

Edit 2: This is not visible under Firefox on two other machines.

Any idea where to take this issue?
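
An added example, not part of the original thread or of the project's code: a JavaScript check for a `two_factor_token` value copied from dev tools, covering both the 44-character check suggested above and the dropped-first-character case seen in Firefox. The form-encoded request body, the function names and the sample OTP are assumptions constructed for illustration; the 12-character public ID prefix is the standard Yubico OTP layout.

```javascript
// A standard Yubico OTP is 44 modhex characters:
// a 12-character public ID followed by 32 characters of encrypted payload.
const MODHEX = /^[cbdefghijklnrtuv]+$/;
const OTP_LEN = 44;
const PUBLIC_ID_LEN = 12;

// Constructed sample values, not taken from a real key.
const SAMPLE_ID = "vvcdefghijkl";
const SAMPLE_OTP = SAMPLE_ID + "nrtuvbcdefghijkl".repeat(2);

// Pull the OTP out of a request body copied from dev tools.
// Assumption: the body is form-encoded (key=value&key=value).
function tokenFromBody(body) {
  return new URLSearchParams(body).get("two_factor_token");
}

// publicId: first 12 characters of a known-good OTP from the same key.
function diagnoseOtp(raw, publicId) {
  if (typeof raw !== "string") return { ok: false, findings: ["missing-token"] };
  const findings = [];
  const token = raw.trim();
  if (token !== raw) findings.push("surrounding-whitespace");
  if (token && !MODHEX.test(token)) findings.push("non-modhex-character");
  if (token.length !== OTP_LEN) {
    findings.push(`length-${token.length}`);
    const missing = OTP_LEN - token.length;
    if (publicId && missing > 0 && missing < PUBLIC_ID_LEN) {
      if (token.startsWith(publicId)) {
        findings.push("truncated-tail");
      } else if (token.startsWith(publicId.slice(missing))) {
        // Token begins with the tail of the public ID: leading input was lost.
        findings.push(`dropped-leading-${missing}`);
      }
    }
  } else if (publicId && !token.startsWith(publicId)) {
    findings.push("public-id-mismatch");
  }
  return { ok: findings.length === 0, findings };
}

// The case from this thread: first character lost before the form was submitted.
const captured = "grant_type=password&two_factor_token=" + SAMPLE_OTP.slice(1);
console.log(diagnoseOtp(tokenFromBody(captured), SAMPLE_ID));
```
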


@dani-garcia commented on GitHub (Feb 20, 2019):

Can you check the official demo site to see if the problem persists?
https://demo.yubico.com/otp/verify

So, to recap, the problem only appears in Firefox and only on one computer? If so, you can try creating a new fresh Firefox profile to check if the problem is in the Firefox config (Run `firefox -P`, I think).


@advancingu commented on GitHub (Feb 20, 2019):

Surprisingly, https://demo.yubico.com/otp/verify validates fine on the affected machine with the same FF profile that fails when I try to log in to my own web vault. Additionally, the same issue exists when using the BitWarden FF add-on to access my installation.

I also created a completely new system user, logged in without touching anything else and tried to log in right away. Result: Continues to miss the first character.

Also fails under Firefox when booting from a USB stick into an Ubuntu 18.10 live image.
https://demo.yubico.com/otp/verify only failed once while running the live image, then 20 consecutive successes. The failed verification was again missing the first character.


@dani-garcia commented on GitHub (Feb 20, 2019):

Looking through the internet, this also happens with other programs that automatically enter data in Firefox; at least I could find a couple of reports for KeePass.

Most of the problems seem to be related to the fact that Firefox sometimes doesn't focus on the fields correctly or quickly enough after pressing TAB, and so the first character doesn't get written.

Now, I don't think the TAB part is applicable here, but maybe you can try unfocusing the field and refocusing, then waiting a second and finally touching the Yubikey.

Some references:
https://sourceforge.net/p/keepass/discussion/329221/thread/32f7cdeb/
https://bugs.launchpad.net/ubuntu/+source/keepass2/+bug/1783873
https://github.com/keepassxreboot/keepassxc/issues/2081


@advancingu commented on GitHub (Feb 20, 2019):

Thanks for researching this! Since I have some cases where behavior suddenly changes for one attempt, I would agree that this appears to be a timing issue.

Trying various approaches of focus and unfocus unfortunately did not help either. I have the feeling that it is based on CPU load and how busy Firefox is inside other tabs.

I will close this now since it is clearly not an issue of this project.


Reference: starred/vaultwarden#232