TODO error during login - YubiKey about rbw HOT 6 CLOSED

I wrote a prototype PR using webauthn-rs, and it is working (With vaultwarden + yubikey 5c). Still needs clean-up, testing, and integration into the rbw pinentry (currently it expects the pin to be entered via the stdin of the agent), but once complete it solves this issue.

from rbw.

yeah, yubikeys are currently not supported. i'd be willing to look over a patch to make this work, but i'm unfortunately pretty unlikely to get to this anytime soon (it'll be a decent amount of work, because as far as i can tell, there aren't really any u2f client libraries for rust yet, and i don't personally use a yubikey for bitwarden). sorry!

from rbw.

Yep, webauthn-rs would work here.

Keep in mind though, that due to recent changes in webauthn and ctap2, using a yubikey as a "second factor" is no longer really the intent of the spec/standard. These devices are moving to self-contained multifactor, and enforce some behaviours that can confuse users if you try to use them as "single factors" only. We try to guide you away from this in the design of the webauthn-rs api.

But otherwise, yes, webauthn-rs has everything you would need here, and we intend to add support for hmac secret in the future if you need derived keys.

from rbw.

Wondering if https://github.com/kanidm/webauthn-rs is a valid option for getting webauthn support going. It is kinda the successor to U2F and also works directly with phones, that have TPM devices.

from rbw.

@doy i assume the situation has not changed much since then?

I would really like being able to use rbw with my 2FA-enabled account.

from rbw.

Getting similar issues on darwin m1:

rbw ls
rbw list: TODO

basically on any rbw action is outputs: TODO.

Sorry, I lied, I've got email 2fa, after disabling it, rbw authenticated no problem. Will create a separate issue then.

from rbw.