Registering Device Biometrics for MFA with Bitwarden Fails with Error "Device registration error. If you already registered this device, please try again"

Overview

A user stores their credentials in Bitwarden and would like to use Bitwarden as the client that handles device biometrics MFA in Auth0. They are able to begin the MFA enrollment process for their device, but after attempting to register the device with Bitwarden, the following error message appears:

Device registration error. If you already registered this device, please try again. If not, try using another method

The user confirms that device biometrics enrollment works on the same machine when using a different client, such as 1Password or Dashlane. The browser being used is supported, as mentioned here.

There are no error messages in the logs from this MFA enrollment. From viewing the tenant logs, the device enrollment for MFA starts and remains pending but never completes or fails. The HAR file from reproducing the issue shows a 200 status code from /u/mfa-webauthn-platform-error-enrollment after the enrollment starts.

Applies To

  • Multifactor Authentication (MFA)
  • Device Registration
  • Bitwarden

Cause

A common cause of this error is an incorrect relying party ID, but in this case the relying party ID was not in use, and the HAR file shows the request coming from the tenant's custom domain. The enrollment fails on the Bitwarden side, not in the Auth0 configuration.

Solution

Bitwarden does not support being used as the device biometrics MFA client, but it does allow a passkey to be stored.
Given the high level of security passkeys provide, one option is to skip MFA for users who have authenticated with a passkey in order to reduce friction. This can be achieved with a post-login Action.
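The post-login Action described above, as an added example that is not part of this article and not Auth0's or Bitwarden's own code. It assumes the tenant's MFA policy is set to "Never" in the Dashboard so that the Action controls when MFA is enforced, that `event.authentication.methods` lists the methods used for the current login with a passkey login reported under the name `passkey`, and that `api.multifactor.enable("any", ...)` triggers the MFA enrollment or challenge. The decision logic fails closed: if the method list is missing or empty, MFA is required.

```javascript
// Added example (not Auth0's or Bitwarden's own code): a post-login Action that
// requires MFA for every login EXCEPT one already authenticated with a passkey.
//
// Assumptions (see lead-in): tenant MFA policy is "Never" so this Action decides;
// event.authentication.methods is an array of { name, timestamp } with a passkey
// login reported as name "passkey"; api.multifactor.enable("any") enforces MFA.

const PASSKEY_METHOD = "passkey"; // assumed Auth0 method name for passkey logins

/**
 * Decide whether MFA must be enforced for this login.
 * Returns { requireMfa, reason } so the decision can be logged and tested.
 * Fails closed: a missing or empty method list means MFA is required.
 */
function decideMfa(event) {
  const methods = event && event.authentication && event.authentication.methods;
  if (!Array.isArray(methods) || methods.length === 0) {
    return { requireMfa: true, reason: "no authentication methods reported" };
  }
  // Only an exact, string-typed method name counts; anything else is ignored.
  const usedPasskey = methods.some(
    (m) => m && typeof m.name === "string" && m.name === PASSKEY_METHOD
  );
  if (usedPasskey) {
    return {
      requireMfa: false,
      reason: "login used a passkey, a phishing-resistant possession factor",
    };
  }
  return { requireMfa: true, reason: "no passkey used in this login" };
}

/** Auth0 post-login Action entry point (assumed handler signature). */
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.requireMfa) {
    // Do not let a remembered browser bypass the challenge on later logins.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
  // Returning without calling api.multifactor.enable lets the login proceed
  // without MFA, which is the intended outcome for passkey logins.
}

// Auth0 Actions export the handler as exports.onExecutePostLogin; guarded so the
// file also loads where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Keep the Action narrow: it only skips MFA when the current login itself used a passkey, not merely because the user has one enrolled, so a password-only login for the same account still gets challenged.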

Related References