Cannot add a second WebAuthn/Passkey (2FA) credential — challenge returns 200 OK, but registration doesn’t complete

[AxonByteDev]

Hi everyone,
I’m having an issue with WebAuthn/Passkey (FIDO2) two-step login in Vaultwarden: I can only add one passkey/security key. The first credential registers successfully, but attempting to add a second one does not complete (no second credential is stored / shown).

What happens

First passkey registers fine.

When adding a second passkey, the flow starts (browser/OS prompt appears), but in the end no additional passkey is saved (and/or the UI does not show a new entry).

Logs

When starting the “add passkey” process, Vaultwarden logs:
[2026-02-03 10:07:51.939][request][INFO] POST /api/two-factor/get-webauthn-challenge [2026-02-03 10:07:52.034][response][INFO] (generate_webauthn_challenge) POST /api/two-factor/get-webauthn-challenge => 200 OK
After confirming the passkey prompt, I don’t see an obvious follow-up request in the logs (it looks like the registration may not reach the server, or it fails client-side).

Server Installed Ok
1.35.2
Server Latest
1.35.2
Web Installed Ok
2025.12.1+build.3
Web Latest
2025.12.1+build.3
Database
SQLite: 3.50.2

On an older server, adding multiple passkeys works fine with these versions:
Server Installed Update: 1.34.3
Server Latest: 1.35.2
Web Installed Update: 2025.7.0
Web Latest: 2025.12.1+build.3
Database: SQLite 3.50.2

I can also reproduce the same behavior on the public instance:
https://vault.riesselmann.net/#/login
(adding a second passkey does not work for me there either).

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.35.2
• Web-vault version: v2025.12.1+build.3
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "***********************",
  "smtp_host": "******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[BlackDex]

Please post the support string which you can generate at the bottom of the diagnostics page.

[AxonByteDev]

Thanks for the note. I’ve updated my original post and included the required support string / diagnostics information.

[BlackDex]

So, what is the actual issue? Did the registration not work? Did you press save?
Or what is the actual result you were expecting in the web-vault?

[AxonByteDev]

I have an issue with the key management:

Key 1

I can assign a name to the key and save it (works).

After that, I have to close and reopen the key management window, otherwise I can’t add a second key.

When I open it the second time, I also can’t delete individual keys anymore (this used to work).

Key 2

Assign a name → enroll/learn the key → then the Windows window for the key opens.

The key is blinking, but when I click/use it, nothing happens until I press Cancel.

I also swapped the keys around: only the first one works; after that nothing works anymore. However, I can then use the first key to log in.

[BlackDex]

If this is about the web-vault, than that isn't something we can fix i guess.
It might be fixed in a newer web-vault, which is not yet in the latest tagged image, but there should be a newer one in testing.

Else, it might be fixed in the 2026.x.x version, but i have not yet tested that version.

Maybe you can post a more detailed step-by-step instruction on what you try to do, that might help us reproduce this.

[AxonByteDev]

I hope this helps reproduce the issue. For your information, I’m of course using two different keys.
https://github.com/user-attachments/assets/35b1d824-3fef-48d6-994b-b64f66aaae56

[BlackDex]

This is a web-vault specific item. And not really something we can fix I'm afraid. Again, it might be an already solved item but not sure.

I have several tokens added in the same way without issues. But I'll try again.