I’m trying to play with a Java test card and get FIDO2 and U2F working directly with the card. I’m able to use the card on Windows under Two factor Auth. > Physical security key. If I understand this correctly, this is U2F/FIDO1. I’m unable to get it to work as a passkey; Windows lets me scan the key and enter a PIN, but the site gives me a timeout error.
On Android, I’m not able to do either. With KeePassDX as the credential provider, I’m able to scan the card to unlock the DB and use it as the passkey/U2F key. I don’t believe this is using the card directly for the auth, just the actual KeePass DB.
Setting the credential provider to the default Google manager, Google doesn’t even allow me to attempt to use a physical key, just a virtual one. I’m assuming this is either intentional on their part or an error on mine.
Am I missing something? I am using Graphene on my phone, but do have Google services running and am able to use virtual FIDO2/U2F just fine. The goal is to have the auth done directly on the card, but I guess I can live with just KeePass if that’s all I’m able to get working.
EDIT: This is just using the forum’s implementation. Discord seems to work fine.
EDIT again: After trying to use it on both Windows and Android, Discord no longer works fine. It complains of a low-level error. Windows also no longer accepts the key.
Windows doesn’t allow direct auth with FIDO2 or U2F... where are you seeing “physical security key” at?
Ah, OK, now your post makes a little more sense. Good to be thorough when describing issues needing support.
Now I’m back to confused. Did you mess up PIN entry? Is your FIDO2 app now locked due to PIN entry problems?
I would remove FIDO2 and re-deploy it. Set a PIN. Then try again with whatever you were trying to do, and please break down exactly what the steps and details are.
I then set it up with Discord on Windows, using the prompts. This had me enter a PIN; this worked fine on Windows. I then attempted to use it on their Android app, and this worked.
With this working, I then went to set up on the forums on Windows. I scanned the card, and it asked for a PIN. Even after entering the PIN, it wouldn’t accept the key.
I then tried on mobile, again for the forums, and wasn’t able to due to never being prompted for an NFC device. It would only allow me to use either KeePass or Google’s own password manager, not the card itself.
Following a few more attempts of this, I then moved to trying Discord’s mobile app. I was not prompted for a PIN, but it did not log me in either. It would error out.
After this error happened, I removed the key from Discord and re-added it on mobile. I was never asked to set or prompted for a PIN. I then attempted to use it on Windows, but was unable to. It would scan but would say “This key is not familiar”.
Attempting this a few more times didn’t help either, and I couldn’t get either device to use the key.
I’ve since deleted the applet and will deploy it again tomorrow; need some sleep before attempting signing certs and uploading.
I assume by “the forums” you mean this forum here. I know it seems obvious, but you never know... could have been the trufflehunter forums for all I know.
This forum supports both “security keys” and “passkeys”. The whole industry is kinda fucked on this naming convention thing, and nobody has really sorted out a definitive naming convention here... but generally speaking, “security key” nowadays means U2F and “passkey” means FIDO2 resident keys or non-resident keys, but more often than not it’s a resident key they refer to as a “passkey”.
For FIDO2, it’s made more difficult by the fact that your user experience (enter a PIN or not) depends on both the FIDO2 applet code and the relying party requirements. But, that said, generally speaking U2F does not ask for a PIN, because it’s a second factor and just having it is enough security, since you must use a username and password as your first factor. When it comes to FIDO2, resident keys and non-resident keys alike will, for our NFC authenticator, always require a PIN even if the relying party does not require one (for whatever reason). Now, an RP could “fall back” to U2F, for instance, which our FIDO2 applet supports, and then you will not be asked for a PIN, but you will also not have a FIDO2 key generated either. Relying parties that have not implemented FIDO properly (and there are a ton) could have major differences in how their website implements FIDO vs. their mobile app.
For the forum here, did you follow these steps for passkey (FIDO2 passwordless);
You can see Passkeys are called out right on the security page:
Can’t sleep due to not knowing what’s wrong; you know how it is.
Provisioned new certs (these are not the final keys that I will use, so I don’t mind the private keys being here).
After finishing with the above, the video below is the resulting behavior on the DT forums; I have not tested other apps or mobile. Not shown was the first attempt, but the only difference was setting the 4-character PIN. The result was the same. The Windows device connect and disconnect sounds are the card coming off and on the reader.
What the hell do they mean “change”? The relying party is very likely going to request a resident key during authentication if they are specifying one in the registration phase... but this one blows me away completely;
Whatever MS is smoking, I want some. The Change button just takes you back to the previous menu, to switch between types.
Good news: I was able to get things working. I wiped the applet off of the card (there were some packages that stuck around for some reason) and reinstalled:
I then attempted in Firefox; originally I was trying in Opera:
And it works just fine. It even works when logging in with Opera.
Bad news is I still don’t know what caused the original failure state. On mobile, U2F works as expected. Passkeys do not; I’m not prompted for an NFC tap, just KeePass. I’ll record it later today.
I think this is due to GrapheneOS or Google being Google. On mobile, I am not prompted for a security key, even from web sources. This is fine, as KeePassDX works with their YubiKey driver, so I’m still able to “use” the card as a method of auth.
To provide an example of the behavior: on Discord, attempting to log in with a passkey just provides a generic credential error and never prompts for a key. Putting in a user/pass does correctly prompt for a key and does log in.
I do believe this is due to my choice of custom OS on mobile, rather than anything on my end. PC works fine; even passing through to a VM and using pam-u2f works. I’m happy with what I’m getting from the card. I’ll have to wait for the Apex install to get all my services moved over, as I’m not comfortable with only having one key, especially one I can lose. Thanks for the assistance, Amal.
Providing a username and password, then scanning the token works fine, but it’s not using PassKey Bridge when doing that. I registered the key on PC by scanning the QR code.
Again, I’m happy with how things are functioning. I would have liked to use the card directly, but I’m happy with the way things work as is. Good to have the PassKey Bridge either way, as I do carry a laptop with me.
This has to do with how your FIDO token was registered and how the authentication request came in. That’s why we put a debug section on the pop-up, so you can evaluate the request. The “no credentials” error can mean a few things, but without debug data it’s hard to troubleshoot.
To get access to full debug data, go into Settings and long-press the logo; a debug toggle will appear with a share icon. Do your registration and your authentication and share the debug log to yourself to see what’s being asked of your token during registration and during authentication. This should reveal some clues.
I think I found the issue, at least in my case. Discord is sending an empty “allowedCredentials” array: debug_log_1771958712674.txt (57.7 KB)
Edit: Actually, I think it’s due to registration. Registering on mobile doesn’t ask for a PIN, which makes me think it’s setting it up for U2F rather than full FIDO2.
That’s called “UserVerification”. This is where it gets annoying, because the standard is written to not step on toes too hard, so the RP can request a credential with no PIN (no UV). But because our applet is NFC, in the code it will require UV, so there is kind of an interplay.
The log does not show registration with Discord. Did you try to register with NFC PassKey Bridge? I would remove the credential with Discord, turn on debug mode, register with NFC PassKey Bridge, then attempt to authenticate with it. Post the debug.
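Added example, not from the forum, the applet or NFC PassKey Bridge: a small triage script for the two request shapes the posts above are arguing about. It reads the standard WebAuthn option objects a relying party hands to navigator.credentials.create() / get() (authenticatorSelection.residentKey, requireResidentKey, userVerification, allowCredentials) and reports what each one demands of the token: whether a discoverable (resident) credential is required, whether the request could be served over a U2F fallback at all, and whether a PIN prompt is expected. The "card always enforces UV over CTAP2" rule is an assumption modelled on what the thread says about this NFC applet, and the four sample requests are constructed for the example, not copied from any debug log. The empty-allowCredentials authentication after a non-resident registration is the pairing that produces a "no credentials" result, which is what explain_flow() flags.

```python
"""Triage WebAuthn request options as an NFC FIDO2 card that always enforces
user verification (UV) over CTAP2 would experience them.

Field names are the standard WebAuthn ones. The sample requests are
constructed for this example and are not taken from any real debug log.
"""
import json

# Constructed: registration that demands a discoverable credential and leaves
# UV at "preferred" (the WebAuthn default when the RP omits it).
SAMPLE_CREATE_DISCOVERABLE = {
    "rp": {"id": "example.com", "name": "Example"},
    "user": {"id": "dXNlci0x", "name": "alice", "displayName": "Alice"},
    "challenge": "Y2hhbGxlbmdl",
    "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
    "authenticatorSelection": {"residentKey": "required", "userVerification": "preferred"},
}

# Constructed: old second-factor style registration (no resident key, UV
# discouraged). This is the shape a client can satisfy over CTAP1/U2F.
SAMPLE_CREATE_SECOND_FACTOR = {
    "rp": {"id": "example.com", "name": "Example"},
    "user": {"id": "dXNlci0x", "name": "alice", "displayName": "Alice"},
    "challenge": "Y2hhbGxlbmdl",
    "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
    "authenticatorSelection": {"requireResidentKey": False, "userVerification": "discouraged"},
}

# Constructed: authentication with an empty allow list. Only a discoverable
# credential stored on the token for this rpId can answer it.
SAMPLE_GET_DISCOVERABLE = {
    "rpId": "example.com",
    "challenge": "Y2hhbGxlbmdl",
    "allowCredentials": [],
    "userVerification": "preferred",
}

# Constructed: authentication that names the credential id it registered.
SAMPLE_GET_SECOND_FACTOR = {
    "rpId": "example.com",
    "challenge": "Y2hhbGxlbmdl",
    "allowCredentials": [{"type": "public-key", "id": "AQID"}],
    "userVerification": "discouraged",
}


def resident_key_requirement(create_opts):
    """'required', 'preferred' or 'discouraged' for a creation request.
    WebAuthn Level 2: residentKey takes precedence; when it is absent the
    legacy requireResidentKey boolean decides."""
    sel = create_opts.get("authenticatorSelection", {})
    rk = sel.get("residentKey")
    if rk in ("required", "preferred", "discouraged"):
        return rk
    return "required" if sel.get("requireResidentKey") else "discouraged"


def classify_create(create_opts, card_always_uv=True):
    """What a registration request asks of the token."""
    rk = resident_key_requirement(create_opts)
    uv = create_opts.get("authenticatorSelection", {}).get("userVerification", "preferred")
    # Only a request that mandates neither a resident key nor UV can be
    # served by a CTAP1/U2F registration.
    u2f_expressible = rk != "required" and uv != "required"
    return {
        "resident_key": rk,
        "user_verification": uv,
        "u2f_expressible": u2f_expressible,
        # Assumption from the thread: over CTAP2 this card always asks for
        # its PIN regardless of userVerification; only a U2F fallback skips it.
        "pin_prompt_expected": card_always_uv and not u2f_expressible,
    }


def classify_get(get_opts, card_always_uv=True):
    """What an authentication request asks of the token."""
    allow = get_opts.get("allowCredentials") or []
    uv = get_opts.get("userVerification", "preferred")
    discoverable_required = len(allow) == 0
    u2f_expressible = not discoverable_required and uv != "required"
    return {
        "rp_id": get_opts.get("rpId"),
        "credential_ids": [c.get("id") for c in allow],
        "discoverable_required": discoverable_required,
        "user_verification": uv,
        "u2f_expressible": u2f_expressible,
        "pin_prompt_expected": card_always_uv and not u2f_expressible,
    }


def explain_flow(create_opts, get_opts):
    """Pair a registration with a later authentication. A registration that
    discouraged a resident key followed by an authentication with an empty
    allowCredentials leaves the token nothing discoverable to return, which
    surfaces as a 'no credentials' error."""
    reg = classify_create(create_opts)
    auth = classify_get(get_opts)
    risk = auth["discoverable_required"] and reg["resident_key"] == "discouraged"
    if risk:
        note = "non-resident registration but empty allowCredentials on login"
    elif auth["discoverable_required"] and reg["resident_key"] == "preferred":
        note = "works only if the client actually created a resident key"
    else:
        note = "consistent"
    return {"registration": reg, "authentication": auth,
            "no_credentials_risk": risk, "note": note}


if __name__ == "__main__":
    print(json.dumps(explain_flow(SAMPLE_CREATE_SECOND_FACTOR, SAMPLE_GET_DISCOVERABLE), indent=2))
```

To use it against a real capture, paste the creation and request option objects out of the bridge's debug log into the two dict slots (or json.loads() them) and compare the two classifications: an empty allowCredentials on login paired with a registration that never asked for a PIN is the combination to look for first.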
Here are logs for registration and the several failed attempts. Also, the key did not work on PC with a USB reader after this: debug_log_1771993272407.txt (159.9 KB)