VivoKey releases NFC Passkey Bridge

Flex secure,

1 Like

I did try with this app since it was mentioned in the grapheneos forum, with the same issue. It’s very possible something on my phone is fucked up

1 Like

I’ll test both apps with my NFC yubikey tomorrow

1 Like

This app helped me at work today.

Small company, all of our workstations and laptops are Debian. Sometime last year I swapped a physical Yubikey for my Flex + FIDO2 as the 2nd factor for one of our AWS accounts. I kept a reader at my desk and had the Linux CTAP bridge installed and running on my workstation. We’ve since swapped all of our AWS logins to SSO and I forgot about having my Apex as a 2nd factor. Took the reader home a few months ago for testing, and I’ve since upgraded my workstation so no more CTAP bridge.

I needed to log in without SSO for some testing today and was about to plan for a lunchtime detour to my house to pick up a reader, then remembered the app. Worked perfectly on Chrome/Debian 12; just needed to turn on Bluetooth.

I like FIDO2 for non-discoverable 2FA a lot more than I like it for Passkeys right now. I know the industry is pushing hard to eliminate passwords (and phishing them), but 2FA based on physical devices still has a lot going for it. Mature tech with a lot more months under it to have worked out the kinks. No storage pressure on memory-scarce devices like the Apex. The only downside is not many sites allow you to enroll multiple FIDO security keys (for backup). Thankfully, AWS is an exception and allows 2 per user account.

5 Likes

Really? My problem is finding sites that still allow u2f or Fido2 non-resident key use at all. Of the sites that do offer it I don’t think I’ve ever seen one not allow multiple registrations.

Awesome! Tell your friends :slight_smile:

2 Likes

Maybe “not many” isn’t accurate. I should say that of the sites I have U2F enabled on, quite a few don’t allow multiple devices.

Take Google for instance. They’ve merged U2F and Passkeys into the same security settings screen. You can still add a pin-less U2F as an actual 2nd factor, but once you have one set, any attempt to add a 2nd security key only allows it as a discoverable Passkey (at least for me). There are some Reddit posts about some hacky workarounds that I haven’t tried.

I have a co-worker who occasionally leaves their badge at home, and I’m usually the first one in the office so I let them in. I’ve said that they get 4 buzz-ins per year before they have to get a xEM implanted. They just used #3 a week ago, lol.

6 Likes

I had a problem with U2F on Google earlier. But I got 0x6a82, which is odd given U2F and FIDO2 have the same AID, non?

1 Like

I may have found a bug but I’m unsure. When using the bridge for websites, the bridge pops up as an option. When attempting to use it for SSH key authentication it seems to not show up as an option; only other passkey managers on my phone are available. To replicate this on Windows at least, you can open PowerShell and create a temporary key: ssh-keygen -t ed25519-sk -O resident -f "$env:USERPROFILE\.ssh\id_ed2551_test" This will then pop up with the normal Windows flow of QR code or other device, and when scanning the QR code the bridge isn’t an option. Just an FYI

What if you scan the QR code from the scanner in passkey bridge itself?

The problem might also be the relying party request. It might specify platform-only authenticators, not hybrid authenticators, which is what the bridge registers as.

Has anyone tested Passkey Bridge with a Yubikey 5 NFC .. the kind with passkey support, not just 2FA “security key” functions? I had a customer email about having problems using their PIN with a “Yubikey NFC 5” so I purchased this guy to do some testing with;

Anyone else already test this out?

1 Like

@amal I have one at home that I can test. I’ll let you know tonight.

2 Likes

I’m getting this error:

I am in fact using a Yubikey 5C NFC and I can see the Passkey for the site I tried in the Passkey section on the Yubico Authenticator app:

2 Likes

Interesting. What’s the site? Or could you test with webauthn.me

1 Like

I tested it logging into my Google account as well as an okta account and got the same result

Both websites succeed when using my Apex with the passkey bridge

2 Likes

I think this error is actually old because ctap1 for 2FA is now supported. What version of passkey bridge do you have running? can you update?

1 Like

I’m running 1.4.1, but according to Google Play, there is no update available

3 Likes

The mystery deepens..

2 Likes

I just successfully completed the following tests;

  • reset Fido2 application with yubikey manager. The Fido AID will not select unless this is done at least once.
  • set PIN code using NFC Passkey Manager
  • registered a credential with NFC Passkey Bridge on Win 11, Firefox browser, using caBLE protocol
  • authenticated using NFC Passkey Bridge on same system.

Now I will start registering the yubikey with other services and test both registration and authentication. I will register with both Windows directly using the USB interface of the yubikey and NFC, as well as NFC using NFC Passkey Bridge.

My hunch is that users that register with the USB are having problems using the NFC interface.. Fido2 be goofy like that.. but we shall see. @caj380 can you confirm how you registered the credentials you are testing? Was it using NFC or USB when you first registered with Okta and Google?

2 Likes

Ok I was able to replicate the problem immediately by registering the Yubikey 5C NFC using the USB interface and then trying to auth with NFC Passkey Bridge. It said INVALID_PIN, which is not exactly the same problem @caj380 was having, but it is the problem the customer who pinged me about it was having.

Working the problem and will do more testing…

2 Likes

Ok looks like Yubikeys are sensitive little bastards about getting assertions from the token. Working on update..

2 Likes