Unable to set up security key for passwordless login

Dex-chan lover
Joined
Nov 4, 2020
Messages
374
I recently acquired a YubiKey 5 NFC security key, that I wanted to setup for passwordless login (I have the phone's biometric set up, but can't use it with my computer, so I wanted a key that can do both).

I was able to set it up for 2FA with no difficulties, however when I try to set it up for passwordless, following the exact same steps, I get an error saying "Failed to register your Security key.
Validator is configured to check user verified, but UV flag in authenticatorData is not set."

I am using Firefox on an Android 13 phone, the steps to reproduce are:
  • Set up Security key
  • Sign in if necessary
  • Register
  • The security key screen shows up, put the key on the back of the phone and wait until it says it can be removed, and remove it (you can also explicitly choose NFC on the security key screen before using the key)
  • Validate when the browser asks to choose a name for the security key (you can also change the name, it doesn't change anything since it fails)
 
Dex-chan lover
Joined
Nov 4, 2020
Messages
374
After fiddling a bit, I found that the issue is that the WebAuthn configuration expects user validation, thus having 2FA (what you have, the security key + what you know, a PIN code), and it seems to not be implemented correctly, not sure if this is because of NFC specifically or because of the browser or Android.
I tried on a Windows computer, directly plugging the key in, and was prompted for a PIN code, which essentially makes passwordless authentication a lie, even if the server does not store it I still have to use a password for the security key :pout:

Also, I can't seem to use it to log in, passkeys detects that I have my fingerprint and directly uses it, so the NFC tap acts as if there was no ongoing authentication request.
And for some reason, my fingerprint passkey is only detected in one session, if I try to login in a private tab or with a different browser, it tells me no passkeys detected but if I try to save it from there, it tells me it already exists :questionblob:

Clearly, there is some stuff going on, but I don't know if the issue comes from the browser, the OS or the website implementation. Potentially a mix of all that.
 
Last edited:
Joined
Feb 1, 2024
Messages
4
After fiddling a bit, I found that the issue is that the WebAuthn configuration expects user validation, thus having 2FA (what you have, the security key + what you know, a PIN code), and it seems to not be implemented correctly, not sure if this is because of NFC specifically or because of the browser or Android.
I tried on a Windows computer, directly plugging the key in, and was prompted for a PIN code, which essentially makes passwordless authentication a lie, even if the server does not store it I still have to use a password for the security key :pout:

Also, I can't seem to use it to log in, passkeys detects that I have my fingerprint and directly uses it, so the NFC tap acts as if there was no ongoing authentication request.
And for some reason, my fingerprint passkey is only detected in one session, if I try to login in a private tab or with a different browser, it tells me no passkeys detected but if I try to save it from there, it tells me it already exists :questionblob:

Clearly, there is some stuff going on, but I don't know if the issue comes from the browser, the OS or the website implementation. Potentially a mix of all that.
Received the same issue when I was using my Bitwarden password manager for MangaDex. 1Password seems to be working fine when I tested it.
 
Last edited:

Users who are viewing this thread

Top