According to the NitroKey 3 FAQ on Azure Entra ID and the Certificates page, it appears the NitroKey 3 does not have any attestation.
Are there any plans to provide attestation for the NitroKey 3?
Background: I tried to use my NitroKey 3C for the new Swiss government authentication platform (agov.ch) and it fails with the error “Attestation not trusted”, although they only specify that FIDO2/WebAuthn is required.
Also, it would be great if there were some note on the product page for future buyers regarding the attestation status of the NitroKey 3, because I get the feeling more and more platforms are requiring attestation.
Yes, we are currently working on an L1 FIDO Alliance certification. This will help already, but as far as we know many of the government platforms want L2. This is clearly planned, but for L2 I cannot share a clear roadmap yet.
Hi @daringer, thanks for your fast reply. Great to hear.
By the way, at least for this Swiss gov platform it appears they also support L1-certified keys like the Token2 T2F2. So L1 certification for the Nitrokey 3 would be enough; it’s “only” the attestation that’s missing …
Unfortunately, the NK3 still does not work on agov.ch although the NK3 has the necessary L1 certificate on fido-mds-explorer.
The NK3 registration probably fails on the “key protection = hardware” criterion. Do I understand correctly that the FIDO key should be stored in the secure element, and that this is not the case on the NK3? If so, is it planned?
For clarity, I believe only the NK3 Mini has L1 certification; the NK3 C and NK3 A are yet to have official FIDO certification.
I am not sure which version of the NK3 you have.
My question is: are the NK3s (A, C, Mini … which one?) considered to be certified L1 & L2, and are there plans to change “key protection = software” to “key protection = hardware”?
The Nitrokey 3 Mini is the only Nitrokey which is L1 certified by FIDO at the moment. You can check it at the official FIDO website (FIDO® Certified - FIDO Alliance); just search for “nitrokey” in the company filter.
I had asked about certifications for other keys like the NK3 A and C a while back, and support had replied that the others would get certifications soon.
You should join the Matrix room to have updated info and direct responses from the team members.
As for your second question about key protection: there is secure element hardware protection for some components like OpenPGP, but for FIDO I guess it’s still on the roadmap and is currently protected by “encrypted storage”. Refer to the FAQ section of the NK3 for exact details: https://docs.nitrokey.com/nitrokeys/nitrokey3/overview
Nevertheless, security details and consequences have been discussed extensively in the Matrix room and also in some of the threads here. So you could search for those threads by the keyword “secure element” or ask in the Matrix room again.
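As an added illustration (not from this thread, Nitrokey or agov.ch), here is how a relying party can apply a “key protection = hardware” plus minimum-certification policy on top of FIDO MDS3 metadata, producing the “Attestation not trusted” outcome for unknown AAGUIDs. The entries, AAGUIDs and dates are constructed placeholders, not real device metadata.

```python
# Relying-party policy: modelled on the thread's "key protection = hardware"
# criterion plus a minimum FIDO certification level.
POLICY = {"min_level": 1, "key_protection": "hardware"}

# AuthenticatorStatus values as used in MDS3 statusReports, mapped to a level.
LEVELS = {"FIDO_CERTIFIED": 1, "FIDO_CERTIFIED_L1": 1, "FIDO_CERTIFIED_L1plus": 1,
          "FIDO_CERTIFIED_L2": 2, "FIDO_CERTIFIED_L2plus": 2, "FIDO_CERTIFIED_L3": 3}
# Statuses that void any earlier certification.
BLOCKING = {"REVOKED", "ATTESTATION_KEY_COMPROMISE", "USER_VERIFICATION_BYPASS",
            "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}

# CONSTRUCTED entries in MDS3 BLOB shape; the AAGUIDs are placeholders.
MDS_ENTRIES = [
    {"aaguid": "00000000-0000-4000-8000-0000000000a1",
     "metadataStatement": {"keyProtection": ["software"]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2024-01-01"}]},
    {"aaguid": "00000000-0000-4000-8000-0000000000b2",
     "metadataStatement": {"keyProtection": ["hardware", "secure_element"]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2024-01-01"}]},
    {"aaguid": "00000000-0000-4000-8000-0000000000c3",
     "metadataStatement": {"keyProtection": ["hardware"]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-01-01"},
                       {"status": "REVOKED", "effectiveDate": "2024-06-01"}]},
]


def certified_level(entry: dict) -> int:
    """Highest certification level reached; 0 if never certified or later blocked."""
    level = 0
    for report in sorted(entry.get("statusReports", []),
                         key=lambda r: r.get("effectiveDate", "")):
        status = report.get("status", "")
        if status in BLOCKING:
            return 0
        level = max(level, LEVELS.get(status, 0))
    return level


def evaluate(aaguid: str, entries: list = MDS_ENTRIES) -> tuple:
    """Return (accepted, reason) for a registration presenting this AAGUID.
    An AAGUID missing from metadata (e.g. attestation "none") is untrusted."""
    entry = next((e for e in entries if e["aaguid"] == aaguid), None)
    if entry is None:
        return False, "Attestation not trusted: AAGUID not in metadata"
    level = certified_level(entry)
    if level < POLICY["min_level"]:
        return False, f"certification level {level} below required {POLICY['min_level']}"
    protection = entry["metadataStatement"].get("keyProtection", [])
    if POLICY["key_protection"] not in protection:
        return False, f"key protection {protection} does not include hardware"
    return True, f"accepted (level {level}, {protection})"
```

A real deployment would load the signed MDS BLOB, verify its JWT signature and chain, and match the AAGUID from the authenticator data, which this constructed example omits.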