FIDO2: Manage username-less sites (max. 50)

Dear all,

  1. is there a way (Browser code, USB app…) to manage the 50 slots that the Nitrokey FIDO2 provides for storing username-less credentials?

  2. On GitHub there were commits stating that on a firmware flash the resident keys are gone. What would be the correct procedure to perform the update, once the stick is in use and a firmware reflash is needed, short of re-registering the stick again on all sites?

Thank you,

Michael.

PS: The reason I am asking is that if I cannot manage the RKs, I would probably do a lot of testing on one key without using that one in production and completely reset it (if this is possible) before actually using it.

Dear Michael,

  1. You should be able to manage the RKs over Google Chrome on non-Windows OSes. In the future we should prepare one additional tool for doing that on the command line.
  2. I think you are referring to the transition between major releases, specifically 1.x -> 2.x. The decision was made to not migrate the user data in this upgrade path, since the RKs were not properly constructed earlier and thus not usable in the next version. The non-RK key was migrated for both FIDO2 and FIDO U2F. In the next releases we plan to maintain user data in all upgrades whenever feasible.

Regarding point 1 and Google Chrome, it is available either via direct configuration URL:

  • chrome://settings/securityKeys

or by following the path:

  • Settings -> Privacy and security -> Security -> Manage security keys -> Fingerprints

Privacy and security window:

Security keys window:

Let me know in case of further questions.

Best regards,
Szczepan

Dear Szczepan,

thank you for the explanation to #2.

Regarding #1, I tried that now with the latest Chrome on macOS Mojave. None of the options worked; these were the messages:

  • This security key doesn’t support PINs
  • This security key can’t store any sign-in data
  • Your security key can’t store fingerprints
  • Resetting does not work at all, no messages.

So I am hoping that you can release an Electron app which allows using the security key on multiple platforms and removing no longer needed keys once the 50 slots are full.

Thank you for your time!

Michael.
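
The Chrome messages quoted above ("doesn't support PINs", "can't store any sign-in data", "can't store fingerprints") map to capabilities a key advertises in its CTAP2 authenticatorGetInfo response: the clientPin, credMgmt and bioEnroll options and the hmac-secret extension. The following is an added example, not code from the thread or from Nitrokey: it decodes such a response with a minimal CBOR decoder and summarises those flags, using two hand-constructed responses (placeholder AAGUID) so it runs without a device.

```python
# Added example (not from the thread or Nitrokey): a minimal CBOR decoder for CTAP2
# authenticatorGetInfo responses and a summary of the advertised capabilities.
def _decode(buf, pos):
    """Decode one CBOR item at buf[pos]; return (value, position after it)."""
    head, pos = buf[pos], pos + 1
    major, n = head >> 5, head & 0x1F
    if 24 <= n <= 26:                                    # 1/2/4-byte argument follows
        w = 1 << (n - 24); n, pos = int.from_bytes(buf[pos:pos + w], "big"), pos + w
    elif n > 26:
        raise ValueError("unsupported CBOR header 0x%02x" % head)
    if major == 0: return n, pos                                     # unsigned int
    if major == 1: return -1 - n, pos                                # negative int
    if major == 2: return bytes(buf[pos:pos + n]), pos + n           # byte string
    if major == 3: return buf[pos:pos + n].decode("utf-8"), pos + n  # text string
    if major == 4:                                                   # array
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos); items.append(item)
        return items, pos
    if major == 5:                                                   # map
        d = {}
        for _ in range(n):
            k, pos = _decode(buf, pos); d[k], pos = _decode(buf, pos)
        return d, pos
    if major == 7 and n in (20, 21, 22): return {20: False, 21: True, 22: None}[n], pos
    raise ValueError("unsupported CBOR major type %d" % major)

def capabilities(response):
    """Summarise a getInfo response: CTAP status byte, then a CBOR map keyed 1..n."""
    if response[0] != 0x00:
        raise ValueError("CTAP error status 0x%02x" % response[0])
    info, end = _decode(response, 1)
    if end != len(response):
        raise ValueError("trailing bytes after the getInfo map")
    opts, exts = info.get(4, {}), info.get(2, [])        # 4 = options, 2 = extensions
    return {
        "pin": opts.get("clientPin"),       # None: no PIN support; False: not set; True: set
        "resident_keys": opts.get("rk", False),
        "cred_mgmt": bool(opts.get("credMgmt") or opts.get("credentialMgmtPreview")),
        "bio_enroll": bool(opts.get("bioEnroll") or opts.get("userVerificationMgmtPreview")),
        "hmac_secret": "hmac-secret" in exts,
    }

# Hand-constructed responses (placeholder AAGUID): FULL_FEATURED advertises rk, clientPin
# (not yet set), credMgmt and hmac-secret; LIMITED advertises only rk.
FULL_FEATURED = bytes.fromhex("00a4" "0182684649444f5f325f30665532465f5632"
    "02816b686d61632d736563726574" "035000112233445566778899aabbccddeeff"
    "04a362726bf569636c69656e7450696ef468637265644d676d74f5")
LIMITED = bytes.fromhex("00a3" "0182684649444f5f325f30665532465f5632"
    "035000112233445566778899aabbccddeeff" "04a162726bf5")
```

A key that answers like LIMITED is exactly one for which a browser has nothing to offer under PIN, sign-in data or fingerprint management, whatever the firmware version string says.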

Hi,
Looks like I also have problems with the Nitrokey FIDO2:
I also tried the Nitrokey FIDO2 with webauth.io and with https://demo.yubico.com/playground.
On both, FIDO2 passwordless does not work! U2F works.
I also tried the Chrome settings as mentioned above:
Same problem, security key does not support a pin.
I have following key: Nitrokey FIDO2 2.2.0

Am I right that some FIDO2 features are not available now?
(from https://static.solokeys.com/en/start/faq/)

  1. Can I use Solo for two-factor authentication?
  • Yes
  2. Can I use Solo for password-less login in Windows 10?
  • Not yet (we’re missing the hmac-secret extension, details here)
  3. Can I use Solo for password-less login in …?
  • In theory yes, let us know if you find any service supporting password-less login!
  4. Can I use Solo for OpenGPG or SSH?
  • Not yet
  5. Can I use Solo to store passwords?
  • Not yet

Hi!

Thank you for the report @michaelrommel @alois . We will definitely check this. All should work with the latest v2.2.0 firmware. By design it should work with Google Chrome and any desktop applications handling FIDO2 devices - no need for additional application. We plan to add such in the future, but not as a requirement.

@alois The posted article is outdated. hmac-secret is supported. Custom password store, OpenGPG and SSH not.

Edit: registered as https://github.com/Nitrokey/nitrokey-fido2-firmware/issues/61

@alois Which operating system, browser and version have you used in your FIDO2 password-less tests?

Hi,
I use Ubuntu 20.04 and tried both browsers:
Firefox: 84.0.1 (64-bit)
Chrome: 86.0.4240.183 (64-bit)

I just tried to secure a Microsoft account with the key.
So there is a real application.
Looks like they only support passwordless. (description: without username and password)
Tried this with chrome and my nitrokey.
Still without success.