I have had the new FIDO2 stick for a few days. Having already gathered some experience with the SOLO-FIDO2, I am somewhat surprised that I only need to insert the Nitrokey-FIDO2 into the USB slot, and do not additionally have to press a button as with the SOLO-Key. If the Nitrokey is already in the slot, the LED does blink, but no pressing/stroking/touching helps; it has to come out and go back in. Is that correct? OS is Win10, test object is a Google account.
Thanks and regards
We have decided to interpret the event of device insertion as an equivalent of the user presence (UP) confirmation, which makes it easier to use. This means the device accepts without touching the button any (single) request in the first 2 seconds of its insertion. This is a difference to Solokey.
About the second case, when the device is already inserted: it is supposed to wait for the touch button. In some cases under Windows 10 and the Chrome browser the requests are doubled, which means the device would require 2 touches to confirm, since the first reply is discarded by the OS. In the current implementation each touch confirms only one request (a difference to Solokey, which confirms all incoming requests while the touch is pressed). If this is the case, please try to make two distinct touches, by releasing the touch and pressing again.
The FIDO2 proxy implementation on the Windows 10 side is still evolving. However, if this does not change in the near future, we will have to implement some workaround for the sake of convenience.
I will try to reproduce this after holidays, and add proper fixes.
- What browser do you use?
- And what Windows build?
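As an added illustration (not code from this thread or from Nitrokey's firmware), a small Python model of the user-presence policy described above: a single request within the insertion window is accepted without a touch, later requests wait for a touch, and each touch confirms one request, while the `per_touch_confirms_all` switch models the Solokey behaviour. The class and function names, the 2-second window and the request timings are assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Fido2Request:
    id: int
    t: float  # seconds since the device was inserted (constructed values)


@dataclass
class UpSimulator:
    """Model of the user-presence (UP) handling described in the thread."""
    insert_window: float = 2.0          # seconds after insertion counting as UP
    per_touch_confirms_all: bool = False  # True models the Solokey policy
    insert_used: bool = False           # only one request is accepted this way
    pending: List[int] = field(default_factory=list)
    confirmed: List[int] = field(default_factory=list)

    def request(self, req: Fido2Request) -> None:
        """A request right after insertion is confirmed without a touch;
        anything later (or a second early request) waits for a touch."""
        if req.t <= self.insert_window and not self.insert_used:
            self.insert_used = True
            self.confirmed.append(req.id)
        else:
            self.pending.append(req.id)

    def touch(self) -> List[int]:
        """One physical press. Nitrokey: confirms exactly one pending request.
        Solokey model: confirms every request pending while pressed."""
        if not self.pending:
            return []
        if self.per_touch_confirms_all:
            done, self.pending = self.pending, []
        else:
            done = [self.pending.pop(0)]
        self.confirmed.extend(done)
        return done


def simulate(requests, touches: int, **policy):
    """Feed requests, then apply the given number of touches.
    Returns (confirmed ids, still-pending ids)."""
    dev = UpSimulator(**policy)
    for r in requests:
        dev.request(r)
    for _ in range(touches):
        dev.touch()
    return dev.confirmed, dev.pending
```

With a doubled request (the Windows 10 / Chrome case) one touch leaves the second request pending, which is why the advice is to touch twice; the Solokey-style policy clears both with one press.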
Thanks for your answer. My browser is Firefox Version 71.0, Windows 10 Build is Version 1909 Build 18363.535.
Thank you for the details. Please let me know, whether the second press was working for you.
Please feel free to send me a reminder if I take too long to reply after the holidays.
Pressing the button has no effect at all, only inserting into the USB slot. Tested with a Google account.
Google was a bit specific in the past (e.g. it only allowed registration of keys via Chrome). Did you already try other platforms? Did you try Chrome? Maybe this is (again) bound to Google-specific handling of FIDO devices.
Indeed, that theory would fit if it did not work with Firefox with the device reinsertion. It does, however, hence the confusion.
I have the same issue using a FIDO2 Nitrokey as U2F token on Firefox 73 / Linux.
The key is recognized when plugging it into the USB port during the authentication process.
But if the Nitrokey is already plugged in, the login page waits for a keypress and no kind of touch / press on the Nitrokey seems to help.
Tried with two different FIDO2 Nitrokeys on USB 2.0 and USB 3.0 ports (directly connected and via hub).
The website is a nextcloud instance with twofactor_u2f authentication app.
Another test with libpam_u2f results in the same behaviour.
Plugging in the FIDO2 stick within the 10 seconds works:
~$ pamu2fcfg > u2f-test
No U2F device available, please insert one now, you have 10 seconds
Touch / key press on plugged in FIDO2 stick is not recognized:
~$ pamu2fcfg > u2f-test2
Unable to generate registration challenge, error in transport layer (-2)
Some devices of our first production batch suffer such issue indeed. Please return problematic devices to us and reach out to us for replacements.
Did you check all the FIDO2 keys you sent out as replacements? Mine, which I got as a replacement for the non-functional button on the first one, is too broken for this functionality. So in summary, out of 3 keys I got one that works correctly. Sorry to say, but I give up. I will use the defective key for all devices I have to plug in, so I do not run into this problem (fortunately you check the USB plug-in event).