How many Passkeys can be stored on a Nitrokey?

Nitrokeys
21

Hi,

My NK3C still shows only 10 slots (firmware 1.8.3).

Is this expected?

22

btw. you can manage the passkeys (and also see which webpages have registered them) using Chromium using chrome://settings/securityKeys

23

For the Nitrokey 3C or 3A the number of passkey is 35 as said here:

This number is the maximum but if you use other features such as OpenPGP or PIV this number will be lower since the space is used dynamically.

24

Hi,

Checked again with fido2-token -I and nitropy fido2 list-credentials, and both show 5 credentials and 7 remaining (estimated).

GPG and PIV are not in use currently.

Edit: there are a few (single digits?) credentials and TOTPs stored, but I’d hope they don’t take the space of 30 resident passkeys :sweat_smile: .

1 Like
25

My Nitrokey 3 NFC shows this using nitropy fido2 list-credentials:

[…]
There are 17 registered credentials
[…]
There is an estimated amount of 0 credential slots left

That really sucks – 17 is WAY too few for my requirements :frowning:

My Yubikey 5C NFC has space for 100 (!) passkeys and my Swissbit iShield Key 2 Pro even supports 300 (!!!) passkeys.

A Feitian K40 supports 26 passkeys. Also way too few. Sigh.

26

Interesting: https://www.nitrokey.com/blog/2025/nitrokey-3-firmware-v182-more-passkeys-bitcoin-curve

One of the most significant improvements is the removal of the FIDO2 passkey limit. Dynamic memory calculation now allows significantly more passkeys to be stored:

  • Nitrokey 3 NFC: Up to 25 passkeys

  • Nitrokey 3A Mini: Up to 100 passkeys

The FAQ entry says the limit is 35, but the blog article says it’s 25. One of both has a typo, I suppose…

27

I updated the firmware of my Nitrokey 3C NFC from v1.8.2 to the latest v1.8.3 using nitropy nk3 update (instead of using the Nitrokey App which didn’t work).

The command nitropy fido2 list-credentials shows the same limit as before (17):

[…]
There are 17 registered credentials
[…]
There is an estimated amount of 0 credential slots left

Sigh.

Now it get’s interesting:

I thought about the possibility that I might need to set the config settings opcard.disabled and piv.disabled to true, so I did that using nitropy nk3 set-config piv.disabled true (I had to cut power to the NK3 afterwards, as it didn’t came up again) and nitropy nk3 set-config opcard.disabled true (no power cut needed afterwards).

Still, the output of nitropy nk3 status showed the same amount of free blocks as before (4/465):

PS C:\Users\foo> nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.11.4
UUID:               3945C90DD1AEE659BC3101E99E6F3EBE
Firmware version:   v1.8.3
Init status:        ok
Free blocks (int):  4
Free blocks (ext):  465
Variant:            LPC55
PS C:\Users\foo>

It showed the same output after running nitropy nk3 factory-reset-app opcard.

Then, I ran nitropy nk3 test just out of curiosity and oh!, it showed 1 failed test (status => IFS block count critical (4)):

PS C:\Users\foo> nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.11.4
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at \\?\hid#vid_20a0&pid_42b2&mi_01#c&13a18cb7&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

Running tests for Nitrokey 3 at \\?\hid#vid_20a0&pid_42b2&mi_01#c&13a18cb7&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

[1/5]   uuid            UUID query                      SUCCESS         3945C90DD1AEE659BC3101E99E6F3EBE
[2/5]   version         Firmware version query          SUCCESS         v1.8.3
[3/5]   status          Device status                   FAILURE         IFS block count critical (4)
Running SE050 test: |
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (28212,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           SUCCESS

5 tests, 4 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Critical error:
Test failed for 1 device(s)

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: 'C:\Users\foo\AppData\Local\Temp\nitropy-20260323T231032-eya2rk6x.log' with any support/help request!
--------------------------------------------------------------------------------

PS C:\Users\foo>

Hmm. I re-enabled opcard and piv using nitropy nk3 set-config opcard.disabled false and nitropy nk3 set-config piv.disabled false.

After that, nitropy nk3 status surprisingly showed different amounts of free blocks (now 10/470 when they were 4/465 before):

PS C:\Users\foo> nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.11.4
UUID:               3945C90DD1AEE659BC3101E99E6F3EBE
Firmware version:   v1.8.3
Init status:        ok
Free blocks (int):  10
Free blocks (ext):  470
Variant:            LPC55
PS C:\Users\foo>

WTF?! =)

Also, nitropy nk3 test now shows no failure anymore:

PS C:\Users\foo> nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.11.4
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at \\?\hid#vid_20a0&pid_42b2&mi_01#c&13a18cb7&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

Running tests for Nitrokey 3 at \\?\hid#vid_20a0&pid_42b2&mi_01#c&13a18cb7&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

[1/5]   uuid            UUID query                      SUCCESS         3945C90DD1AEE659BC3101E99E6F3EBE
[2/5]   version         Firmware version query          SUCCESS         v1.8.3
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus.0: 0>, ifs_blocks=10, efs_blocks=470, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (28212,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           SUCCESS

5 tests, 5 successful, 0 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed
PS C:\Users\foo>

Oh, wow, nitropy fido3 list-credentials now shows that 1 slot is left:

[…]
There is an estimated amount of 1 credential slots left

So, that increases the total number from 17 to 18, but still not anywhere close to 25 or even 35.

Is the NK3C NFC some sort of gambling device? :wink:

Hmm, the migration notes of firmware v1.8.2 shed some light on it:

This updates will change the way internal data is stored for the FIDO application in order to reduce data usage.
[…]
To solve this, you can do some operations that will free up space on the internal filesystem:
[…]
Factory resetting the other applications
While applications other than the FIDO application use mainly the external filesystem, they still use the internal filesystem for some critical state.

I guess I should try a complete factory reset of my NK3C, losing all of the FIDO2 keys already stored on it :frowning: Actually not a big problem as I have used to stored additional FIDO2 keys on my Swissbit iShield Key 2 Pro and my Yubikey 5C NFC (so 3 keys in total for every account), but still a hassle.

28

Well, I did a complete factory reset of the NC3 and after re-adding it everywhere it now shows 5 used, 11 left (estimated).

Compared to the previous 7 total it’s an improvement, but still less than half of what is advertised :unamused_face: .