I am currently doing 2FA with a TOTP (Aegis) for logging in to GitHub. However, I would like to use my Nitrokey 3 for passwordless (FIDO2) login. Did someone already get this to work and can tell me how?
On “Passwordless sign-in with passkeys” I can click on “Add a passkey”. But registering the key always fails without a real error message (just “Passkey registration failed.”). When I set up the Nitrokey as a 2FA token before (which works like a charm), GitHub correctly detects the already known key and asks me to upgrade it for passwordless login. However, this always fails with the message “Existing security key ‘Nitrokey3’ isn’t passkey eligible.”
NK3 firmware is up-to-date.
Can anyone tell me how to enable passwordless login, or at least how to find out more details about what’s going wrong?
Thanks. The workflow isn’t exactly as described there (I think the documentation is just a bit outdated), i.e. I don’t see the mentioned Upgrade to passkey page. Instead, I get a Confirm existing registration page. When I confirm the existing key, I simply get the “Existing security key ‘Nitrokey3’ isn’t passkey eligible.” error message without further information about what’s going wrong.
I’ve already removed and re-registered the key several times.
What exactly does it need to make my key “eligible” for passwordless login? Should it work with NK3 at all (i.e. is it a problem on my machine/browser) or is the hardware just not supported?
Thanks for the firmware hint. I was still on 1.6 and just upgraded. Unfortunately, the behaviour doesn’t change in any way.
nitropy nk3 test doesn’t report any errors; is that what you mean by “Test your stick”? Also, registration and login at https://webauthn.io/ (a passkey test service) work without any problems.
Maybe I’m simply the first one ever trying this with Nitrokey and GitHub. I think I will ask there for help. Thank you for your support, @geoW!
Recently I performed a factory reset of my Nitrokey 3 Mini and updated to the latest beta firmware 1.7.0. So I was able to test the registration with GitHub with my key. I just followed the onscreen instructions on Windows 10 and Firefox.
Before you can do this, did you set up a PIN? After tests with webauthn.io, do you have space left for a resident key? I also had to cancel Windows HELLO as the passkey provider to access the next dialog where I could select my Nitrokey. After that, I got prompted to acknowledge the creation of a discoverable resident key on the device. I needed to enter my PIN and got asked to remove and insert the Nitrokey again. After entering my PIN, I could validate the passkey and it was shown in my GitHub account.
I validated the login in a private Firefox tab. I could log in to GitHub just using my Nitrokey with my PIN.
Thank you @nku, that’s it! I did not set a FIDO2 PIN.
After setting a PIN (with nitropy fido2 set-pin), GitHub offered the Passkey upgrade mentioned by @geoW, which also succeeded this time. Now I’m happy to log in without a password.
Maybe a bit irritating: The nitropy fido2 list command doesn’t display the Nitrokey3 as FIDO2 device, even though all the fido2 commands work on it (it definitely IS a FIDO2 stick).
Thank you all for your help, and have a nice weekend!
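
The two preconditions raised in this thread (a FIDO2 PIN is set, and there is room for another resident key) can be read from the authenticator's CTAP2 getInfo response. The following is an added example, not code from any post above or from Nitrokey or GitHub. It assumes the response has already been decoded into a map with integer keys, the function name `passkey_blockers` is hypothetical, and the sample responses are constructed.

```python
# Added example, not from the thread. Input is an already-decoded CTAP2
# authenticatorGetInfo response (CBOR map with integer keys).
VERSIONS = 0x01       # list of supported protocol versions
OPTIONS = 0x04        # map of option name -> bool
REMAINING_RK = 0x14   # CTAP 2.1: remainingDiscoverableCredentials


def passkey_blockers(info):
    """Return the reasons a passkey cannot be created on this authenticator.

    Assumption: the site asks for a discoverable (resident) credential with
    user verification, which matches the behaviour described in the thread.
    """
    blockers = []
    if not any(v.startswith("FIDO_2") for v in info.get(VERSIONS, [])):
        blockers.append("no CTAP2 support reported")
    opts = info.get(OPTIONS, {})
    if not opts.get("rk", False):  # absent means not supported
        blockers.append("resident keys not supported")
    # clientPin / uv are tri-state: absent = unsupported,
    # False = supported but not configured, True = ready to use.
    pin, uv = opts.get("clientPin"), opts.get("uv")
    if pin is not True and uv is not True:
        if pin is False:
            blockers.append("FIDO2 PIN not set (nitropy fido2 set-pin)")
        else:
            blockers.append("no user verification method")
    remaining = info.get(REMAINING_RK)  # optional field; None = unknown
    if remaining is not None and remaining <= 0:
        blockers.append("no space left for a resident key")
    return blockers


# Constructed sample responses (not captured from a real Nitrokey 3).
NO_PIN = {VERSIONS: ["U2F_V2", "FIDO_2_0", "FIDO_2_1"],
          OPTIONS: {"rk": True, "up": True, "clientPin": False},
          REMAINING_RK: 10}
PIN_SET = {**NO_PIN, OPTIONS: {"rk": True, "up": True, "clientPin": True}}
FULL = {**PIN_SET, REMAINING_RK: 0}

if __name__ == "__main__":
    for name, info in [("no PIN", NO_PIN), ("PIN set", PIN_SET), ("full", FULL)]:
        print(f"{name}: {passkey_blockers(info) or 'ready for passkey registration'}")
```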