How to set up passwordless login to GitHub?


I am currently doing 2FA with a TOTP (Aegis) for logging in to GitHub. However, I would like to use my Nitrokey 3 for passwordless (FIDO2) login. Did someone already get this to work and can tell me how?

On "Passwordless sign-in with passkeys" I can click on “Add a passkey”. But registering the key always fails without a real error message (just “Passkey registration failed.”). When I set up the Nitrokey as 2FA token before (which works like a charm), GitHub correctly detects the already known key and asks me to upgrade it for passwordless login. However, this always fails with the message “Existing security key ‘Nitrokey3’ isn’t passkey eligible.”

NK3 firmware is up-to-date.

Can anyone tell me how to enable passwordless login, or at least how to find out more details about what’s going wrong?

Thanks in advance,

Not sure, take this advice: "Upgrading an existing security key to a passkey" from the GitHub site.

Thanks. The workflow isn’t exactly as described there (I think the documentation is just a bit outdated), i.e. I don’t see the mentioned Upgrade to passkey page. Instead, I get a Confirm existing registration page. When I confirm the existing key, I simply get the “Existing security key ‘Nitrokey3’ isn’t passkey eligible.” error message without further information about what’s going wrong. :slightly_frowning_face:

I’ve already removed and re-registered the key several times.

What exactly does it need to make my key “eligible” for passwordless login? Should it work with NK3 at all (i.e. is it a problem on my machine/browser) or is the hardware just not supported?

I think it is first a setup question on GitHub.
Test your stick, check firmware, latest is very new - 1.7.0.

Thanks for the firmware hint. I was still on 1.6 and just upgraded. Unfortunately, the behaviour doesn’t change in any way.

nitropy nk3 test doesn’t report any errors, is that what you mean by “Test your stick”? Also, registration and login at (a passkey test service) works without any problems.

Maybe I’m simply the first one ever trying this with Nitrokey and Github. I think I will ask there for help. Thank you for your support, @geoW!

Recently I performed a factory reset of my Nitrokey 3 Mini and updated to latest beta firmware 1.7.0. So I was able to test the registration with GitHub with my key. I just followed the onscreen instructions on Windows 10 and Firefox.

Before you can do this, did you set up a PIN? After tests with, do you have space left for a resident key? I also had to cancel Windows Hello as the passkey provider to access the next dialog where I could select my Nitrokey. After that, I got prompted to acknowledge the creation of a discoverable resident key on the device. I needed to enter my PIN and got asked to remove and insert the Nitrokey again. After entering my PIN, I could validate the passkey and it was shown in my GitHub account.

I validated the login in a private Firefox tab. I could log in to GitHub just using my Nitrokey with my PIN.

Yes, I’m a DAU in this subject too, and not using GitHub.
Now we have weekend and “short” weeks, you may ask your question in the Matrix room

There answers the chef himself. :grinning:

Thank you @nku, that’s it! I did not set a FIDO2 PIN :innocent:

After setting a PIN (with nitropy fido2 set-pin), GitHub offered the Passkey upgrade mentioned by @geoW, which also succeeded this time. Now I’m happy to log in without password.

Maybe a bit irritating: The nitropy fido2 list command doesn’t display the Nitrokey3 as FIDO2 device, even though all the fido2 commands work on it (it definitely IS a FIDO2 stick).

Thank you all for your help, and have a nice weekend!

Glad to hear it worked!

Historically, there was a separate FIDO2 Nitrokey that this nitropy fido2 command was meant for.
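
Added example (not part of the thread, and not Nitrokey's or GitHub's code): the two questions asked above, "did you set up a PIN?" and "do you have space left for a resident key?", written as a pre-flight check over the options map a FIDO2 authenticator returns from CTAP2 authenticatorGetInfo. The function name and the sample maps are constructed for illustration, and GitHub's exact eligibility rules are not stated in this thread, so the checks are an assumption based on what fixed the problem here.

```python
"""Pre-flight check for passkey registration, based on CTAP2 getInfo fields."""
from typing import List, Optional


def passkey_blockers(options: dict,
                     remaining_discoverable: Optional[int] = None) -> List[str]:
    """Return reasons a passkey registration would likely fail ([] = ready).

    options: the 'options' map from authenticatorGetInfo.
    remaining_discoverable: free resident-key slots, if the device reports them.
    """
    blockers = []

    # 'rk': the authenticator can store discoverable (resident) credentials.
    if not options.get("rk", False):
        blockers.append("no discoverable-credential (rk) support")

    # 'clientPin': absent = PIN unsupported, False = supported but not set,
    # True = PIN set. This was the missing piece in the thread above.
    pin = options.get("clientPin")
    # 'uv': True only when a built-in user verification method is configured.
    builtin_uv = options.get("uv") is True
    if pin is not True and not builtin_uv:
        if pin is False:
            blockers.append("FIDO2 PIN not set")
        else:
            blockers.append("no user verification method available")

    # A passkey occupies a resident-key slot on the device.
    if remaining_discoverable is not None and remaining_discoverable <= 0:
        blockers.append("no free resident-key slots")

    return blockers


# Constructed sample option maps (not captured from a real device).
NO_PIN = {"rk": True, "up": True, "clientPin": False}
PIN_SET = {"rk": True, "up": True, "clientPin": True}

if __name__ == "__main__":
    for name, opts in (("no PIN", NO_PIN), ("PIN set", PIN_SET)):
        print(name, "->", passkey_blockers(opts) or "ready for passkey registration")
```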