ID-Austria does not accept Nitrokey 3A NFC

ID-Austria is the Austrian government identity provider offering WebAuthn and hardware tokens, see compatible devices. The site lists “Tokens that support FIDO2, Level 2 certified, with WebAuthn”

When registering with my Nitrokey 3A NFC I get:

"A-Trust wants to see the make and the model of the ..."

Fehler: Dieser FIDO-Sicherheitsschlüssel konnte nicht verifiziert werden.

SessionId: A4_RXOX.................

Is the Nitrokey 3A NFC not FIDO2 Level 2 certified with WebAuthn? If it is, will you get in contact with A-Trust to enable your Nitrokey 3A FIDO2 keys?

My Nitrokey verified correctly:

user@debian:~$ .venv/bin/nitropy fido2 verify
Command line tool to interact with Nitrokey devices 0.4.38
Enter PIN:
Touch your authenticator device now...
found device: Nitrokey 3 A NFC...

I sometimes see problems with other websites if one rejects all cookies or only accepts some of them. For registration one can accept more cookies, and for login, from my experience, one can just accept minimal cookies.

Which browser are you using?

See also: Nitrokey 3c NFC (FW v1.5) funktioniert weder bei Microsoft noch bei Google - #3 by mepi0011

Using Brave browser v1.56.20 (Aug 3, 2023).

Even without private tab the response is:

a-trust wants to see the make and model of your security-key → Allow

Fehler: Dieser FIDO-Sicherheitsschlüssel konnte nicht verifiziert werden.
SessionId: A7_QYP...

According to ID-Austria the FIDO Alliance page does not list the Nitrokey 3A NFC. Only tokens listed there are allowed to be accepted by ID Austria. Seems the level 2 certification is missing for the Nitrokey.

According to the ID-Austria service provider a-trust there is no formal admission process, but as soon as the Nitrokey is listed with the required certifications by the FIDO Alliance, manufacturer Nitrokey could send a test token to a-trust and they will accept the key.

I confirm: ID-Austria requires FIDO2 level 2 certified authenticator devices, which Nitrokey doesn’t have.

BTW: We are aiming for a level 1 certification in the coming months but this wouldn’t satisfy ID-Austria.
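
The posts above describe a relying party that accepts only authenticators listed by the FIDO Alliance with Level 2 certification. The following is an added example, not part of the thread and not A-Trust's or Nitrokey's code, of how such a gate can be built on the status reports published in the FIDO Metadata Service. It assumes the relying party requested attestation and already verified the attestation signature; the AAGUIDs and metadata entries are constructed samples, and the function names are hypothetical.

```python
# Added example (not from the thread): gate registration on FIDO certification level.
# Status names are FIDO Metadata Service (MDS3) AuthenticatorStatus values.
# Assumes the attestation signature was already verified, so the AAGUID is trusted.

LEVELS = {
    "FIDO_CERTIFIED": 1, "FIDO_CERTIFIED_L1": 1, "FIDO_CERTIFIED_L1plus": 1,
    "FIDO_CERTIFIED_L2": 2, "FIDO_CERTIFIED_L2plus": 2,
    "FIDO_CERTIFIED_L3": 3, "FIDO_CERTIFIED_L3plus": 3,
}
DISQUALIFYING = {
    "REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE",
}

# Constructed sample metadata keyed by AAGUID (placeholder values, not real devices).
SAMPLE_METADATA = {
    "00000000-0000-0000-0000-0000000000a2": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L1"}, {"status": "FIDO_CERTIFIED_L2"}]},
    "00000000-0000-0000-0000-0000000000a1": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L1"}]},
    "00000000-0000-0000-0000-0000000000a0": {"statusReports": [
        {"status": "NOT_FIDO_CERTIFIED"}]},
    "00000000-0000-0000-0000-0000000000ff": {"statusReports": [
        {"status": "FIDO_CERTIFIED_L2"}, {"status": "REVOKED"}]},
}

def certification_level(entry):
    """Highest certified level in the status reports; 0 if none or disqualified."""
    statuses = [r.get("status") for r in entry.get("statusReports", [])]
    if DISQUALIFYING.intersection(statuses):
        return 0
    return max((LEVELS.get(s, 0) for s in statuses), default=0)

def check_registration(aaguid, metadata, min_level=2):
    """Return (accepted, reason) for an authenticator identified by its AAGUID."""
    entry = metadata.get(aaguid.lower())
    if entry is None:
        return False, "AAGUID not listed in metadata"
    level = certification_level(entry)
    if level < min_level:
        return False, f"certified level {level} below required level {min_level}"
    return True, f"certified level {level}"

if __name__ == "__main__":
    for sample_aaguid in list(SAMPLE_METADATA) + ["00000000-0000-0000-0000-00000000dead"]:
        print(sample_aaguid, check_registration(sample_aaguid, SAMPLE_METADATA))
```

A device that passes its own self-test can still fail this check, because the decision depends on the metadata listing rather than on how the token behaves.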


@jan do you have a brief description of what these certification levels entail and what the (security?) promise is that follows from them?

I had this issue because in an Azure AD (now Entra ID) someone set a policy requiring this certification. I don’t know which certification level was required, but essentially the Nitrokey 3 got rejected as MFA token.

But from what I understood when I researched this topic, there only seem to be certain more or less bureaucratic requirements which in turn are supposed to guarantee that the manufacturer doesn’t clone the tokens. But as guarantees go, this sounded like a rather weak one at the level of “I promise” (or for German speakers “Indianerehrenwort”).

So the value in getting this certification is mostly the peer pressure from other manufacturers that already certified their products, in conjunction with customers asking because some policy precludes their Nitrokey 3 from use in a given scenario? Anything else, though? …

See Certified Authenticator Levels - FIDO Alliance for details. It’s not a bureaucratic formality but requires a thorough technical evaluation.

Thank you!

Hi there!
I came across this thread because I was looking for an answer if Nitrokey would work with / for ID Austria. I’d rather trust a German product than … well, the others wherever they produce.

If I understand correctly at the moment Nitrokey products don’t work for the use with ID Austria. Correct?
Are there any plans to change that?


Similar for me - it’s clear that even L1 certification takes some time, but are you aiming for L2 certification? According to the FIDO Alliance link posted by @jan, there needs to be a certified lab involved and that sounds complicated: “For Level 2 and higher, it is recommended that the Vendor contact a FIDO Accredited Security Laboratory early to work out contract and NDA details so the Vendor and the Lab are ready for the Security Evaluation process, and so the Accredited Security Laboratory can be listed as part of the Authenticator Certification Application step.”

In any case, if I can help somehow to make ID Austria accept the Nitrokey, I’d be happy!

