Is the Nitrokey 3A NFC definitely compatible with the FIDO2 standard?

In Poland, there are 2 banks that theoretically allow the use of FIDO2-compliant U2F keys (ING and PKO BP).

Unfortunately, when trying to add Nitrokey 3A NFC keys, the operation fails.

PKO BP Bank responded to my complaint that now it only allows using YUBICO keys.

Both banks write on their websites that any key purchased from an electronics store, compliant with the FIDO2 standard, will suffice.

ING bank, on the other hand, shows the message “Device does not support FIDO2” on the screen when refusing to accept the key.

I wrote an article on LinkedIn because I believe this is either an unfinished implementation or a vendor lock-in.

This case is evolving.
What worries me, however, is that I don’t see that the NITROKEY 3A NFC is certified to support FIDO2.
I checked this register: FIDO® Certified - FIDO Alliance

The only certified key is the NITROKEY 3A mini.
I want to be sure that NITROKEY 3A NFC is definitely certified and FIDO2 compliant!
Does NITROKEY have such certification, or is it in the process of being obtained?

I’m afraid that at the next stage the banks will answer me that the NITROKEY 3A NFC is, after all, not compliant with the FIDO2 standard, because there is no certification.

I think this is still valid. More and more Nitrokey devices will get certified.

A Relying Party can choose the attestation and conformance level of the device.

The FIDO2 standard allows self-attestation.

However:

Some services though, such as those in the financial industry or the public sector, may be required to know more about the devices that are accessing their services. They must guarantee that encryption keys are secure, biometrics are of a certain level of accuracy, etc. This is where the second aspect of attestation comes in, which is enabling the service to trust that the registration request is coming from a specific model of FIDO authenticator.
FIDO TechNotes: The Truth about Attestation - FIDO Alliance

Whether it’s a smart move to require specific attestation levels for FIDO2 devices is debatable. It definitely is an entry barrier for open source implementations.

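To make the reply's point concrete (a relying party chooses how much attestation it demands, and FIDO2 itself permits self-attestation), here is an added example, not code from the forum, Nitrokey or either bank, of the registration-side policy check a WebAuthn server performs: it pulls the AAGUID out of the authenticator data and then accepts or rejects the key depending on the configured policy. The AAGUID values and credential bytes are constructed placeholders, and verification of the vendor certificate chain is assumed to happen elsewhere.

```python
import struct

AT_FLAG = 0x40  # authenticatorData flags bit: attested credential data present

def parse_auth_data(auth_data: bytes) -> dict:
    """Extract flags, counter and AAGUID from WebAuthn authenticatorData.
    Layout: rpIdHash(32) | flags(1) | signCount(4, BE) | attestedCredentialData
    attestedCredentialData = aaguid(16) | credIdLen(2, BE) | credId | COSE key"""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & AT_FLAG:
        raise ValueError("no attested credential data (not a registration)")
    aaguid = auth_data[37:53].hex()
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    return {"flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id}

def classify_attestation(fmt: str, att_stmt: dict) -> str:
    """Simplified attestation type: 'packed' without an x5c chain is
    self-attestation; any statement carrying x5c is vendor (basic) attestation."""
    if fmt == "none":
        return "none"
    if fmt == "packed" and "x5c" not in att_stmt:
        return "self"
    if "x5c" in att_stmt:
        return "basic"
    return "unknown"

def rp_accepts(policy: str, fmt: str, att_stmt: dict,
               auth_data: bytes, allowed_aaguids: set) -> bool:
    """Relying-party decision. 'any' keeps the public promise that every FIDO2
    key works; 'attested' demands a vendor chain AND an allow-listed model
    (AAGUID), which is what a bank limiting registrations to one vendor does.
    Assumption: the x5c signature chain was already validated by the caller."""
    att_type = classify_attestation(fmt, att_stmt)
    if policy == "any":
        return True
    if policy == "attested":
        return att_type == "basic" and \
            parse_auth_data(auth_data)["aaguid"] in allowed_aaguids
    raise ValueError(f"unknown policy {policy!r}")

def make_auth_data(aaguid: bytes) -> bytes:
    # Constructed sample: zero rpIdHash, flags UP|AT, counter 1, 16-byte AAGUID,
    # a 4-byte credential id and no public key (not needed for this check).
    return (b"\x00" * 32 + bytes([0x01 | AT_FLAG]) + struct.pack(">I", 1)
            + aaguid + struct.pack(">H", 4) + b"\xaa\xbb\xcc\xdd")

VENDOR_A = bytes(range(16))  # placeholder AAGUID, not a real vendor value
VENDOR_B = bytes(16)         # placeholder AAGUID, not a real vendor value
```

A self-attested key passes the "any" policy but fails "attested", which is exactly the gap between what the banks advertise and what their registration endpoint enforces.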