Nitrokey 3 C 2FA Discourse Forum does not register on Windows 10

Adding Nitrokey 3 C on this very forum as 2FA method does not work as expected on Windows 10.

Steps to reproduce:

  1. Reboot Windows 10
  2. Use Chrome, Firefox, Edge Browser (one at a time)
  3. Log in to Forum using Password and TOTP
  4. Adding new 2FA token
  5. Cancel first dialog to skip Windows Hello
  6. OK to allow access to hardware token
  7. Enter correct PIN for Nitrokey 3
  8. Cannot successfully enter PIN and activate token within time limit
  9. Try to login to Google
  10. Google 2FA with Nitrokey works fine

[System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      19044  0       

Same behavior/unable to register token on iOS

Now the strange thing:

Same Windows PC → VirtualBox → Debian 11.1 → Firefox ESR → USB Passthrough of Nitrokey 3C - adding key without PIN works just fine

After the device got registered, login works just fine on said browsers and iOS.

hey @nku,
mmh, that’s weird,

  • have you set a PIN for the Nitrokey 3?
  • can you confirm that registration works for any other FIDO2 device?
  • do you have the latest firmware on the Nitrokey 3?

In the meantime I’ll see if we can reproduce this

best

Firmware is latest. PIN is set and known to work. Yubikey NEO (FIDO U2F) / Onlykey (FIDO2) work right away. When I have access to my other FIDO2 device, I will test with a SOLO and Nitrokey FIDO2.

Could test it with Nitrokey FIDO2 and could register it. It was difficult for the touch to register. I needed to ground myself first. Maybe it has to do with myself not being properly grounded?

In general with the touch buttons you might need to make a short touch first to “reset” it, before making the actual gesture.
In the Nitrokey FIDO2 case you should see if the touch/tap is felt by the device due to the LED blinking being faster, before the touch gesture is accepted. There are no signals like that for the Nitrokey 3 at the moment.

Regarding the main issue, all browsers on Windows share the same WebAuthn driver, hence often only one test is required to check all of them.

Could you take the logs? Here is the procedure for it (tested on Chromium 100):

  1. Open chrome://device-log/
  2. Press Clear
  3. Execute the failing operation in another tab of the same Chrome window
  4. Press Refresh
  5. Save the webpage (e.g. with CTRL+S)

Here is the Device Log.

Chrome: Version 101.0.4951.67 (Official Build) (64-bit)

I tested several browsers to rule out that maybe some plugin is interfering. I don’t usually use Chrome and the profile is empty.

I also verified on Arch with the latest nitropy that I am using the latest 1.0.3 firmware and that the PIN is correct by running the test suite. The PIN does not contain ambiguous characters where the keyboard layout might be an issue.

I was able to change and change back the PIN on Windows using Settings->Sign-in Options->Security Key->Manage->Security Key PIN but it was necessary to unplug and insert the token.
