Nitrokey 3C NFC and Google 2FA not working

I received my Nitrokey 3C NFC and am currently adding the security key to my accounts. I’m using Firefox 94.0 on Ubuntu 21.10.

I could add the key to all sites (e.g., Cloudflare, Github, Gitlab, etc.) as expected, only Google 2FA does not want to cooperate.

When I click on “ADD SECURITY KEY” in “2-Step Verification”, I’m asked to insert the key and then tap it (this is when the green lamp turns green/orange(?)), and after the tap I only get “Something went wrong. Try again.”

If I try to add the key on my Android phone in the same dialog using NFC, I get the same error message.

I also used https://webauthn.bin.coffee/ to check whether everything is working, and it indeed works: Create Credential and Get Assertion gives me all green.

Hey @teakay,
this is a (pretty weird) known issue, we are looking into it, also already reported here, although it’s in German: Nitrokey 3: Schlüssel lässt sich nicht dem Google-Konto hinzufügen - #4 by robin-nitrokey

best

Got my Nitrokey 3A NFC and have the same issue with Google & Microsoft accounts.
Is there any news?

I have not even managed to set up 2FA with Nitrokey and YouTube. I can’t get a code even manually from them it seems like??? Their policies might suck big time…
Can’t they even share a 2FA key? I think their goal is to get people’s phone numbers so they want “2FA” with phone numbers. The most lame security ever!
Useryoutube1984

Google and MS should work with the latest NK3 firmware update. Please watch out, as the current FIDO registrations will probably stop working. See below for more information:

I am still unable to enroll my key with Google after the 1.0.1 update, I just get “Something went wrong. Try again” like before. MS works though, as does systemd-cryptenroll, which did not work prior to the update.


Can you tell which browser you use, or check a different browser?
I remember I was testing Google with Chromium. Firefox might not be supported with Google at all.

Upgraded firmware to v1.0.1. All FIDO registrations stopped working. Registering the key on Google with Chromium 97.0.4692.99 and Firefox 96.0 still does not work (tried with and without Google Advanced Protection Program logins).

The difference between FF and Chromium is that

  • Firefox immediately errs out with “Something went wrong. Try again”, while

  • Chromium first shows “Insert your security key and touch it”, then I have to touch the NK3 multiple times until a new box shows up with “Allow this site to see your security key?” and then I click on “Allow”.

Result is the same: “Something went wrong. Try again”.

This was using Firefox 96, which should be supported according to this article (Step 2, subsection 1 under “Computer”).

Follow-up: tried with Chrome on Android device, same outcome with USB or NFC: “Something went wrong. Try again”

@teakay @egraven
Thank you for the additional information. I have started tracking this issue at:

@teakay
It works on my side on Linux, though I have not replayed your case ideally (details in the ticket). Looking further.
@egraven
I plan to follow later with Firefox tests.
Edit: Firefox 95 on Linux works for me for registering and logging in. Will check further.

Can you both remind me please, which OS are you using? If it is Windows, please provide build number / release name as well.

I’m using Ubuntu 21.10.

You are mentioning a device reset here: https://github.com/Nitrokey/nitrokey-3-firmware/issues/36#issuecomment-1019999013

How would I do that now? Or is this something for a future firmware update?

I am using Fedora 35.

Thank you both for the OS details.

@teakay I looked into that yesterday, and it seems the cause is somewhere else. Another firmware update will be required, but a reset operation should not be.

For the future, these are the docs for the reset operation, which recreates all the keys on the device, thus losing all registration info:


I updated the firmware of the NK3C to Release v1.0.3 · Nitrokey/nitrokey-3-firmware · GitHub and could successfully register the token as another security key.

Thank you for your help!


Google are terrible. They could just give me the base32 key or what it’s called. That is real 2FA. Then I could set it up on any Nitrokey! They don’t even offer that key anymore, right? They used to in a video I watched. I have not been able to set up 2FA on YouTube with Nitrokey Pro 2 even… should be easy! They made that hard.

Adding a new key for Microsoft accounts (office.com etc.) does not work in firmware 1.0.3.
I managed to add some keys with firmware 1.0.1 and I can still log in, but adding a new key based on firmware 1.0.3 is not possible.