NK3: List all Fido2 Credentials

As discussed here I want to ask again how to list all fido2 credentials.
If I do a nitropy fido2 list-credentials I am asked for the corresponding pin but only the credentials which require the pin at login are listed and counted down from 10 slots. I see no way so far to list the fido2 credentials for which only user presence is checked.
Is this correct or am I doing anything wrong?
Is there another way to list the “other” credentials?

AFAIK only resident keys are listed. The other keys are stored decentrally on each site where you registered using the FIDO2 key.

Greetings,

With FIDO2 on Nitrokey 3 I added a passkey in Google account and in GitHub account. Both work!
But checking credentials by “nitropy fido2 list-credentials” I only see the credential for GitHub - not Google.
Is this related? I would like to understand more about it. - Can anyone share more details here?

Steff

Hi Steff,
A Passkey does not rely on a hardware key, so it’s normal you don’t see it. For a couple of months now Google seems to default to Passkeys when you want to add a second factor. They do support other options.
Your GitHub account probably asks for the password (?), making the NK3 FIDO2 a second factor during login.

You can read about the different FIDO2 options and Passkeys in the NK blog, keeping in mind that browser support has gotten better since the blog post.

Thank you @ion, for feedback and the link! That’s very helpful!
In both cases, Google as well as GitHub, I can log in without a password. So in both cases I would expect FIDO2. - Looking at the blog you shared: GitHubFIDO U2F does not store data on the stick but FIDO2 (i.e. resident key). But from the blog it’s not so clear whether in FIDO2 the resident key is really required or still an option?

To me it is more useful to approach your question the other way around: Do I want/need a resident key for a particular service authentication, or does it suffice to use presence of the second factor (NK3)? Next, have a look what the service offers/accepts for respective authentication and set it up.

I mentioned Passkeys first, because you used the term in your first sentence and it fit with the question why it’s not listed by the NK3. The account settings show what method is set up, no need to speculate. What method does it show for the account you miss in the NK’s list?

I need to know too because my nitrokey is now full and now a paperweight, probably from all my random registration testing.

A full reset of the FIDO2 app can be done with “nitropy fido2 reset”. It will delete all FIDO2 registrations that you would need to do again using a backup MFA or by deregistering it beforehand on those services.

@sosthene-nitrokey Is there a way to list the used storage for resident keys?

The current limitation for discoverable credentials is 10. You can know how many resident credentials are registered with nitropy fido2 list-credentials.
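
The split discussed in this thread, as an added example that is not part of any post and is not Nitrokey firmware code: a simplified model of why only resident (discoverable) credentials can be enumerated and why only they consume the 10 slots. Assumptions: the `ToyAuthenticator` class, the credential ID layout (nonce plus tag) and the sample site names are hypothetical, and an HMAC stands in for the public-key signature a real authenticator produces; only the limit of 10 comes from the thread.

```python
import hashlib
import hmac
import os

MAX_RESIDENT = 10  # discoverable-credential limit quoted in the thread


def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class ToyAuthenticator:
    """Simplified model (hypothetical, not Nitrokey firmware)."""

    def __init__(self):
        self._master = os.urandom(32)  # device secret, never leaves the key
        self._resident = {}            # cred_id -> (rp_id, user), on-device

    def make_credential(self, rp_id, user, resident=False):
        if resident and len(self._resident) >= MAX_RESIDENT:
            raise RuntimeError("no free resident slots")
        nonce = os.urandom(16)
        # Credential ID = nonce + tag binding it to this device and site.
        cred_id = nonce + _mac(self._master, b"tag", rp_id.encode(), nonce)[:16]
        if resident:
            self._resident[cred_id] = (rp_id, user)
        return cred_id  # the site stores this; a non-resident one leaves no trace here

    def get_assertion(self, rp_id, cred_id, challenge):
        nonce, tag = cred_id[:16], cred_id[16:]
        expected = _mac(self._master, b"tag", rp_id.encode(), nonce)[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("credential ID was not issued by this device for this site")
        # Re-derive the per-credential key on demand; HMAC stands in for the
        # public-key signature a real authenticator would produce.
        key = _mac(self._master, b"key", rp_id.encode(), nonce)
        return _mac(key, challenge)

    def list_credentials(self):
        # Only what is stored on the device can be enumerated.
        return sorted(rp_id for rp_id, _user in self._resident.values())
```

In this model a non-resident registration keeps working after all resident slots are used, and it disappears only when the device secret is regenerated, which is the role a full reset plays.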