It is not easy to understand (for me).
I followed all steps.
But I get an error message, when I enter:
$ nitropy list-credentials
/Users/***/.local/pipx/venvs/pynitrokey/lib/python3.9/site-packages/urllib3/__init__.py:34: NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
warnings.warn(
Usage: nitropy [OPTIONS] COMMAND [ARGS]...
Try 'nitropy -h' for help.
Error: No such command 'list-credentials'.
I think users who always use tools with a GUI will never have a joyful user experience with a command-line tool.
Command line tools are for nerds only.
IMHO.
I am just a regular user and have no further info on Nitrokey's roadmaps, but the App has been heavily worked on and got a lot of functionality. It is also based on Python, and code can be shared.
I think they will add the most important features to the app but must make sure that the feature set is the same on Windows, Mac and Windows, and some functionality is only available on the CLIs.
I haven’t followed the full discussion here. So please excuse if I am off-topic!
One note: FIDO1 keys and the non-“discoverable” keys in FIDO2 (most often used as a second factor) can’t be listed at all, because they are not stored on the NK.
Very, very simplified:
The server keeps an opaque blob
Sends it to the NK
The NK verifies the blob and decrypts it with its internal master key
The NK proves to the server that it knows the secrets (using public key cryptography)
I haven’t tried Nextcloud for a while, but some time ago it exactly used the FIDO1 / U2F / non-discoverable way of handling things.
About Windows and FIDO2: Windows actually has some tools to manage FIDO2 hardware keys built in. They’re somewhere in the system settings. Something like “security keys”. There you can actually even do a complete reset of the FIDO2 part of the NK (be careful, all your keys are gone, it basically creates a new internal master key).
Thanks for the hint. The name of the built-in tool is: Windows Hello Setup.
Only two features are offered:
“Set a PIN” and “Reset the complete Nitrokey”.
At the moment I am trying to test the complete UX on Windows, macOS and iOS for an NGO where normal users work. We want to understand if the UX will be OK for them or if we have to wait until the UX has been improved.
Being able to list all created FIDO2 keys and to delete single keys (instead of deleting the whole stick) is an essential feature for us.
Right now 10 residential keys = passkeys. Nitrokey already said that they plan to increase this number.
When you have to enter your username and the server stores the encrypted key, then an unlimited number of server side keys can be associated with your token.
As explained above, some keys (the non-discoverable or non-resident ones) are not stored at all on the NK. So you can have an unlimited number of those.
Why do you want to list or even delete those? Can you please explain your use case for this?
You only need to delete (manage) them on the server.
Passkeys are the same as “resident keys” or “discoverable keys”. There the private key (and some meta information, like the website name and possibly the username) is really stored on the NK/token. And yes, currently the NK3 can only store 10 of them. And as already noted, they’re working on increasing it (I tried to find the posting, but failed).
On the other hand, FIDO2 has many variants / modes. And some of them (the non-passkey/etc ones) do not store anything on the NK. So there is nothing to manage on the NK, and those can be unlimited (on any FIDO2 compliant hardware token).
P.S.: If you want to try passkeys with the NK, just go to preferences → Security on this forum, there you can register a passkey for logging into this forum. And then the 10 free slots should go down to 9.
Yes, Nextcloud uses some specific mode of operating FIDO2 (I think Facebook also did this once). GitHub even has both options: 1) Passkey, with even the username stored on the NK; 2) Second factor, where you have to provide username/password and then the NK as a second factor (in this mode, nothing is stored on the NK).
During registration: The secret (private key) is actually created on the NK. And then it is encrypted using the “master key” (also on the NK). This blob (and the public key) is sent to the server to store it.
The server only stores an encrypted blob that it can’t do anything with. Even if it could decrypt it, it would only be able to authenticate to itself (because every website gets a new private / public key).
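The key-wrapping flow sketched in the two posts above (the “very, very simplified” list of server blob, unwrap, proof of knowledge, and the registration detail here) as an added, runnable model. This is example code written for this page, not Nitrokey firmware, pynitrokey, or the forum poster's code, and it is not WebAuthn. Everything in it is a constructed stand-in: the `Authenticator` and `RelyingParty` classes, `make_credential`/`get_assertion`, the relying party `cloud.example`, a toy Schnorr signature over the Mersenne prime 2^127-1 (no prime-order subgroup, not secure, just small enough to read), and a SHAKE keystream plus HMAC tag in place of the AEAD a real token would use. What it does show faithfully is the property the posts describe: the token keeps only a master key, the server keeps only an opaque blob and a public key, a blob from another token or for another site is useless, and “deleting” such a credential is purely a server-side operation.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime; toy-sized group, illustrative only (NOT secure)
Q = P - 1       # exponents are reduced mod the order of the multiplicative group
G = 3           # any element works for the algebra below; order is irrelevant here

def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def sign(x, msg):  # toy Schnorr: e = H(G^k, msg), s = k - x*e mod Q
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P).to_bytes(16, "big"), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P  # equals G^k only if the signer knew x
    return _h(r.to_bytes(16, "big"), msg) == e

class Authenticator:
    """The token (stand-in for the NK): one master key, no per-site state."""

    def __init__(self):
        master = secrets.token_bytes(32)  # the only long-term secret on the device
        self._enc = hmac.new(master, b"wrap", hashlib.sha256).digest()
        self._mac = hmac.new(master, b"auth", hashlib.sha256).digest()
        self.resident_keys = {}  # only passkeys would live here; stays empty

    def _xor_stream(self, nonce, data):  # SHAKE keystream stands in for an AEAD
        stream = hashlib.shake_256(self._enc + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def make_credential(self, rp_id):  # registration
        x = secrets.randbelow(Q - 1) + 1  # fresh per-site private key, created here
        nonce = secrets.token_bytes(16)
        ct = self._xor_stream(nonce, x.to_bytes(16, "big") + rp_id.encode())
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag, pow(G, x, P)  # opaque blob (credential id), public key

    def get_assertion(self, rp_id, cred_id, challenge):  # authentication
        nonce, ct, tag = cred_id[:16], cred_id[16:-32], cred_id[-32:]
        expect = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None  # not made by this token, or tampered with
        plain = self._xor_stream(nonce, ct)
        if plain[16:] != rp_id.encode():
            return None  # blob was issued for a different site
        x = int.from_bytes(plain[:16], "big")  # recovered, used once, then dropped
        return sign(x, challenge + b"|" + rp_id.encode())

class RelyingParty:
    """The server: keeps only opaque blobs and public keys, nothing secret."""

    def __init__(self, rp_id):
        self.rp_id, self.users = rp_id, {}  # user -> {cred_id: public key}

    def register(self, user, token):
        cred_id, pub = token.make_credential(self.rp_id)
        self.users.setdefault(user, {})[cred_id] = pub
        return cred_id

    def remove(self, user, cred_id):  # "deleting" such a key happens here only
        self.users[user].pop(cred_id, None)

    def authenticate(self, user, token):
        challenge = secrets.token_bytes(32)
        msg = challenge + b"|" + self.rp_id.encode()
        for cred_id, pub in self.users.get(user, {}).items():
            sig = token.get_assertion(self.rp_id, cred_id, challenge)
            if sig is not None and verify(pub, msg, sig):
                return True
        return False

def demo():
    nk, other = Authenticator(), Authenticator()
    cloud = RelyingParty("cloud.example")  # constructed relying party
    cid = cloud.register("alice", nk)
    bad = cid[:20] + bytes([cid[20] ^ 1]) + cid[21:]  # one flipped ciphertext byte
    out = {
        "own_token": cloud.authenticate("alice", nk),
        "other_token": cloud.authenticate("alice", other),
        "on_token": len(nk.resident_keys),
        "wrong_site": nk.get_assertion("evil.example", cid, b"c") is None,
        "tampered": nk.get_assertion("cloud.example", bad, b"c") is None,
    }
    cloud.remove("alice", cid)
    out["after_removal"] = cloud.authenticate("alice", nk)
    return out

if __name__ == "__main__":
    print(demo())
```

Running `demo()` registers one credential, then checks the four properties from the posts: the registering token authenticates, a different token (different master key) cannot, nothing was stored on the token (`on_token` is 0, so the count is unbounded), a blob presented for another site or with a modified byte is rejected by the token itself, and once the server forgets the blob the credential no longer works anywhere.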
If you want a GUI-like experience then use the Chromium option as seen here: click this link, then scroll down to "Setting PIN with the Chrom(e|ium) web-browser": Set PINs - Nitrokey Documentation