Ubuntu-20.04: Nitrokey3A NFC and Chrome/Firefox

I received my Nitrokey3A NFC and tried to get it working via https://webauthn.io.

  1. I started using Chrome → created a PIN, seems to work OK
  2. Then I tried to “login”/authenticate using Firefox → no success at all

I think I made similar tests with my solokey v1 and as far as I remember it works.
You just have to use “Authentication Settings: Require User Verification - No” for Firefox.
Any idea?

Firefox does not yet support user verfification exceot for WIndows. (should be available in feb. 2023?)
Also Android sadly does not support it, yet. (no date known)

I have just seen that there is a good blog post about this from Nitrokey.

1 Like

Thx @ricsi . I guess you are referring to the blog post above stating thag firefox 109 will probably provide support for it. So I’ll wait and see…

Yes, I have a stick from the competition (with y), and it reacts the same.
I am looking if I want to buy a NK3A NFC as a backup and play stick.

Thx. Solokeys do work differently. They just don’t require the PIN for firefox.
For me, the solokey variant is the worst possible implementation.


On Arch Linux Firefox 109 rolled out and i can use my NK 3A with success.

I found out that Firefox has in its about:config this settings:
security.webauth.u2f = true
security.webauth.webauthn = true
security.webauth.webauthn_enable_softtoken = false
security.webauth.webauthn_enable_usbtoken = true
security.webauthn.ctap2 = false

This means Fido U2F is in use, but not Fido2. Is Fido2 not secure enough to use in Firefox? Is it Stable?

I would not change this setting because it would not be default. With IT security, it’s important to look at it conservatively. If changed, it’s the own risk.


Hey @Chris2000SP , thanks for sharing your observations. For me, https://webauthn.io seems to work with Firefox-109, too. But only when “User Verification” isn’t set to “Required”

After reading your post more carefully and changing security.webauthn.ctap2 from false to true, “User Verification” works, too. I’m happy.

Keep in mind, that this setting isn’t default. Think of it this way, it is beta status as long as the Firefox version ship with this setting.

For it to work you need to go to about:config and change security.webauthn.ctap2 = false option to security.webauthn.ctap2 = true. Works on Mac/Linux since Firefox version 109 onwards.

1 Like