I have two working nitrokeys, but don’t seem to be able to register them on this forum.
The two Nitrokey3 keys work fine at Google, but not here on this forum.
My keys support: FIDO2 and FIDO U2F
So am I missing something?
Detailed steps:
During the registering-process windows first asks for a pin (which usually should not be needed) on behalf of Firefox, and when entering the pin I very shortly asks for “press key button now”, just to shortly show error message "can not communicate… " something → and again windows asks for a pin for the device
Note: This issue is not about the pin, because tried to enter wrong pin, and then next step (press key) does not show.
System details: Windows 10, Firefox 107
Just registered my 3 Nitrokey 3As and both the one with a PIN and the two without work just fine.
I’m using Firefox 107 on Linux with kernel 6.0.10 though, and my keys haven’t been connected to a Google account.
Interesting, I though firmware updates were not available for the newest nitrokeys (3A/3C when writing this).
Is there an easy way to “see” firmware version without using the software Nitropy?
(Nitropy is currently experimental for windows, and need libUSB libraries)
…
And the more I read about management software for windows, I get the feeling you need to be root/admin to reach full functionality… which does not feel secure
So get a feeling this could be related to windows drivers, or lack of admin rights (unless anoyone has other ideas why registering a key seem to be working on a linux system)
“For science” I will later try register my nitrokeys “logged with user that has admin rights”.
Sorry, can’t help you with the Windows side of things, never used them with my Windows partition.
If you get nitropy running, nitropy nk3 update will update them, only plug in one at a time. I’ve done several updates this way. Be careful though, depending on the version you are running, there might be a risk of data loss when updating. Newer versions are fine, but if you are on a very old release (1.0.0 apparently), updating might wipe your key.
Windows 10, 22H2, jan-23 update, and Firefox 109.0.1)
Nitrokeys at latest firmware (as of 4th feb-23): v1.2.2
Summary:
When running Firefox with admin-rights user it works to register/login to the forum
details: popup asking for a pin I set for “Windows hello pin”, which makes it work, and the pin for the nitrokey does not work (which proves hardware key is not even used)
When running Firefox with a regular user it does NOT work
details: a different popup shows which actually seem to be the right one: “Enter you hardware key pin” (or similar), but if you enter the correct pin, a short error shows (to quick to read) and again I am asked for the hardware key.
In short it seems Firefox is asking the Windows system for the “wrong” type of security credentials…
Next step to test could be to register a “Windows Hello-PIN” on the regular user… although that seems a bit strange if it works. I mean: No pin from the security key is then being used, or is it?
I mean: It COULD be that when setting up the Hello-PIN it makes ONE handshake with the key (don’t remember) and then create a unique credential out of that. Maybe stored in my TPM module or something. THAT would be ok
At the moment it seems I only can make a “hardware key login” of this forum to work by using Windows Hello-PIN
So made some final tests on the forum using “Authenticate with Security key”:
First you get the forum popup for “Two-Factor Authentication”
Then you get a popup from “Windows security” asking two questions
PIN-code
Entering the Windows Hello-PIN here logs you in to the forum
Security key / Hardware key (Windows only shows this option if key inserted)
If choosing the security key option (in step 2.) you get a third popup, this time from Firefox
And correctly asking specifically for the hardware key pin
This steps fails for me
And after a brief error message I am asked to enter pin in an endless loop
Status after this final test makes me think that this would work if starting Firefox with administrators rights. But considering how dangerous that could be, I won’t.
All of this is pointing towards Nitrokey software/firmware not being able to talk to the hardware key correctly. And doing this assumption based on all the hassle I had to do to even upgrade the firmware. Upgrading the firmware with nitropy requires you to run nitropy from a shell that is in administrative mode (full access). So I would not be surpriced that this “root problem” is stopping registration of a hardware key (requiring write access during handshake).
But what is pointing the other way is that both my Nitrokeys work without a problem when logging into Google
I will try pass my finding directly to the Nitrokey support.
And to Fairphone support.
I love these hardware keys. Would be a shame if not used
