I have two working nitrokeys, but don’t seem to be able to register them on this forum.
The two Nitrokey3 keys work fine at Google, but not here on this forum.
My keys support: FIDO2 and FIDO U2F
So am I missing something?
During the registering-process windows first asks for a pin (which usually should not be needed) on behalf of Firefox, and when entering the pin I very shortly asks for “press key button now”, just to shortly show error message "can not communicate… " something → and again windows asks for a pin for the device
Note: This issue is not about the pin, because tried to enter wrong pin, and then next step (press key) does not show.
System details: Windows 10, Firefox 107
I don’t use it on this forum, but on another Discourse forum I use a Yubikey and works great. U2F I think, also works fine via NFC.
Just registered my 3 Nitrokey 3As and both the one with a PIN and the two without work just fine.
I’m using Firefox 107 on Linux with kernel 6.0.10 though, and my keys haven’t been connected to a Google account.
What firmware version are your Nitrokeys running?
Interesting, I though firmware updates were not available for the newest nitrokeys (3A/3C when writing this).
Is there an easy way to “see” firmware version without using the software Nitropy?
(Nitropy is currently experimental for windows, and need libUSB libraries)
And the more I read about management software for windows, I get the feeling you need to be root/admin to reach full functionality… which does not feel secure
So get a feeling this could be related to windows drivers, or lack of admin rights (unless anoyone has other ideas why registering a key seem to be working on a linux system)
“For science” I will later try register my nitrokeys “logged with user that has admin rights”.
Sorry, can’t help you with the Windows side of things, never used them with my Windows partition.
If you get
nitropy nk3 update will update them, only plug in one at a time. I’ve done several updates this way. Be careful though, depending on the version you are running, there might be a risk of data loss when updating. Newer versions are fine, but if you are on a very old release (1.0.0 apparently), updating might wipe your key.
So finally I made some tests:
- Windows 10, 22H2, jan-23 update, and Firefox 109.0.1)
- Nitrokeys at latest firmware (as of 4th feb-23): v1.2.2
- When running Firefox with admin-rights user it works to register/login to the forum
- details: popup asking for a pin I set for “Windows hello pin”, which makes it work, and the pin for the nitrokey does not work (which proves hardware key is not even used)
- When running Firefox with a regular user it does NOT work
- details: a different popup shows which actually seem to be the right one: “Enter you hardware key pin” (or similar), but if you enter the correct pin, a short error shows (to quick to read) and again I am asked for the hardware key.
In short it seems Firefox is asking the Windows system for the “wrong” type of security credentials…
Next step to test could be to register a “Windows Hello-PIN” on the regular user… although that seems a bit strange if it works. I mean: No pin from the security key is then being used, or is it?
I mean: It COULD be that when setting up the Hello-PIN it makes ONE handshake with the key (don’t remember) and then create a unique credential out of that. Maybe stored in my TPM module or something. THAT would be ok
At the moment it seems I only can make a “hardware key login” of this forum to work by using Windows Hello-PIN
So made some final tests on the forum using “Authenticate with Security key”:
- First you get the forum popup for “Two-Factor Authentication”
- Then you get a popup from “Windows security” asking two questions
- Entering the Windows Hello-PIN here logs you in to the forum
- Security key / Hardware key (Windows only shows this option if key inserted)
- If choosing the security key option (in step 2.) you get a third popup, this time from Firefox
- And correctly asking specifically for the hardware key pin
This steps fails for me
- And after a brief error message I am asked to enter pin in an endless loop
Status after this final test makes me think that this would work if starting Firefox with administrators rights. But considering how dangerous that could be, I won’t.
All of this is pointing towards Nitrokey software/firmware not being able to talk to the hardware key correctly. And doing this assumption based on all the hassle I had to do to even upgrade the firmware. Upgrading the firmware with nitropy requires you to run nitropy from a shell that is in administrative mode (full access). So I would not be surpriced that this “root problem” is stopping registration of a hardware key (requiring write access during handshake).
But what is pointing the other way is that both my Nitrokeys work without a problem when logging into Google
I will try pass my finding directly to the Nitrokey support.
And to Fairphone support.
I love these hardware keys. Would be a shame if not used
Been in contact with support of both Fairphone, and Nitrokey, and both forwarding me between them. So gave up that route.
Did a quick test today (Firefox 111, and Windows 10) and with these steps:
- Plugged in one of my unregistered Nitrokey3 hardware keys in a USB3-port
- Fairphone forum (through Firefox popup) asks for Windows Hello pin/login
- pin of my Windows Hello login checks out (and is correct)
- again Fairphone forum (through Firefox popup) asks for pin/login, but now for my Nitrokey
- an incorrect pin at this stage just says “incorrect pin” and asks me again
- a correct pin of my Nitrokey checks out and
- a short “flicker” of an error message says: “can’t communicate with the hardware key…”
- (although for me in may native language)
- …and takes me back to enter pin
So what if this works without a NitroKey3?
- I unplugged all hardware keys,
- pressed register hardware key in forum
- entered a name
- Fairphone forum (through Firefox popup) makes Windows Hello ask for pin/login
Bam! “Your hardware key is registered”
- and what ACTUALLY probably registered is most likely my TPM-module on my motherboard
Or in one line:
- This forum does not support having more than one hardware key available at the same time
I even did a last test to confirm the “multi-hardware-key-theory” by:
- Plugged in ALL of my NitroKey3 keys
- (btw: Windows recognize all of them without a problem)
- Fairphone forum (through Firefox popup) still asks for Windows Hello login
- Fairphone forum gets confused when (through Firefox popup) asking for pin on the nitrokeys: Can not recognize key
- When pressing cancel the last error message kind of confirms the confusiong by saying: "You have already registered this hardware key (most likely my TPM key)
Again: Google has no problem identifying all of my hardware keys, of ANY type
Hence giving Nitrokey support “the win” with saying: “We have full support for Windows” → which seems true, because same browser (on same OS, and same latest nitro firmware version) works with other sites.
Hence a last guess: Nitrokeys do not work on this Fairphone forum if you have a TPM hardware key on your system
So why posting this (sorry for long posts): I do not like unsolved technical mysteries
And maybe a user comes along with a working hardware key and confirms that they do NOT have a TPM module in their system.
3 NitroKey 3 connected at the same time, works fine
This is on though, might be a Windows issue or …
… related to me not having a TPM
I don’t have access to a system with a TPM, so I won’t be able to help you narrow it down to a Linux / Windows vs. TPM issue, sorry.
The more I think about this it could be as easy being an issue when activating (and configuring) “Windows hello with pin”. It is a functionality that (to my knowledge) uses the TPM module to use a pin to unlock a more complex security key, to log into windows. And it is THIS functionality that gets activated on this forum (instead of letting me use my nitrokey).
If I find a regular Windows machine without a TPM and/or “Windows hello pin” deactivated, then I deffo will use my Nitrokey on it, and report back here.
I think that even if you find out it’s related to TPM and this forum it will only help if you’re sure it’s not a general problem with Discourse.
So in your case is first test the problem with https://meta.discourse.org/
If your problem even happens there then you might ask for a solution over there…