Login via "Passkey" created on Yubikey 5 does not work

Sim
Affected version
2.3.0 Beta 3 / xenforo.com
After setting up my 3 YubiKey devices as 2FA options on xenforo.com/community, none of them are working.

I get to the point of it asking for my PIN but then I get an error:

(screenshot of the error message)

The same error occurs with all 3 devices.

I can log in using a passkey with 1Password or with Windows Hello, but none of my yubikeys are recognised.

I tried deleting and then re-adding the passkey, but I get the same result.
 
More information - it's working for 2FA, so if I log in using my username/password and then get prompted for 2FA, I can use my YubiKey to authenticate.

The issue is specifically with the "Log in using Passkey" option which isn't working with my YubiKeys.
 
Steps to reproduce
  1. Go to https://xenforo.com/community/account/security
  2. Click Add Passkey
  3. Complete registration of a Yubikey 5
  4. Log out
  5. Click Log in
  6. Click Button Passkey
Expected Result
You are logged into the account

Actual Result
Error message that the security key can't be used

Cause
XenForo does not enable authenticatorSelection options requireResidentKey / residentKey
If those options are not enabled, the created credential is not resident / client discoverable and thus WebAuthN login does not work.

Suggested Fix
Passkeys (by definition) are discoverable FIDO2 credentials, in order for this to work with security keys like Yubikey 5 they must be created as resident.
But this needs to be done carefully - if a resident key is requested a U2F device (like a Yubikey 4) cannot be used for 2FA WebAuthN.
 
Guys, we've rolled out some changes here. Could you please check Yubikey 5 again?

This should also solve similar issues with Bitwarden and Windows Hello.
 
Unrelated but I didn't get an alert for your reply...

(yes I'm watching the thread have been since my reply)
 

You probably weren't watching "this" thread.

This thread is the result of two threads being merged. One of which you were watching, another which you weren't. The destination thread is not the one you were watching.
 
Ahh. Sense made. Thanks.

Interesting that the bar at the top said unwatch though given I wasn't officially watching it?
 

Same result, sorry. Tried two of my YubiKeys and got the same message.

Windows Hello and 1Password work for login. I can use the YubiKeys for 2FA.
 
As already posted by @Sim: It still doesn't work "out of the box" as no Passkey is created on the Yubikey.

I performed all tests with a freshly reset YubiKey 5 NFC and a YubiKey 4.

I can make Passwordless login work in Chrome on Windows using one of following methods:

1) Setting resident key required
This works if I modify the passkey registration process by adding data-resident-key="required" via Chrome developer tools to the button Add passkey before clicking it to register the YubiKey.
This also enables user verification in Chrome - user verification is not enabled if I do the same in Firefox.

2) Providing existing credentials when logging in
This works by
  1. Cloning the form for button Passkey via browser developer tools
  2. Adding data-existing-credentials="..." to the cloned form
  3. Calling XF.activate() on the cloned form to activate the handler code
  4. Finally clicking button Passkey of the cloned form
Using the second approach also allows me to perform a passwordless login with a Yubikey 4 which can't even perform user verification.

IMHO not requiring user verification for passwordless login is a somewhat serious security issue as this effectively bypasses Two Factor authentication as an attacker only needs physical access to the key and the "existing credentials" data (that might have been sniffed somehow) to log into the account.
(Granted, that is not very likely - but possible).

As already pointed out in https://xenforo.com/community/threads/passwordless-logins-with-passkeys.220458/post-1674581 I think this needs to be changed so only FIDO2 credentials with enabled user verification can be used for passwordless login.

Using resident FIDO2 credentials without user verification is also a privacy issue:
If the authenticator device is lost anyone who gets access to it could probe / list the RPs.

Using any U2F/FIDO2 credentials "just" for 2FA would be fine.
This is what for example Google does - I can use a YubiKey 4 for 2FA but not for passwordless login:
(screenshot of Google's security-key prompt)
 
I've no experience with JS hacking via developer tools (done plenty of HTML/CSS though), so I'll need help with step 2 and 3 ... exactly what goes into the data-existing-credentials ? and how do I call XF.activate() ?
To get the existing credentials perform an login with username and password.
When asked for 2FA via Passkey abort the dialog.

On the Passkeys tab right-click on button Use passkey or security key and click Inspect from the context menu in Chrome (Untersuchen = Inspect, sorry for the German browser :))
(screenshot)

This should open browser developer tools and show something similar to the following screenshot:


Copy the value of attribute data-existing-credentials into clipboard and paste into an editor (Notepad, etc.)

Navigate somewhere to make sure you are not logged in (or log out if you are logged in).

Now click on Log in again to open the login overlay.

Right-click on the Passkey button and select Inspect from the context menu.

This should show something like this in the inspector
(screenshot)


Navigate to the <form> element and press F2.
Select all text and copy to clipboard.
Navigate to the closing </form> and paste the copied code.
Navigate up again to the opening <form> of the copy-pasted code and insert attribute data-existing-credentials.

It should now look similar to
(screenshot)

Make sure the <form> with the added attribute is selected.

Now click on Console, enter XF.activate($0); and press enter
(screenshot)

Click on the second Passkey button (the one you just created) and test if you can login with one of the YubiKeys.

It's not really much JavaScript tampering (in fact only the activate call to activate the handler on the cloned form), mostly it is just modifying HTML.
 

Strange ... I followed your instructions the first time and it worked with my 5 Nano.

I then tried it again with my YubiKey 5 and it didn't work.

So I tried it a third time with my 5 Nano again and it didn't work either. In fact, I haven't been able to get it to work again?
 
Okay - I tried again, this time removing the second YubiKey from my machine so only one was present.

This time it worked with either key - I was able to log in with my Nano, then I reset and tried again with my 5/USB-A and it worked as well.

Interestingly, at no point did it ask me for my PIN for the YubiKeys?

That's what was different when I had both keys in - it would ask me to touch my key first (so it knew which key), then it would ask for the PIN and then it would fail.

This time with only a single device in the system it didn't ask for the PIN and let me straight in once I touched the key.
 

I am not sure if someone reported this issue as I didn't go through all the posts here.

1. I enabled/added passkey from my iPhone, all is good if I try to login using the same iPhone.

2. I tried to login to my account using the laptop (windows-11) and I have been redirected to this page:

(screenshot of the page)

3. I clicked Next and scan the QR code using my iPhone, then I got this error:

(screenshot of the error)


Currently I am not able to access to my account from the laptop

Q: Why 2FA is automatically enabled if I add a passkey? Is it mandatory?
 
Interestingly, at no point did it ask me for my PIN for the YubiKeys?
That's really interesting, I am unable to create a credential with my YubiKey 5 that won't ask for the PIN even if userVerification is set to discouraged (which XenForo does set).

Did you verify via Yubikey Manager that a PIN is indeed set on the YubiKey(s)?

If so: Which firmware version do you have on them?
 