Login via "Passkey" created on Yubikey 5 does not work

[Kirby]

This is what for example Google does - I can use a YubiKey 4 for 2FA but not for passwordless login

Interestingly, the Passkeys Google (and XenForo currently) creates on YubiKey IMHO somewhat contradict the definition used by FIDO alliance:

Passkeys - FIDO Alliance

Payment service providers and banks are evolving service delivery to online payments from physical branches. Using Passkeys for Payments with FIDO’s open and scalable authentication standards offers a faster and easier way to secure online payments.

fidoalliance.org

From a technical standpoint, passkeys are FIDO credentials that are discoverable by browsers

The Passkeys created by Google and XenForo on YubiKey are not resident/discoverable, eg. they can be used for passwordless login only if the credential is provided by the RP.

For XenForo this would require a change to the login flow, eg. even with such a Passkey the user would first have to enter the username/email so the credentials can be loaded from the server (just like it is done for 2FA).

Passkeys created via Android/Google Password Manager or iOS on the other hand are always discoverable and don't need the username first.

Passkey interoperability is really a mess with each option having advantages and disadvantages

With the current implementation of login flow:

userVerification discouraged, residentKey discouraged
userVerification discouraged, residentKey preferred
FIDO2 and U2F scecurity keys can be used for 2FA only.

userVerification preferred, residentKey discouraged
userVerification preferred, residentKey preferred
FIDO2 and U2F scecurity keys can be used for 2FA only; FIDO2 security keys will (most likely) setup/ask for PIN

userVerification required, residentKey discouraged
FIDO2 keys can be used for 2FA only and will setup/ask for PIN; U2F security keys can't be used.

userVerification required, residentKey required
FIDO2 security keys can be used for login and 2FA, will setup/ask for PIN and store the credential.
Some users might want to have this behaviour, others may not as slots for resident keys are pretty limited (25 for YubiKey 5, 10 for NitroKey 3).

To cover most use cases XenForo would have to determine wether to use residentKey required or not before creating the credentiall:

• Use residentKey required if the user wishes to perform a login without entering username first using a FIDO2 security key
• Use residentKey preferred otherwise

If the user uses a FIDO2 security key but does not wish to create a resident key the login flow would have to support this usecase by allowing to get the credentials from the server (eg. by entering username / email first) before calling WebAuthnProcess.

 

[Sadiq6210]

Go to https://xenforo.com/community/account/two-step/ on your iPhone, get the backup codes and use one on your Laptop - this should work.

Is this a normal behavior? I mean many of my users may face the same issue and may not find the answer!

 

[ŽivaAkcija]

looks like to much problems and very complicated to work, i am stay on standard login

 

[Kirby]

Thinking about the GUI & workflow:

Maybe the easiest option could be to have two buttons for registration: Add Passkey and Add Security Key.

The first one would require user verification and resident key, the second prefer user verification and discourage resident key.
Credentials created via Add Passkey could be used for login without username and password.
Credentials created via Add Security key could be used for passwordless login (after entering username / email to fetch credentials from server) if the UV flag is present after registration; if not they could only be used for TFA.

The get workflow (if used for login) would have to be modified to check if a username / email is entered in the login form - if there is one it would have to fetch credentials for that user first before starting WebAuthnProcess.

 

[Sim]

This now works with the new code deployed on xenforo.com - I created new passkeys on each of my 3 yubikeys on my workstation and was able to log in with each of them. I then tried logging in to xenforo.com on my laptop using my USB-C key and it also worked.

As far as I'm concerned, this bug report can be closed. @Kirby does it work for you now?

 

[Kirby]

@Kirby does it work for you now?

Nope, still the same

when trying to log in with Chrome on Windows 10.

This is the german Windows 10 equivalent of


To be honest, from looking at the JS source I don't see how this could be working:
userVerification is still set to discouraged and residentKey is set to preferred - with these settings chrome doesn't create a resident key on the Yubikey so when trying to log in there is nothing that could be used for authentication.

If I force creation of a resident key (by adding attributes data-user-verification="required" and data-resident-key="required" to button Add Passkey) or by adding the existing ID like explained in https://xenforo.com/community/threa...n-yubikey-5-does-not-work.220467/post-1674920 it does work just fine.

But that did work since the Passkey feature was initially added.

 

[Sim]

Nope, still the same
View attachment 301170
when trying to log in with Chrome on Windows 10.

This is the german Windows 10 equivalent of
View attachment 301171

To be honest, from looking at the JS source I don't see how this could be working:
userVerification is still set to discouraged and residentKey is set to preferred - with these settings chrome doesn't create a resident key on the Yubikey so when trying to log in there is nothing that could be used for authentication.

If I force creation of a resident key (by adding attributes data-user-verification="required" and data-resident-key="required" to button Add Passkey) or by adding the existing ID like explained in https://xenforo.com/community/threa...n-yubikey-5-does-not-work.220467/post-1674920 it does work just fine.

But that did work since the Passkey feature was initially added.

Did you delete and re-create your passkeys?

 

[Kirby]

Of course

Did you verify that a Passkey was indeed created on your Yubikeys?

To check (assuming that Yubikey Manager is installed) run ykman fido credentials list from an elevanted console.

If it is, the output should look smth. like this:

Enter your PIN:
Credential ID  RP ID        Username                   Display name
xxxxxxxxx..    xenforo.com  xxxxxxxxxxxxxxx@xxxxxxxxx  Sim

 

[K a M a L]

I still can't add my Yubikey 5 NFC as passkey .. when going to add key I only see the option to use windows Hello.


but accidently when I cancelled .. it asked me if I want to setup a security key


then asked for PIN


and asked me to touch security key


the key was added successfully

then I logged out and tried to login using the security key I created, I got

I cancelled and went to login using username/password but it asked me to touch the key ( it was automatically add as 2FA method ) .. it asked me to touch the key without asking for PIN and the login worked .. I doubt it didn't attempt to verify the key .. just pretending to be doing that.
I did a logout and tried to login again and it didn't ask me for security key this time ..

 

[Kirby]

it asked me to touch the key without asking for PIN and the login worked ..

This is actually expected (with the settings XenForo uses):
userVerification is set to discouraged so normally the authentication should not verify the user (ask for PIN, fingerprint, etc.)

I doubt it didn't attempt to verify the key .. just pretending to be doing that.

It most certainly did - just without verifying the user (=asking for pin), only checking user presence (=asking for touch).

I did a logout and tried to login again and it didn't ask me for security key this time ..

That is expected as well, the device is now trused.
If you want to test: Delete cookie xf_tfa_trust and try again.

 

[Sim]

Of course

Did you verify that a Passkey was indeed created on your Yubikeys?

To check (assuming that Yubikey Manager is installed) run ykman fido credentials list from an elevanted console.

If it is, the output should look smth. like this:

Enter your PIN:
Credential ID  RP ID        Username                   Display name
xxxxxxxxx..    xenforo.com  xxxxxxxxxxxxxxx@xxxxxxxxx  Sim

Well it did allow me to log in on a second device, so I assumed it had.

I ran ykman anyway just in case, and the passkey is indeed there.

 

[Kirby]

That's interesting, might be a difference between Windows 10 and 11.

Could you try a Yubikey Passkey login with Firefox, does it ask for the PIN?

 

[Sim]

That's interesting, might be a difference between Windows 10 and 11.

Could you try a Yubikey Passkey login with Firefox, does it ask for the PIN?

That was going to be my next question - which version of Windows? I'm running Win11.

I still can't add my Yubikey 5 NFC as passkey .. when going to add key I only see the option to use windows Hello.

Are you running Windows 10 or 11?

 

[K a M a L]

Are you running Windows 10 or 11?

Windows 10

 

[Kirby]

That was going to be my next question - which version of Windows? I'm running Win11.

Windows 10, I don't have access to devices running Windows 11 yet.

 

[Kirby]

Ì've done some more testing with a Windows 11 VM:

1. Test:
I've reset the Yubikey, logged into xenforo.com with a backup code using Edge in Windows 11 and created a Passkey.
Result: I was not asked for a PIN but XenForo reported a successful creation of a passkey - logging in with that did not work.

2. Test
Back on Windows 10 I checked if there are any FIDO credentials on the Yubikey
Result: ykman reported that credentials can't be managed as no PIN is set

3. Test
Still in Windows 10 I set a PIN for the Yubikey.
Back in Edge in Windows 11 I've deleted the created Passkey in my account and created a new one
Result: This time I was asked for the PIN and logging in with Edge did work afterwards

4. Test
Still in Windows 11 I tested to log into xenforo.com with the Yubikey using Firefox.
Result: Logging in did not work

5. Test
Still in Firefox I logged in using my username & password anf the Yubikey as TFA
Result: Logging in did work, but I was not asked for the PIN

6. Test
I switched back to Windows 10 and tried to log in using Firefox
Result: Same as with Windows 11, eg. logging in did not work but TFA did without asking for the PIN.

7. Test
Still in Firefox in Windows 10 I logged out and started a login with my username and password.
When TFA was triggered I aborted the TFA process and copied attribute data-existing-credentials
Afterwards I refreshed, deleted all cookies, opened a new login dialog and added a second Passkey button with the previously saved existing credentials.
Result: Clicking that button resulted in a successful login without asking for the PIN.

8. Test
Still in Windows 10 I've once again reset the Yubikey, deleted the passkey from my xenforo.com account.
Afterwards I've added a new Add Passkey button with attributes data-user-verification="required" and data-resident-key="required"
Result: After clicking the created button to register a new credentials, logging in with PIN verification worked afterwards with Chrome in Windows 10 and Edge in Windows 11.
Logging in also worked in firefox - but without asking for a PIN.

Conclusion
The current parameters used to register credentials do not properly create a Passkey on security keys like the Yubikey.
Depending on the Windows version they create a redident (Windows 11) or Non-Resident (Windows 10) key.
Depending on the browser (engine) used the UV (user verification) flag is either set (Chrome/Chromium) or not (Firefox).
This setup ist not only partly non-functional but also IMHO dangerous as it creates credentials that can be used without user verification.

@Sim
Did you test a login with Firefox?

 

[Sim]

Did you test a login with Firefox?

Not yet - have been travelling for the past couple of days.