Passkeys not working on certain sites #10374
Comments
t4moxjc7
changed the title
t4moxjc7
changed the title
|
It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side. |
|
GitLab does not set |
Good thought, I've added the browser for my entries. |
|
PayPal says in their FAQ:
It's possible to register a 2FA security key to KeePassXC, but when trying to authenticate it, the request only supports |
|
Seems a little strange to allow registration though? How come there is no constraint on that side? |
This works because we allow |
|
Hello, i have also found another website
|
|
My question is how to add passkey on keepass? It only shows an option to "impport passkey" but most sites I use passkey on don't have an option to export passkeys Edit: Okay had to enable in the extension Getting error - Origin and RP ID do not match. on techlore forum |
|
I have tried to add a Passkey to coinbase.com using the Firefox browser extension. KeePassXC 2.7.7 added this key to its database, but Coinbase stored it as a security key (just like a YubiKey). Now, when trying to authenticate, Coinbase can't find the security key, possibly because it's requesting only usb and nfc: After patching |
|
Deleted Namecheap from the list. They only support U2F keys. |
|
Seems GitLab is using this extension: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-appid-extension (which we are not handling yet). |
|
keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites. |
I've put test results for my entries (and passkey.org) in the table now - its fixed PayPal and Discourse. I also removed google from the table as that is now working with the current extension version. Maybe a change on their end or I did something differently. |
|
In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error). With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries. Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible. (If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.) |
This seems like a Keycloak issue, that is already resolved: keycloak/keycloak#20832 |
Enable Debug Logging from the browser extension settings and inspect the JavaScript console via Inspect when right-clicking on the web page. It should show you the Public Key object during register (do not paste any ID's or actual data from it here). |
Yes. That object should include the |
No luck with Nintendo, but here is the debug output for Wikipedia: |
|
@t4moxjc7 Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange. EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems. |
Strange, Nintendo doesn´t work for me on Brave Browser, "Passkeys cannot be used on this device." And Microsoft: I can´t even find where to add passkeys. I can add hardware keys (such as a yubikey). When want to convert my account to a passwordless account, it wants me to scan a qr code via the MS authenticator app. |
|
bitwarden.com doesn't work for me. Error message: Debug output: {
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": true,
"userVerification": "required"
},
"challenge": "<redacted>",
"extensions": {
"prf": {}
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -8
}
],
"rp": {
"id": "vault.bitwarden.com",
"name": "Bitwarden"
},
"timeout": 60000,
"excludeCredentials": [],
"user": { <redacted> }
} |
|
@CrendKing We don't support the |
|
Can´t create MS passkeys. It should be already rolled out here in germany, but the extension windows just doesn´t show up. I can only create passkeys for USB devices. Keepass 2.7.8., extension 1.9.0.4 with brave browser. |
|
I've just tried to use Passkeys instead of hardware Yubikey dongle. I was able to enroll KeepassXC as 'biometric' authenticator. But unfortunately Could it be because I'm getting just 'rpId' property instead of 'rp' dict? |
|
@dionorgua Does this happen on register or authentication phase? |
|
@varjolintu sorry for being not clear. It's authentication phase. So I was able to 'enroll' passkey. PingId UI shows it as 'Biometric' authentication. Also I can confirm that I can register and authenticate at https://demo.yubico.com/ so most likely my setup is good. EDIT: I've tested only a few sites and it works. Where it doesn't work is PingId authenticator PS. it's KeepassXC 2.7.8 and KeepassXC-browser 1.9.0.3 |
|
playstation.com and gitlab.com works for me, with Firefox and KeePassXC 2.7.8. |
|
Me too, with Paypal's passkeys. |
|
I may have found another website where creating a passkey using KeePassXC does not work. Passkey Action: Create Can anyone confirm or deny whether my assumption seems correct? |
|
Really, I didn't get to register the Microsoft's passkey with KeePassXC. I'm using Librewolf and Ungoogled Chromium and tested in Chrome, and it didn't work, because ask me for a security key. |
|
For Bitwarden Vault; Settings > Security > Two-step login > WebAuthn option works with KeepassXC passkey. I can authenticate as 2FA option if this helps, the devs please check and compare with Login passkey issues.
|
|
Hello! Would it be possible to consider emulating a USB device? I believe this could resolve the const response = Object.create(AuthenticatorAttestationResponse.prototype);
response.getPublicKeyAlgorithm();
// Uncaught TypeError: 'getPublicKeyAlgorithm' called on an object that does not implement interface AuthenticatorAttestationResponse.Example of USB emulation: |
|
@bugshunter673 I already have the |
|
|
Seems no matter what I do can't get Microsoft Office 365 to trigger this. From what I understand Corporate users are forced to use real USB / NFC security keys. I will try creating a personal Microsoft account and see what happens. Also for some stupid reason ebay under security settings on my account the passkey option is never listed. I even checked the two factor auth area. Nadda. Weird. All other accounts it's working perfectly including Bank of America. I do have few USB hardware security keys including Yubico for testing at work but I prefer KeePassXC as the database is sync'd to my self hosted nextcloud server. Happy with this setup. KeePassXC - 2.7.9 |
|
Pixiv (https://accounts.pixiv.net/passkeys) is another site that does not work yet.
It reports "You cannot create a passkey on this device/browser." when you try to register, though this seems to be based on User Agent sniffing. When faking Chrome's user agent registration is allowed, but fails with the following error: Error message in passkeys.js:79:28The passkey was created in KeePassXC, but Pixiv fails on the registration ("An error occurred. Please reload the page and try again."). |
|
Before, I was able to create and use a passkey on accounts.google.com but it does not work anymore. I have upgraded Keepass and Google Chrome to the latest versions but it did not change anything. The only thing I see is "no logins found" even though my passkey is present in the database and the URL appears to be correct. Edit: It's even weirder because I have multiple Google accounts and another one works with the passkey, but not the first one :( |
|
@wichtounet That sounds a bit weird. Do you have multiple passkeys defined under the problematic account? I think the creation should fail for every account if there's a systematic problem. You can enable debug logging from the browser and see if the public keys created have some differences. It could help narrow down the issue. (Do not paste them here without omitting important data) |
|
@varjolintu I have two passkeys, each for a different email. I have looked into the debug messages. One thing I have noticed is that for the passkey that works, one of the challenges is matching KPEY_PASSKEY_CREDENTIAL_ID. For the passkey that does not work, nones of the challenges is matching this value. Should I regenerate the passkey that does not work? |
|
@wichtounet That's worth trying. |
|
@varjolintu Updating the passkey did the trick! I must have done something dumb to break it. Thanks! |
|
|
I had no issues creating a passkey and logging into my PlayStation account. However, I decided to remove the passkey and stopped using it because PlayStation disables other login methods, including your password, when a passkey is enabled. This limitation doesn’t make any sense to me. |
|
One more Microsoft/Live.com doesn't work datapoint. I got prompted from Skype's web version to try to enroll, the URL even had passkey in it, anyway ... on both Firefox and Brave I only get the macOS (Sonoma 14.6) native prompt. (On Brave when I cancel the native prompt Brave offers to save the passkey in a few places: iCloud Keychain, phone/tablet, brave profile, USB security key.) |
and others
Not working
Restrictions
The text was updated successfully, but these errors were encountered: