Passkeys not working on certain sites #10374
Comments
It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side. |
GitLab does not set |
Good thought, I've added the browser for my entries. |
PayPal says in their FAQ:
It's possible to register a 2FA security key to KeePassXC, but when trying to authenticate it, the request only supports |
Seems a little strange to allow registration though? How come there is no constraint on that side? |
This works because we allow |
Hello, I have also found another website
|
My question is how to add a passkey on KeePass? It only shows an option to "import passkey", but most sites I use passkeys on don't have an option to export passkeys. Edit: Okay, had to enable it in the extension. Getting error - Origin and RP ID do not match. on techlore forum |
I have tried to add a Passkey to coinbase.com using the Firefox browser extension. KeePassXC 2.7.7 added this key to its database, but Coinbase stored it as a security key (just like a YubiKey). Now, when trying to authenticate, Coinbase can't find the security key, possibly because it's requesting only usb and nfc:
After patching |
Deleted Namecheap from the list. They only support U2F keys. |
Seems GitLab is using this extension: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-appid-extension (which we are not handling yet). |
keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites. |
I've put test results for my entries (and passkey.org) in the table now - it's fixed PayPal and Discourse. I also removed Google from the table as that is now working with the current extension version. Maybe a change on their end or I did something differently. |
In my own testing Nintendo should also be fixed. For Playstation.com I could not log in even with normal credentials (there's always some error). With Microsoft I managed to create a Passkey and log in normally. After that I tried it again and then it just gave me OS/browser level popups again. I really don't know why it fails most of the tries. Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible. (If anyone wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.) |
This seems like a Keycloak issue, that is already resolved: keycloak/keycloak#20832 |
Enable Debug Logging from the browser extension settings and inspect the JavaScript console via Inspect when right-clicking on the web page. It should show you the Public Key object during register (do not paste any IDs or actual data from it here). |
Yes. That object should include the |
No luck with Nintendo, but here is the debug output for Wikipedia:
|
@t4moxjc7 Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange. EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems. |
Strange, Nintendo doesn't work for me on Brave Browser, "Passkeys cannot be used on this device." And Microsoft: I can't even find where to add passkeys. I can add hardware keys (such as a YubiKey). When I want to convert my account to a passwordless account, it wants me to scan a QR code via the MS authenticator app. |
bitwarden.com doesn't work for me. Error message:
Debug output:

```
{
  "attestation": "none",
  "authenticatorSelection": {
    "requireResidentKey": true,
    "userVerification": "required"
  },
  "challenge": "<redacted>",
  "extensions": {
    "prf": {}
  },
  "pubKeyCredParams": [
    { "type": "public-key", "alg": -7 },
    { "type": "public-key", "alg": -257 },
    { "type": "public-key", "alg": -37 },
    { "type": "public-key", "alg": -35 },
    { "type": "public-key", "alg": -258 },
    { "type": "public-key", "alg": -38 },
    { "type": "public-key", "alg": -36 },
    { "type": "public-key", "alg": -259 },
    { "type": "public-key", "alg": -39 },
    { "type": "public-key", "alg": -8 }
  ],
  "rp": {
    "id": "vault.bitwarden.com",
    "name": "Bitwarden"
  },
  "timeout": 60000,
  "excludeCredentials": [],
  "user": { <redacted> }
}
```
|
@CrendKing We don't support the |
@wichtounet That sounds a bit weird. Do you have multiple passkeys defined under the problematic account? I think the creation should fail for every account if there's a systematic problem. You can enable debug logging from the browser and see if the public keys created have some differences. It could help narrow down the issue. (Do not paste them here without omitting important data) |
@varjolintu I have two passkeys, each for a different email. I have looked into the debug messages. One thing I have noticed is that for the passkey that works, one of the challenges is matching KPEY_PASSKEY_CREDENTIAL_ID. For the passkey that does not work, none of the challenges is matching this value. Should I regenerate the passkey that does not work? |
@wichtounet That's worth trying. |
@varjolintu Updating the passkey did the trick! I must have done something dumb to break it. Thanks! |
I had no issues creating a passkey and logging into my PlayStation account. However, I decided to remove the passkey and stopped using it because PlayStation disables other login methods, including your password, when a passkey is enabled. This limitation doesn’t make any sense to me. |
One more Microsoft/Live.com doesn't work datapoint. I got prompted from Skype's web version to try to enroll, the URL even had passkey in it, anyway ... on both Firefox and Brave I only get the macOS (Sonoma 14.6) native prompt. (On Brave when I cancel the native prompt Brave offers to save the passkey in a few places: iCloud Keychain, phone/tablet, brave profile, USB security key.) |
Update on X / Twitter: Passkeys are only supported with Android and iOS. The security key option triggers the browser level dialog instead. |
Creating a passkey in dynadot.com does not work. After the entry is added to KeePassXC's database, the website does nothing. |
Enable Debug Logging in the extension and see if there are any error messages in the console. |
Here's the log for dynadot.com
|
For Microsoft, on https://account.live.com/ :
|
|
Yahoo's implementation of Passkeys does not seem to trigger the extension the first time. It is getting forwarded to the system dialog. Cancelling the first try and clicking Try Again triggers the KeePassXC dialog.
|
@Kariton Is there some kind of list in their site that shows what devices or browsers are supported? I couldn't find any information. |
A NextCloud instance also does not seem to be able to log in. URL: https://siljak.next-cloud.org/index.php/login |
@alensiljak If you enable debugging in the extension, can you see what RP ID is used for authentication? Does that match with the RP ID in the saved passkey entry ( |
@alensiljak There also appears to be a Nextcloud bug affecting all passwordless login. Maybe try the workaround listed in that issue as well? |
@alensiljak What happens if you write the correct username manually and try to authenticate? EDIT: To not spam this thread, I'd suggest creating a separate issue that we can link as a subissue. |
@varjolintu I was unable to find any information about that. |
Not working
Restrictions
Instructions
Enable Debug Logging from the extension settings and see if the Web Developer / JavaScript console has any error messages. That is helpful for detecting possible errors.
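A helper for the debugging step described above (inspect the Public Key object from the console, then share it without IDs), as an added example that is not KeePassXC or extension code. The function names, finding labels and sample request are assumptions, and the RP ID comparison is a simplified form of the WebAuthn rule that skips the Public Suffix List.

```javascript
// Added example: triage a WebAuthn request object copied from the console as JSON.
// Simplified RP ID rule: the RP ID must equal the origin's host or be a parent
// domain of it (a complete check also consults the Public Suffix List).
function rpIdMatchesOrigin(origin, rpId) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Returns labels (hypothetical names) for the problem patterns seen in this thread.
function triage(origin, publicKey) {
  const findings = [];
  // create() requests carry rp.id, get() requests carry rpId; default is the host.
  const rpId = publicKey.rp?.id ?? publicKey.rpId ?? new URL(origin).hostname;
  if (!rpIdMatchesOrigin(origin, rpId)) findings.push("rp-id-mismatch");
  // Sign-in request whose credentials all list only roaming transports.
  const roaming = new Set(["usb", "nfc", "ble"]);
  const creds = publicKey.allowCredentials ?? [];
  if (creds.length > 0 && creds.every(c =>
      (c.transports ?? []).length > 0 && c.transports.every(t => roaming.has(t)))) {
    findings.push("roaming-transports-only");
  }
  // List requested extensions (e.g. appid, prf) so they can be reported.
  for (const name of Object.keys(publicKey.extensions ?? {})) {
    findings.push("extension:" + name);
  }
  return findings;
}

// Blank out values that identify the account or credential before sharing.
function redact(publicKey) {
  const copy = JSON.parse(JSON.stringify(publicKey));
  if ("challenge" in copy) copy.challenge = "<redacted>";
  if ("user" in copy) copy.user = "<redacted>";
  for (const list of ["allowCredentials", "excludeCredentials"]) {
    for (const cred of copy[list] ?? []) cred.id = "<redacted>";
  }
  return copy;
}

// Constructed sign-in request for a hypothetical site (not real data).
const sample = {
  challenge: "c2FtcGxl",
  rpId: "login.example.org",
  allowCredentials: [{ type: "public-key", id: "Y3JlZA", transports: ["usb", "nfc"] }],
  extensions: { appid: "https://example.com/app-id.json" },
};
console.log(triage("https://www.example.com", sample));
console.log(JSON.stringify(redact(sample), null, 2));
```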