Passkeys not working on certain sites #10374
Comments
t4moxjc7
changed the title
t4moxjc7
changed the title
|
It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side. |
|
GitLab does not set |
Good thought, I've added the browser for my entries. |
|
PayPal says in their FAQ:
It's possible to register a 2FA security key to KeePassXC, but when trying to authenticate it, the request only supports |
|
Seems a little strange to allow registration though? How come there is no constraint on that side? |
This works because we allow |
|
Hello, i have also found another website
|
|
My question is how to add passkey on keepass? It only shows an option to "impport passkey" but most sites I use passkey on don't have an option to export passkeys Edit: Okay had to enable in the extension Getting error - Origin and RP ID do not match. on techlore forum |
|
I have tried to add a Passkey to coinbase.com using the Firefox browser extension. KeePassXC 2.7.7 added this key to its database, but Coinbase stored it as a security key (just like a YubiKey). Now, when trying to authenticate, Coinbase can't find the security key, possibly because it's requesting only usb and nfc: After patching |
|
Deleted Namecheap from the list. They only support U2F keys. |
|
Seems GitLab is using this extension: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-appid-extension (which we are not handling yet). |
|
keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites. |
I've put test results for my entries (and passkey.org) in the table now - its fixed PayPal and Discourse. I also removed google from the table as that is now working with the current extension version. Maybe a change on their end or I did something differently. |
|
In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error). With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries. Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible. (If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.) |
This seems like a Keycloak issue, that is already resolved: keycloak/keycloak#20832 |
Enable Debug Logging from the browser extension settings and inspect the JavaScript console via Inspect when right-clicking on the web page. It should show you the Public Key object during register (do not paste any ID's or actual data from it here). |
Yes. That object should include the |
No luck with Nintendo, but here is the debug output for Wikipedia: |
|
@t4moxjc7 Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange. EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems. |
Strange, Nintendo doesn´t work for me on Brave Browser, "Passkeys cannot be used on this device." And Microsoft: I can´t even find where to add passkeys. I can add hardware keys (such as a yubikey). When want to convert my account to a passwordless account, it wants me to scan a qr code via the MS authenticator app. |
|
bitwarden.com doesn't work for me. Error message: Debug output: {
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": true,
"userVerification": "required"
},
"challenge": "<redacted>",
"extensions": {
"prf": {}
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -8
}
],
"rp": {
"id": "vault.bitwarden.com",
"name": "Bitwarden"
},
"timeout": 60000,
"excludeCredentials": [],
"user": { <redacted> }
} |
|
@CrendKing We don't support the |
|
Various people (including myself) have problems with eBay and passkey usage, region-independent as it seems. The following issues are in Bitwarden sites, but I have the exact same experience with KeePassXC 2.7.7 and extension 1.9.0.3 (on Brave, Windows 11): bitwarden/clients#7456 and bitwarden/clients#7785 There, I wrote about my experience in detail. And so far, nobody seems to have a clue - or at least make it public - of what may be the reason, why the browser extensions don't intercept the passkey request in the log-in process. (to me it seems, the ebay site directly sends the request to the OS - and third-party password managers can't (or at least don't?) intercept the login-request) |
|
And an info about Microsoft, what was also disussed here: On another forum, someone posted this: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra/ba-p/3796395 There, the first point after the overview - "Changes to FIDO2 authentication methods and Windows Hello for Business") - states more or less (and if I understand correctly) that for corporate users, only a physical security key / device-bound passkey is possible. (and it seems, for private users there are also synced passkeys possible) So in a way, both infos are true - and with Microsoft, one maybe has to distinguish between "business" and "private" user, regarding passkeys. |
|
Some sites are, we SUSPECT, doing browser finger printing and denying use of PassKeys based on that information. I believe this to be true for ebay, PayPal, and Microsoft at the least. Microsoft works sometimes which points to some heuristic BS in my opinion. |
|
@droidmonkey Ah, thanks for the first clue! So you don't see how you could "catch" that passkey request / improve that, because ebay etc. "block" it from happening (so to speak)? - BTW: In that occasion, I first noticed that (in my case) Windows 11 doesn't offer to "put the request through/back" to e.g. KeePassXC... However, passkeys are still in it's infancy... |
|
Yes, if the browser doesn't call up the callback, we can not intercept it. For a good number of these sites, they only support passkeys on mobile devices and a select few desktop browsers / versions. |
|
Well, I've just tried ebay.com (on Windows 11 and the latest Chrome) and again - passkey support works perfect in Enpass (software-based passkeys support) password manager. I've created an account on ebay.com, properly stored passkey in Enpass on request and then successfully logged in with passkey from Enpass. |
|
@lichwala I just created a passkey for my eBay account without any problems. Authentication works as expected. |
|
@lichwala and @varjolintu Do the passkeys still work, when you close and open the browser or restart the PC? Because, (only) the first login with passkey, directly after creation of the passkey, worked for me as well. But after browser closing or restart, eBay never again even offers me to use the passkey. I just tested it again, though with Bitwarden, and two things happen for me:
And this was the same experience for me, as I tried it with KeePassXC a few weeks ago. So, again, the first login after creation was no problem at all. But after that, it never works again for me. On what systems and browsers are you? Maybe this has an influence as well, if it works for you and not for me (and others)? |
|
@pamperer562580892423 I can reproduce the same: eBay does not offer passkeys login if the browser is restarted. Maybe they are storing that info to a cookie or temporary localStorage during register? I created my eBay passkey with the latest Firefox on macOS. |
|
@varjolintu The thought of a cookie or something occurred to me as well. And then, not a comprehensive test, but as of now it seems to be pretty much platform independent. |
|
It would be preferred that sites do not restrict passkeys use in any way. It just breaks 3rd party password managers. And the browsers will (should) return and error if there are compatibility issues anyways. |
|
Yes, I agree. But just a thought: Instead of waiting for a passkey request from the browser, would it be possible to initiate the passkey-login proactively (meaning, initiating the passkey login from KeePassXC or the browser extension, instead of initiating it on the website in the browser)? PS: Of course it is not possible now - but could something like that be implemented? Not for eBay alone, but, as you wrote, to maybe "circumvent" third-party password manager restrictions in the future as well? (of course, this would only work, if at least passkey creation successes - like it does with eBay now...) PPS: I mean, the domain is bound to the passkey. I don't know if a "passkey request" technically could be initiated from the browser/password manager to the WebAuthn API or whatever, at that to-the-passkey-bound-domain? But maybe this is not possible, and not in the WebAuthn specs / the process doesn't work that way around? |
|
@pamperer562580892423 Triggering a request would mean submitting a login form anyway, because the first request always comes from the server side. |
@varjolintu I tested today on firefox and brave, I can't create a passkey. |
Microsoft just announced that they will support passkeys with all consumer accounts, but it seems on desktop it's restricted to Windows. I'm not surprised if it still doesn't work correctly. |
I tested with Bitwarden (Firefox, Linux) and it always works regardless how many times I tried. |
Good to know. I need to figure out why our extension does not receive the requests. EDIT: Just retested this, and I could create a new passkey every time, plus signin also worked. Tested with Firefox (macOS). Extension version 1.9.0.3, which is not the latest. 1.9.0.4 was just released but not yet updated to the stores. |
|
Microsoft often does slow rolling releases. Always good to give a solid week after an announcement from them. |
|
Can´t create MS passkeys. It should be already rolled out here in germany, but the extension windows just doesn´t show up. I can only create passkeys for USB devices. Keepass 2.7.8., extension 1.9.0.4 with brave browser. |
|
I've just tried to use Passkeys instead of hardware Yubikey dongle. I was able to enroll KeepassXC as 'biometric' authenticator. But unfortunately Could it be because I'm getting just 'rpId' property instead of 'rp' dict? |
|
@dionorgua Does this happen on register or authentication phase? |
|
@varjolintu sorry for being not clear. It's authentication phase. So I was able to 'enroll' passkey. PingId UI shows it as 'Biometric' authentication. Also I can confirm that I can register and authenticate at https://demo.yubico.com/ so most likely my setup is good. EDIT: I've tested only a few sites and it works. Where it doesn't work is PingId authenticator PS. it's KeepassXC 2.7.8 and KeepassXC-browser 1.9.0.3 |
|
playstation.com and gitlab.com works for me, with Firefox and KeePassXC 2.7.8. |
|
Me too, with Paypal's passkeys. |
|
I may have found another website where creating a passkey using KeePassXC does not work. Passkey Action: Create Can anyone confirm or deny whether my assumption seems correct? |
|
Really, I didn't get to register the Microsoft's passkey with KeePassXC. I'm using Librewolf and Ungoogled Chromium and tested in Chrome, and it didn't work, because ask me for a security key. |
|
For Bitwarden Vault; Settings > Security > Two-step login > WebAuthn option works with KeepassXC passkey. I can authenticate as 2FA option if this helps, the devs please check and compare with Login passkey issues.
|
and others
Not working
Restrictions
The text was updated successfully, but these errors were encountered: