Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passkeys not working on certain sites #10374

Open
t4moxjc7 opened this issue Mar 10, 2024 · 93 comments
Open

Passkeys not working on certain sites #10374

t4moxjc7 opened this issue Mar 10, 2024 · 93 comments

Comments

@t4moxjc7
Copy link

t4moxjc7 commented Mar 10, 2024

Not working

Browser Passkey Action URL Website error KeepassXC error Notes Team response PR 2141 a80fe66 fixes issue v1.9.0.3 fixes this issue
Chromium Create https://en.wikipedia.org InvalidArgumentException [none - prompt can be gone through successfully before website error] This may not be a KeepassXC bug, as it worked on another MediaWiki wiki. No No
Chromium Create https://www.playstation.com A passkey couldn't be created for this device or you cancelled creating a passkey. No supported algorithms were provided No No
Chromium Use https://gitlab.com 404. [None] No
Edge Create https://bestbuy.com Unspecified Error
Chromium Create https://microsoft.com We encountered an issue setting up your security key. [none - prompt can be gone through successfully before website error] Only security keys can be registered. No No
Brave, Chromium Create https://passkey.org/ [blank error] [none - prompt can be gone through successfully before website error] No (on Chromium) No (on Chromium)
Firefox Use https://coinbase.com #10374 (comment)
Chrome Register https://vercel.com "Passkey registration could not be verified. Please try again." [none - prompt can be gone through successfully before website error] in debug console there is "400 bad request" in final step. #10486
Chrome Create https://zoho.com "Use device instead of security key" None Will be fixed in the next version No No
Firefox, Chromium Create https://x.com / https://twitter.com

Restrictions

Website Restricted to / explanation
Amazon With desktop only Chrome works
Kayak Only works with Chrome with newer operating systems
Nintendo Only works with Chrome
PayPal "Passkeys can only be created on devices for which you have set up a screen lock with Chrome (Android or Apple iOS devices) and Safari (Apple devices only) browsers". However, a security key can be registered instead.
@t4moxjc7 t4moxjc7 added the bug label Mar 10, 2024
@t4moxjc7 t4moxjc7 changed the title Passkeys not working on certain sites Creating passkeys not working on certain sites Mar 10, 2024
@t4moxjc7 t4moxjc7 changed the title Creating passkeys not working on certain sites Passkeys not working on certain sites Mar 10, 2024
@varjolintu
Copy link
Member

varjolintu commented Mar 10, 2024

It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side.

@varjolintu varjolintu self-assigned this Mar 10, 2024
@droidmonkey droidmonkey pinned this issue Mar 10, 2024
@varjolintu
Copy link
Member

GitLab does not set rp.id at all, and one check on KeePassXC side fails (the check returns too soon). Eventually this must be fixed on KeePassXC side, but we can also add an exception to the extension.

@t4moxjc7
Copy link
Author

It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side.

Good thought, I've added the browser for my entries.

@varjolintu
Copy link
Member

varjolintu commented Mar 10, 2024

PayPal says in their FAQ:

Who can set up a passkey?
Passkeys are currently available for eligible personal and premier accounts. Passkeys can only be created on devices for which you have set up a screen lock with Chrome (Android or Apple devices) and Safari (Apple devices only) browsers.

It's possible to register a 2FA security key to KeePassXC, but when trying to authenticate it, the request only supports usb, nfc and ble transports. KeePassXC currently requires internal to be in this list.

@droidmonkey
Copy link
Member

Seems a little strange to allow registration though? How come there is no constraint on that side?

@varjolintu
Copy link
Member

Seems a little strange to allow registration though? How come there is no constraint on that side?

This works because we allow cross-platform authenticators as well, possibly acting as security keys. Microsoft's site is the same, but there's no separate Passkeys section at all. Just a security key option.

@klixx23
Copy link

klixx23 commented Mar 11, 2024

Hello,

i have also found another website

Browser Passkey Action URL Website error KeepassXC error Notes
Brave create https://passkey.org/ [none] PassKey created and save in database, but login is not possible

@traviss64
Copy link

traviss64 commented Mar 11, 2024

My question is how to add passkey on keepass? It only shows an option to "impport passkey" but most sites I use passkey on don't have an option to export passkeys

Edit: Okay had to enable in the extension

Getting error - Origin and RP ID do not match. on techlore forum

@luzat
Copy link
Contributor

luzat commented Mar 11, 2024

I have tried to add a Passkey to coinbase.com using the Firefox browser extension. KeePassXC 2.7.7 added this key to its database, but Coinbase stored it as a security key (just like a YubiKey). Now, when trying to authenticate, Coinbase can't find the security key, possibly because it's requesting only usb and nfc:

{
  "challenge": "***",
  "enterpriseAttestationPossible": false,
  "rpId": "coinbase.com",
  "timeout": 30000,
  "userVerification": "discouraged",
  "allowCredentials": [
    {
      "id": "***",
      "transports": [
        "usb",
        "nfc"
      ],
      "type": "public-key"
    }
  ]
}

After patching kpxcPasskeysUtils.buildCredentialRequestOptions in passkey-utils.js (transports: [...transports, 'internal']) I was able to authenticate with Coinbase again, even though it requested an external key. An advanced option in KeePassXC to allow handling usb and nfc requests would be helpful. Also, the original registration should either not have succeeded or somehow indicated that the key is a Passkey, not a hardware security key.

@varjolintu
Copy link
Member

Deleted Namecheap from the list. They only support U2F keys.

@varjolintu
Copy link
Member

varjolintu commented Mar 11, 2024

Seems GitLab is using this extension: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-appid-extension (which we are not handling yet).

@varjolintu
Copy link
Member

keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites.

@t4moxjc7
Copy link
Author

t4moxjc7 commented Mar 11, 2024

keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites.

I've put test results for my entries (and passkey.org) in the table now - its fixed PayPal and Discourse.

I also removed google from the table as that is now working with the current extension version. Maybe a change on their end or I did something differently.

@varjolintu
Copy link
Member

varjolintu commented Mar 12, 2024

In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error).

With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries.

Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible.

(If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.)

@varjolintu
Copy link
Member

For MangaDex (which uses Keycloak), I am unable to set up a passkey since it returns the following:

Security key registration result is invalid.
9: No supported algorithms were provided.

(Note: I can create and use passkeys with GitHub, so I am wondering whether MangaDex's issue is similar to bitwarden/clients#6804 .)

This seems like a Keycloak issue, that is already resolved: keycloak/keycloak#20832
Can you verify if the algorithm identifier is still a string with the site you are using?

@varjolintu
Copy link
Member

varjolintu commented Mar 12, 2024

Can you verify if the algorithm identifier is still a string with the site you are using?

How do I check the algorithm identifier (on Firefox)?

Enable Debug Logging from the browser extension settings and inspect the JavaScript console via Inspect when right-clicking on the web page. It should show you the Public Key object during register (do not paste any ID's or actual data from it here).

@varjolintu
Copy link
Member

Is this the information you requested?

[Debug passkeys.js:36] KeePassXC-Browser - publicKey global.js:124:13
(... ... ...) pubKeyCredParams: (6) (... ... ...) global.js:127:17
[Debug keepassxc-browser.js:843] KeePassXC-Browser - No supported algorithms were provided. global.js:124:13

Yes. That object should include the pubKeyCredParams list.

@t4moxjc7
Copy link
Author

In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error).

With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries.

Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible.

(If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.)

No luck with Nintendo, but here is the debug output for Wikipedia:

{
    "attestation": "none",
    "authenticatorSelection": {
        "requireResidentKey": false,
        "userVerification": "preferred"
    },
    "challenge": "[removed]",
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -7
        }
    ],
    "rp": {
        "name": "Wikipedia",
        "id": "en.wikipedia.org"
    },
    "timeout": 60000,
    "excludeCredentials": [],
    "user": {
        "displayName": "[removed]",
        "id": "[removed]",
        "name": "[removed]"
    }
}

@varjolintu
Copy link
Member

varjolintu commented Mar 12, 2024

@t4moxjc7 Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange.

EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems.

@Ollipop030
Copy link

Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange.

EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems.

Strange, Nintendo doesn´t work for me on Brave Browser, "Passkeys cannot be used on this device."

And Microsoft: I can´t even find where to add passkeys. I can add hardware keys (such as a yubikey). When want to convert my account to a passwordless account, it wants me to scan a qr code via the MS authenticator app.

@CrendKing
Copy link

CrendKing commented Mar 13, 2024

bitwarden.com doesn't work for me. Error message:

Error creating passkey

There was a problem creating your passkey.

Debug output:

{
    "attestation": "none",
    "authenticatorSelection": {
        "requireResidentKey": true,
        "userVerification": "required"
    },
    "challenge": "<redacted>",
    "extensions": {
        "prf": {}
    },
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -7
        },
        {
            "type": "public-key",
            "alg": -257
        },
        {
            "type": "public-key",
            "alg": -37
        },
        {
            "type": "public-key",
            "alg": -35
        },
        {
            "type": "public-key",
            "alg": -258
        },
        {
            "type": "public-key",
            "alg": -38
        },
        {
            "type": "public-key",
            "alg": -36
        },
        {
            "type": "public-key",
            "alg": -259
        },
        {
            "type": "public-key",
            "alg": -39
        },
        {
            "type": "public-key",
            "alg": -8
        }
    ],
    "rp": {
        "id": "vault.bitwarden.com",
        "name": "Bitwarden"
    },
    "timeout": 60000,
    "excludeCredentials": [],
    "user": { <redacted> }
}

@varjolintu
Copy link
Member

@CrendKing We don't support the prf extension yet, which is required by Bitwarden's login.

@Ollipop030
Copy link

Can´t create MS passkeys. It should be already rolled out here in germany, but the extension windows just doesn´t show up. I can only create passkeys for USB devices. Keepass 2.7.8., extension 1.9.0.4 with brave browser.

@dionorgua
Copy link

I've just tried to use Passkeys instead of hardware Yubikey dongle. I was able to enroll KeepassXC as 'biometric' authenticator. But unfortunately keepassxc-browser prints "No logins found" error.

Could it be because I'm getting just 'rpId' property instead of 'rp' dict?

Object { challenge: "BDPZL-EDITED3", enterpriseAttestationPossible: false, extensions: undefined, rpId: "pingone.eu", timeout: 120000, userVerification: "required", allowCredentials: (1) […] }
​
allowCredentials: Array [ {…} ]
​  0: Object { id: "EDITED1-EDITED2", transports: (1) […], type: "public-key" }
​​​    id: "EDITED1-EDITED2"
​​​    transports: Array [ "internal" ]
​​​    type: "public-key"
  <prototype>: Object { shadowSelector: shadowSelector(value), shadowSelectorAll: shadowSelectorAll(value)
, … }
​​
length: 1
​​
<prototype>: Array []
challenge: "BDPZL-EDITED3"
enterpriseAttestationPossible: false
​extensions: undefined
​rpId: "pingone.eu"
​timeout: 120000
​userVerification: "required"

@varjolintu
Copy link
Member

@dionorgua Does this happen on register or authentication phase?

@dionorgua
Copy link

dionorgua commented May 7, 2024

@varjolintu sorry for being not clear. It's authentication phase. So I was able to 'enroll' passkey. PingId UI shows it as 'Biometric' authentication. Also I can confirm that I can register and authenticate at https://demo.yubico.com/ so most likely my setup is good.

EDIT: I've tested only a few sites and it works. Where it doesn't work is PingId authenticator

PS. it's KeepassXC 2.7.8 and KeepassXC-browser 1.9.0.3

@lapo-luchini
Copy link

playstation.com and gitlab.com works for me, with Firefox and KeePassXC 2.7.8.

@directentis1
Copy link

Me too, with Paypal's passkeys.

@Gusti-broesmeli
Copy link

I may have found another website where creating a passkey using KeePassXC does not work.
Website: binance.com
Browser: Brave
KeePassXC-Browser-Version: 1.9.0.5
KeePassXC-Version: 2.7.8

Passkey Action: Create
KeepassXC error: No logins found

Can anyone confirm or deny whether my assumption seems correct?

@kevinlucasilva
Copy link

Really, I didn't get to register the Microsoft's passkey with KeePassXC.

I'm using Librewolf and Ungoogled Chromium and tested in Chrome, and it didn't work, because ask me for a security key.

@linuxtopia
Copy link

linuxtopia commented May 27, 2024

For Bitwarden Vault;

Settings > Security > Two-step login > WebAuthn

option works with KeepassXC passkey. I can authenticate as 2FA option if this helps, the devs please check and compare with Login passkey issues.

image

image

@bugshunter673
Copy link

bugshunter673 commented Jun 8, 2024

Hello! Would it be possible to consider emulating a USB device? I believe this could resolve the Uncaught TypeError issue related to getPublicKeyAlgorithm and the AuthenticatorAttestationResponse interface and other errors.
What are your thoughts on this approach?

const response = Object.create(AuthenticatorAttestationResponse.prototype);
response.getPublicKeyAlgorithm();
// Uncaught TypeError: 'getPublicKeyAlgorithm' called on an object that does not implement interface AuthenticatorAttestationResponse.

Example of USB emulation:
https://github.com/psanford/tpm-fido/blob/main/fidohid/fidohid.go#L212

Relevant code:
https://github.com/keepassxreboot/keepassxc-browser/blob/72832c1a5b3bc82add6cbb62a39c7bb79f591e1a/keepassxc-browser/content/passkeys.js#L37

@varjolintu
Copy link
Member

@bugshunter673 I already have the getPublicKeyAlgorithm() ready but getPublicKey() still needs a bit tuning. But at least I'm adding the first one to 1.9.1.

@bugshunter673
Copy link

@varjolintu Apologies, I didn't notice your pull request ...

@NoahDar
Copy link

NoahDar commented Jun 19, 2024

Seems no matter what I do can't get Microsoft Office 365 to trigger this. From what I understand Corporate users are forced to use real USB / NFC security keys. I will try creating a personal Microsoft account and see what happens.

Also for some stupid reason ebay under security settings on my account the passkey option is never listed. I even checked the two factor auth area. Nadda. Weird.

All other accounts it's working perfectly including Bank of America. I do have few USB hardware security keys including Yubico for testing at work but I prefer KeePassXC as the database is sync'd to my self hosted nextcloud server. Happy with this setup.

KeePassXC - 2.7.9
KeePassXC-Browser - 1.9.0.5
Operating system: Linux x86_64
Browser: Chrome/Chromium 126.0.0.0

@Fraetor
Copy link

Fraetor commented Jun 23, 2024

Pixiv (https://accounts.pixiv.net/passkeys) is another site that does not work yet.

Versions
Firefox 127.0 (64-bit)
Fedora Linux 40 (x86_64)
Keepass 2.7.8
KeePassXC-Browser 1.9.0.5

It reports "You cannot create a passkey on this device/browser." when you try to register, though this seems to be based on User Agent sniffing. When faking Chrome's user agent registration is allowed, but fails with the following error:

Error message in passkeys.js:79:28
Uncaught (in promise) Error: Permission denied to access property "then"
    handler moz-extension://89d5f994-cc8a-47ee-a6d6-b044b4bcc9a4/content/passkeys.js:79
    r https://s.pximg.net/accounts/assets/initializer.488660abbac1c9160ec9.js:1
    postMessageToExtension moz-extension://89d5f994-cc8a-47ee-a6d6-b044b4bcc9a4/content/passkeys.js:88
    postMessageToExtension moz-extension://89d5f994-cc8a-47ee-a6d6-b044b4bcc9a4/content/passkeys.js:72
    create moz-extension://89d5f994-cc8a-47ee-a6d6-b044b4bcc9a4/content/passkeys.js:151
    t https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    l https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    _invoke https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    m https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    Hb https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    Vb https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    t https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    l https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    _invoke https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    m https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    promise callback*r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    promise callback*r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    h https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    Ve https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Qe https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Sr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Sr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Er https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Rr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    De https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Rr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Rr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    en https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Zt https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    unstable_runWithPriority https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:30
    Hi https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Me https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Jt https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    r https://s.pximg.net/accounts/assets/initializer.488660abbac1c9160ec9.js:1
    _wrapEventTarget https://s.pximg.net/accounts/assets/initializer.488660abbac1c9160ec9.js:1
    oe https://s.pximg.net/accounts/assets/initializer.488660abbac1c9160ec9.js:1
    _r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Cr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Tr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Tr https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    Zc https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    _reactRootContainer https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    ts https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    render https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:22
    t https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    l https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    _invoke https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    m https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:6
    r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    promise callback*r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    promise callback*r https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    u https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    i https://s.pximg.net/accounts/assets/commons.f68e7108ea0b815d7215.js:1
    dk https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    410 https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    410 https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:8
    r https://s.pximg.net/accounts/assets/runtime.f9cf1b271486438e0191.js:1
    c https://s.pximg.net/accounts/assets/runtime.f9cf1b271486438e0191.js:1
    a https://s.pximg.net/accounts/assets/runtime.f9cf1b271486438e0191.js:1
    <anonymous> https://s.pximg.net/accounts/assets/app.c2e7c117343a1a39c47a.js:1
passkeys.js:79:28

The passkey was created in KeePassXC, but Pixiv fails on the registration ("An error occurred. Please reload the page and try again.").

@wichtounet
Copy link

wichtounet commented Jun 27, 2024

Before, I was able to create and use a passkey on accounts.google.com but it does not work anymore. I have upgraded Keepass and Google Chrome to the latest versions but it did not change anything.

The only thing I see is "no logins found" even though my passkey is present in the database and the URL appears to be correct.

Edit: It's even weirder because I have multiple Google accounts and another one works with the passkey, but not the first one :(

@varjolintu
Copy link
Member

@wichtounet That sounds a bit weird. Do you have multiple passkeys defined under the problematic account? I think the creation should fail for every account if there's a systematic problem. You can enable debug logging from the browser and see if the public keys created have some differences. It could help narrow down the issue. (Do not paste them here without omitting important data)

@wichtounet
Copy link

@varjolintu I have two passkeys, each for a different email. I have looked into the debug messages. One thing I have noticed is that for the passkey that works, one of the challenges is matching KPEY_PASSKEY_CREDENTIAL_ID. For the passkey that does not work, nones of the challenges is matching this value. Should I regenerate the passkey that does not work?

@varjolintu
Copy link
Member

@wichtounet That's worth trying.

@wichtounet
Copy link

@varjolintu Updating the passkey did the trick! I must have done something dumb to break it. Thanks!

@1nj0k
Copy link

1nj0k commented Jul 5, 2024

Browser Passkey Action URL Website error KeepassXC error Notes
Firefox, Chromium Create x.com

@uprprc777
Copy link

I had no issues creating a passkey and logging into my PlayStation account. However, I decided to remove the passkey and stopped using it because PlayStation disables other login methods, including your password, when a passkey is enabled. This limitation doesn’t make any sense to me.

@PAStheLoD
Copy link

One more Microsoft/Live.com doesn't work datapoint.

I got prompted from Skype's web version to try to enroll, the URL even had passkey in it, anyway ... on both Firefox and Brave I only get the macOS (Sonoma 14.6) native prompt. (On Brave when I cancel the native prompt Brave offers to save the passkey in a few places: iCloud Keychain, phone/tablet, brave profile, USB security key.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests