Cannot register Yubikey as passkeys for passwordless login

I’m facing a strange issue - I cannot register Yubikeys (I’m using series 5, and have 4 of them) as passkeys on any Discourse forum. I’m able to register my Android phone’s passkey and my Password Manager’s passkey successfully.

When I try to register Yubikey I get the below error, always:

However, a resident key is created on my Yubikey. I confirm it with ykman fido credentials list.

This key, obviously, does not work when I try to log in again.

Subsequently, I tried to register the key on my own Discourse installation to check the logs and this is the error that I see:

COSE::MalformedKeyError (Malformed CBOR key input) lib/discourse_webauthn/registration_service.rb:161:in `extract_public_key_and_credential_from_attestation' lib/discourse_webauthn/registration_servic

I want to understand if this is a known issue because I couldn’t find anything on the forum regarding Yubikey not being able to work. If not, I’d be happy to share any more details that may be needed.

1 Like

Not sure if a yubikey would be a good candidate for a passkey, only the bio?

Errors should not happen though and we should have a few yubikeys to test. @pmusaraj will help triage this.

EDIT The bio does work as a passkey. Not sure anything but the bio is suitable as a passkey? You only have 1 factor at that point.

1 Like

Can you register these yubikeys in a non-Discourse passkeys application like GitHub, Google or a test implementation like https://www.passkeys.io/?

1 Like

@pmusaraj Yes, I have successfully registered them on Google, GitHub, Vercel, and a couple more services and they work fine.

@sam Yubikey Series 5 is a good candidate for passkey because it combines something I know (PIN) and something I have (the token itself) to use as a passkey. It won’t even list the resident keys without the PIN. The bio series replaces the PIN with biometric.

3 Likes

Thanks for checking @rishabhlakhotia. I see the errors in our logs on meta and the location of this failure is a general security key attestation function that hasn’t had any changes since four years ago. It’s used by the 2FA security key process as well.

Are you able to register the Yubikey as a two-factor authentication security key here on meta?

1 Like

What’s the output of ykman list?

My YubiKey 5 NFC (5.1.2) works fine as a passkey here on Meta.

I registered with Chromium and I can use it to log in with Chromium, Firefox, and Edge.

2 Likes

Any Yubikey with resident keys should be suitable, as the browser can enforce multi-factor on it: both the presence check (touch the key) and the Yubikey PIN to be set.

4 Likes
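Added example, not part of any post in this thread and not Discourse's own code: a relying-party check that a passkey ceremony really carried both factors discussed above, read from the flags byte of the WebAuthn authenticator data (UP = touch, UV = PIN or biometric). It also splits out the credential ID and the trailing bytes that hold the CBOR-encoded COSE public key, followed by extension data when the ED flag is set. The function names, the `forum.example` RP ID and the sample bytes are assumptions constructed for illustration.

```ruby
require "digest"

FLAG_UP = 0x01 # user present (key was touched)
FLAG_UV = 0x04 # user verified (PIN or biometric)
FLAG_AT = 0x40 # attested credential data included
FLAG_ED = 0x80 # extension data included

# Split authenticator data into the fixed 37-byte header and, when AT is set,
# the AAGUID, credential ID and the remaining bytes (COSE key, then extensions).
def parse_auth_data(raw)
  bytes = raw.b # force binary so comparisons with digests behave
  raise ArgumentError, "authenticator data too short" if bytes.bytesize < 37
  flags, sign_count = bytes.byteslice(32, 5).unpack("CN")
  out = {
    rp_id_hash: bytes.byteslice(0, 32),
    user_present: (flags & FLAG_UP) != 0,
    user_verified: (flags & FLAG_UV) != 0,
    attested: (flags & FLAG_AT) != 0,
    extensions: (flags & FLAG_ED) != 0,
    sign_count: sign_count
  }
  return out unless out[:attested]
  raise ArgumentError, "attested credential data truncated" if bytes.bytesize < 55
  cred_len = bytes.byteslice(53, 2).unpack1("n") # big-endian length
  raise ArgumentError, "credential ID truncated" if bytes.bytesize < 55 + cred_len
  out[:aaguid] = bytes.byteslice(37, 16)
  out[:credential_id] = bytes.byteslice(55, cred_len)
  out[:key_and_extensions] = bytes.byteslice(55 + cred_len, bytes.bytesize)
  out
end

# Passwordless policy: right site, touch, and PIN/biometric all required.
def passkey_ceremony_ok?(auth_data, expected_rp_id)
  d = parse_auth_data(auth_data)
  d[:rp_id_hash] == Digest::SHA256.digest(expected_rp_id) &&
    d[:user_present] && d[:user_verified]
end

# Constructed sample: zero AAGUID, credential ID "cred", one-byte CBOR empty
# map (0xA0) standing in for a real COSE key.
def sample_auth_data(flags)
  header = Digest::SHA256.digest("forum.example") + [flags, 1].pack("CN")
  return header if (flags & FLAG_AT) == 0
  header + ([0] * 16).pack("C*") + [4].pack("n") + "cred".b + [0xA0].pack("C")
end

puts passkey_ceremony_ok?(sample_auth_data(FLAG_UP | FLAG_UV | FLAG_AT), "forum.example")
puts passkey_ceremony_ok?(sample_auth_data(FLAG_UP | FLAG_AT), "forum.example")
```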

Yes, I have all four Yubikeys registered as Security Keys. To possibly avoid any edge cases, I tried again by removing two of them as security keys to re-register them as passkeys, but even that did not work.

I have YubiKey 5C NFC (5.4.3), and I use Chrome browser.

I know that if a key has a Security Key credential for a site, attempting to use it as a Passkey will fail, I’ve run into that.

But removing the Security Key and re-registering as a Passkey should work.

1 Like

UPDATE: Thanks to @supermathie’s reply, I just downloaded Firefox and tried to register the Yubikey and it worked. I was able to register the same key which was giving an error in Chrome.

Interestingly, once registered on Firefox, I was able to log in using the same Yubikey on Chrome. I then repeated the same process once again on Chrome but got the same error, once again.

I think we can narrow down the problem somewhat.

3 Likes

Can you let us know the Chrome & FF version you tried?

2 Likes

Chrome Version 120.0.6099.234 (Official Build) (arm64) and Firefox Version 122.0.1 (64-bit)

1 Like

Faced the same issue just now with a YubiKey 5C NFC (5.4.3) and a YubiKey Security Key (the blue ones) with Arc Browser i.e. Chromium (122.0.6261.57) on macOS.

I did the same with Safari and it worked just fine. And just like in your case, using those Passkeys raised no issues with the Chromium browser as well.

2 Likes