Cannot register YubiKeys as passkeys for passwordless login

I’m facing a strange issue: I cannot register YubiKeys (I’m using the 5 Series and have four of them) as passkeys on any Discourse forum. I’m able to register my Android phone’s passkey and my password manager’s passkey successfully.

When I try to register a YubiKey I always get the error below:

However, a resident key is created on my YubiKey. I confirmed it with ykman fido credentials list.

This key, obviously, does not work when I try to log in again.

Subsequently, I tried to register the key on my own Discourse installation to check the logs, and this is the error I see:

COSE::MalformedKeyError (Malformed CBOR key input) lib/discourse_webauthn/registration_service.rb:161:in `extract_public_key_and_credential_from_attestation' lib/discourse_webauthn/registration_servic

I want to understand whether this is a known issue, because I couldn’t find anything on the forum about YubiKeys not working. If not, I’d be happy to share any further details that may be needed.

Not sure if a YubiKey would be a good candidate for a passkey; only the Bio?

Errors should not happen, though, and we should have a few YubiKeys to test. @pmusaraj will help triage this.

EDIT: The Bio does work as a passkey. Not sure anything but the Bio is suitable as a passkey? You only have one factor at that point.

Can you register these YubiKeys in a non-Discourse passkey application like GitHub, Google, or a test implementation like https://www.passkeys.io/?

@pmusaraj Yes, I have successfully registered them on Google, GitHub, Vercel, and a couple more services, and they work fine.

@sam The YubiKey 5 Series is a good candidate for a passkey because it combines something I know (the PIN) with something I have (the token itself). It won’t even list the resident keys without the PIN. The Bio series replaces the PIN with a biometric.

Thanks for checking @rishabhlakhotia. I see the errors in our logs on Meta, and the location of this failure is a general security key attestation function that hasn’t changed in four years. It’s used by the 2FA security key process as well.

Are you able to register the YubiKey as a two-factor authentication security key here on Meta?

What’s the output of ykman list?

My YubiKey 5 NFC (5.1.2) works fine as a passkey here on Meta.

I registered with Chromium and I can use it to log in with Chromium, Firefox, and Edge.

Any YubiKey with resident keys should be suitable, as the browser can enforce multiple factors on it: both the presence check (touching the key) and requiring the YubiKey PIN to be set.
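
The failing call in the log above, extract_public_key_and_credential_from_attestation, is the step where the server takes the authenticatorData out of the attestation object, walks past the RP ID hash, flags and signature counter to the attested credential, and decodes the CBOR-encoded COSE public key. The multi-factor point made a few posts up lives in the same structure: the UP (user present) and UV (user verified) flag bits, the latter only set once the YubiKey PIN (or a Bio fingerprint) has been provided. The Ruby below is an added example written for this thread, not Discourse's code (its registration_service.rb and the COSE::MalformedKeyError from the log are not reproduced): it hand-decodes the CBOR, reports the flags, validates the ES256 key including that the point really lies on P-256, and rejects a truncated coordinate. The RP ID meta.discourse.org, the AAGUID, the credential id and the generated key are constructed values, and MiniCBOR, MalformedKeyError, parse_authenticator_data, validate_es256_key, build_sample and BAD_KEY are names chosen here.

```ruby
# frozen_string_literal: true
require "openssl"
# Added example, not Discourse's code: parse WebAuthn authenticatorData, extract the
# attested credential's COSE public key and reject a malformed key at registration time.
class MalformedKeyError < StandardError; end

# Minimal CBOR decoder (RFC 8949 major types 0, 1, 2 and 5, definite lengths): enough for a COSE key.
class MiniCBOR
  def initialize(bytes); @b = bytes.b; @i = 0; end
  def read_item
    raise MalformedKeyError, "truncated CBOR" if @i >= @b.bytesize
    initial = @b.getbyte(@i)
    @i += 1
    major, arg = initial >> 5, read_arg(initial & 0x1f)
    case major
    when 0 then arg        # unsigned int (labels 1, 3 and their values)
    when 1 then -1 - arg   # negative int (labels -1, -2, -3 and alg -7)
    when 2 then take(arg)  # byte string (x and y coordinates)
    when 5 then arg.times.each_with_object({}) { |_, h| k = read_item; h[k] = read_item }
    else raise MalformedKeyError, "unsupported CBOR major type #{major}"
    end
  end

  def read_arg(info)
    return info if info < 24
    fmt = { 24 => "C", 25 => "n", 26 => "N", 27 => "Q>" }[info] or raise MalformedKeyError, "reserved CBOR length"
    take(1 << (info - 24)).unpack1(fmt)
  end

  def take(n)
    raise MalformedKeyError, "truncated CBOR" if @i + n > @b.bytesize
    @i += n
    @b.byteslice(@i - n, n)
  end
end

# Tiny CBOR encoder, just enough to build the constructed sample (all lengths stay below 256).
def cbor(v)
  case v
  when Integer then v >= 0 ? cbor_head(0, v) : cbor_head(1, -1 - v)
  when String  then cbor_head(2, v.bytesize) + v.b
  when Hash    then cbor_head(5, v.size) + v.map { |k, val| cbor(k) + cbor(val) }.join
  end
end

def cbor_head(major, n)
  n < 24 ? [(major << 5) | n].pack("C") : [(major << 5) | 24, n].pack("CC")
end

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40 # user present (touch), user verified (PIN/biometric), attested data
COSE_KTY, COSE_ALG, COSE_CRV, COSE_X, COSE_Y = 1, 3, -1, -2, -3
KTY_EC2, ALG_ES256, CRV_P256 = 2, -7, 1
P256 = OpenSSL::PKey::EC::Group.new("prime256v1")

def parse_authenticator_data(auth_data)
  auth_data = auth_data.b
  raise MalformedKeyError, "authenticatorData shorter than 37 bytes" if auth_data.bytesize < 37
  flags = auth_data.getbyte(32)
  result = { rp_id_hash: auth_data.byteslice(0, 32).unpack1("H*"),
             user_present: (flags & FLAG_UP) != 0, user_verified: (flags & FLAG_UV) != 0,
             sign_count: auth_data.byteslice(33, 4).unpack1("N") }
  return result if (flags & FLAG_AT).zero?
  raise MalformedKeyError, "attested credential data truncated" if auth_data.bytesize < 55
  cred_len = auth_data.byteslice(53, 2).unpack1("n")
  raise MalformedKeyError, "credential id truncated" if auth_data.bytesize < 55 + cred_len
  cose = MiniCBOR.new(auth_data.byteslice(55 + cred_len..)).read_item
  result.merge(aaguid: auth_data.byteslice(37, 16).unpack1("H*"),
               credential_id: auth_data.byteslice(55, cred_len).unpack1("H*"),
               public_key: validate_es256_key(cose))
end

# The step where a server raises a "malformed key" error: only a well-formed ES256 key whose point really lies on P-256 gets through.
def validate_es256_key(key)
  raise MalformedKeyError, "COSE key is not a CBOR map" unless key.is_a?(Hash)
  unless key[COSE_KTY] == KTY_EC2 && key[COSE_ALG] == ALG_ES256 && key[COSE_CRV] == CRV_P256
    raise MalformedKeyError, "kty/alg/crv is not EC2/ES256/P-256"
  end
  x, y = key[COSE_X], key[COSE_Y]
  raise MalformedKeyError, "x and y must be 32-byte strings" unless [x, y].all? { |c| c.is_a?(String) && c.bytesize == 32 }
  OpenSSL::PKey::EC::Point.new(P256, OpenSSL::BN.new("\x04".b + x + y, 2)) # raises unless the point is on the curve
  { alg: "ES256", x: x.unpack1("H*"), y: y.unpack1("H*") }
rescue OpenSSL::OpenSSLError
  raise MalformedKeyError, "point is not on P-256"
end

# Constructed sample standing in for a YubiKey's attested credential: a fresh P-256 key, an assumed RP ID,
# and placeholder AAGUID and credential id (none of these are real device values).
def build_sample(flags: FLAG_UP | FLAG_UV | FLAG_AT, cose_key: nil)
  cose_key ||= begin
    pub = OpenSSL::PKey::EC.generate("prime256v1").public_key.to_bn.to_s(2) # 0x04 || x || y
    { COSE_KTY => KTY_EC2, COSE_ALG => ALG_ES256, COSE_CRV => CRV_P256,
      COSE_X => pub.byteslice(1, 32), COSE_Y => pub.byteslice(33, 32) }
  end
  cred_id = Random.new(7).bytes(16)
  OpenSSL::Digest::SHA256.digest("meta.discourse.org") + [flags].pack("C") + [1].pack("N") +
    ([0xAA].pack("C") * 16) + [cred_id.bytesize].pack("n") + cred_id + cbor(cose_key)
end

# Constructed malformed key: x is 31 bytes, the kind of input the server must refuse.
BAD_KEY = { COSE_KTY => KTY_EC2, COSE_ALG => ALG_ES256, COSE_CRV => CRV_P256,
            COSE_X => Random.new(1).bytes(31), COSE_Y => Random.new(2).bytes(32) }
```

parse_authenticator_data(build_sample) returns the decoded fields with user_present and user_verified both true and the key's coordinates as hex; parse_authenticator_data(build_sample(cose_key: BAD_KEY)) raises MalformedKeyError with "x and y must be 32-byte strings", and a non-map key or truncated CBOR fails the same way. A server that wants a YubiKey to count as two factors checks user_verified at registration and on every later assertion; the key only sets that bit after the PIN has been entered.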

Yes, I have all four YubiKeys registered as security keys. To rule out any edge cases, I tried again by removing two of them as security keys and re-registering them as passkeys, but even that did not work.

I have a YubiKey 5C NFC (5.4.3), and I use the Chrome browser.

I know that if a key has a Security Key credential for a site, attempting to use it as a Passkey will fail; I’ve run into that.

But removing the Security Key and re-registering as a Passkey should work.
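
On the security-key-versus-passkey point just above, and the multi-factor point before it: the difference is expressed in the PublicKeyCredentialCreationOptions the server sends to the browser, and the standard WebAuthn mechanism behind "a key that already has a Security Key credential for the site fails as a Passkey" is excludeCredentials, the list of already-registered credential ids that an authenticator refuses to duplicate (the browser reports InvalidStateError). The Ruby below is an added example written for this thread, not Discourse's code: it builds those options for both kinds of credential and performs the clientDataJSON checks on the browser's response that precede any attestation parsing. The RP ID, origin, RP display name, attestation preference and the sample response are assumed values, and creation_options, verify_client_data, sample_client_data and ClientDataError are names chosen here.

```ruby
# frozen_string_literal: true
require "json"
require "securerandom"

# Added example, not Discourse's code: what the server hands the browser when registering a
# second-factor security key versus a passkey, and the clientDataJSON checks on the response.
RP_ID  = "meta.discourse.org"   # assumed RP ID for this example
ORIGIN = "https://#{RP_ID}"     # assumed origin the browser must report back

# WebAuthn carries binary fields as unpadded base64url.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# PublicKeyCredentialCreationOptions, as the hash the JSON sent to the browser is built from.
#   :security_key  non-resident credential; no user verification demanded (touch only)
#   :passkey       resident (discoverable) credential; user verification (PIN/biometric) required
# Every credential id already registered for the user goes into excludeCredentials, so an
# authenticator that already holds one of them refuses to create a second one. That is why a
# key registered as a security key cannot be re-registered as a passkey until the old
# credential is removed on the server.
def creation_options(kind:, user_id:, user_name:, existing_credential_ids: [], challenge: SecureRandom.random_bytes(32))
  selection = case kind
              when :passkey      then { residentKey: "required",    requireResidentKey: true,  userVerification: "required" }
              when :security_key then { residentKey: "discouraged", requireResidentKey: false, userVerification: "discouraged" }
              else raise ArgumentError, "unknown credential kind #{kind.inspect}"
              end
  {
    challenge: b64url(challenge),
    rp: { id: RP_ID, name: "Discourse Meta" },              # display name is illustrative
    user: { id: b64url(user_id), name: user_name, displayName: user_name },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],     # ES256, the algorithm a YubiKey 5 uses
    authenticatorSelection: selection,
    excludeCredentials: existing_credential_ids.map { |id| { type: "public-key", id: b64url(id) } },
    attestation: "none",                                     # assumed preference for this example
    timeout: 60_000,
  }
end

class ClientDataError < StandardError; end

# The response's clientDataJSON must name the create ceremony, echo the issued challenge exactly
# and come from our origin; anything else is rejected before the attestation is even looked at.
def verify_client_data(client_data_json, expected_challenge)
  data = JSON.parse(client_data_json)
  raise ClientDataError, "type is #{data['type'].inspect}, expected webauthn.create" unless data["type"] == "webauthn.create"
  raise ClientDataError, "challenge does not match the one issued" unless data["challenge"] == b64url(expected_challenge)
  raise ClientDataError, "origin #{data['origin'].inspect} is not #{ORIGIN}" unless data["origin"] == ORIGIN
  data
rescue JSON::ParserError
  raise ClientDataError, "clientDataJSON is not valid JSON"
end

# Constructed stand-in for the clientDataJSON a browser returns (not captured from a real browser).
def sample_client_data(challenge, origin: ORIGIN, type: "webauthn.create")
  JSON.generate(type: type, challenge: b64url(challenge), origin: origin, crossOrigin: false)
end
```

creation_options(kind: :passkey, ...) asks for a resident credential with userVerification "required", which is what makes the browser demand the YubiKey PIN before the key will create or use the credential; kind: :security_key asks for neither, so a touch alone suffices. Passing the user's existing credential ids in existing_credential_ids reproduces the failure described above, and dropping the old id from that list is the server-side half of "remove the Security Key, then register as a Passkey". verify_client_data rejects a foreign origin, a "webauthn.get" type, an unexpected challenge and unparsable input.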

UPDATE: Thanks to @supermathie’s reply, I just downloaded Firefox and tried to register the YubiKey, and it worked. I was able to register the same key that was giving an error in Chrome.

Interestingly, once it was registered in Firefox, I was able to log in using the same YubiKey in Chrome. I then repeated the same process in Chrome once again, but got the same error.

I think we can narrow down the problem somewhat.

Can you let us know the Chrome and Firefox versions you tried?

Chrome Version 120.0.6099.234 (Official Build) (arm64) and Firefox Version 122.0.1 (64-bit)

Faced the same issue just now with a YubiKey 5C NFC (5.4.3) and a YubiKey Security Key (the blue one) in the Arc browser, i.e. Chromium (122.0.6261.57), on macOS.

I did the same with Safari and it worked just fine. And just like in your case, using those passkeys raised no issues in the Chromium browser either.

Hi, I’m so glad I found this thread! I was desperately trying to add my YubiKey on a Discourse instance, which wasn’t working correctly — so I thought, well, maybe these guys are self-hosting and have a configuration error of some sort. Then I thought I could Google for it — and saw that meta.discourse.org seemed to have mentioned this at some point.

Unfortunately, my attempt to set things up in Brave (Chromium) utterly failed, as before, and just like the OP reported.

Here is my setup:

  • macOS Big Sur 11.7.9 (20G1426) running on an ancient Apple MacBook Pro.
  • YubiKey 5 NFC Firmware: 5.4.3

Browsers:

  • Brave [Chromium] Version 1.73.91 Chromium: 131.0.6778.85 (Official Build) (x86_64)
  • Safari: [WebKit] 16.6.1 (16615.3.12.11.5, 16615)
  • Firefox: [Gecko] 133.0
  • Microsoft Edge: [Chromium] Version 131.0.2903.70 (Official build) (x86_64)

So, I launched Safari and proceeded to add a passkey. I started with a software-based passkey, which Safari liked and Discourse accepted; then, additionally, I tried to add the YubiKey 5 NFC as a passkey and as an additional 2FA confirmation — and Discourse had no problems accepting everything!

Once that was configured, I tested with Firefox, and it worked immediately; the same happened with Microsoft Edge. And when I returned to Brave, it now worked with the YubiKey without any fuss at all.

It seems like the only issue that Discourse has is with the initial communication with the key (or, rather, whatever enables the key to be ‘visible’ to the browser) in Chromium-based browsers. Once that key is assigned to Discourse, it will easily be accepted by any other browser. I didn’t try it out on Safari for iOS (YubiKey 5 NFC definitely works with it as well), but I seriously suspect that it won’t have any issues there, either.

Now I’ll have to go back to those many Discourse setups I had joined without success and see if they work now! :smile_cat: