Unknown COSE algorithm encountered. alg: -257

Hi,

One of my users can’t log in with 2FA using a hardware key.

After pressing the button on the key during login, Windows 10 asks for a PIN.
After entering the PIN, he receives the error “The algorithm used for the security key is not recognized.”. I checked, it’s the i18n key webauthn.validation.unknown_cose_algorithm_error.

Server logs this as an error:

Unknown COSE algorithm encountered. alg: -257. user_id: <redacted>. params: <ActionController::Parameters {"signature"=>"<redacted>", "clientData"=>"<redacted>", "authenticatorData"=>"<redacted>", "credentialId"=>"<redacted>"} permitted: false>

A quick Google search only found this:

So it probably needs to be implemented, but strangely the user somehow managed to set it on the account?
Not sure if I can fix it from the forum’s admin side without a code change.

I’m using the recommended standalone Docker install with version 2.7.0.beta3. I rebuilt the forum and updated it less than 1h before creating this thread.

1 Like

That’s strange. Can they log in with 2FA and this hardware key on other webapps? Any ideas @dan?

1 Like

Can you share the security key model and browser version?

3 Likes

Will be interesting to see which algorithm is missing from:

https://github.com/cedarcode/cose-ruby/tree/master/lib/cose/algorithm

I am guessing this one: https://github.com/cedarcode/cose-ruby/issues/48 EdDSA.

If we have the model and OS of the dev.

Maybe it is this thing? https://blockchain2fa.io/

I guess you can use blockchains for anything.

4 Likes

This is a limitation of the cose-ruby library we use, as @sam pointed out. It supports only these algorithms:

https://github.com/cedarcode/cose-ruby/blob/master/lib/cose/algorithm.rb#L29-L39

According to the error message, that security key is using algorithm “-257” which stands for RS256 and is not recommended. That is probably the reason why the library does not implement it.

What device are you trying to use for authentication?

5 Likes
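
A WebAuthn credential public key is a CBOR-encoded COSE_Key whose label 3 carries the algorithm identifier this thread is about (-257 is RS256). As an added example that is not part of any post and is not Discourse or cose-ruby code, the Ruby below reads that label from constructed sample keys and checks it against `ALLOWED_ALGS`, a hypothetical allow-list chosen for illustration; `read_cbor` and `cose_key_alg` are names introduced here.

```ruby
# Added example (not Discourse or cose-ruby code): read "alg" from a CBOR COSE_Key.
COSE_ALG_NAMES = { -7 => "ES256", -8 => "EdDSA", -37 => "PS256", -257 => "RS256" }.freeze
# Assumption: allow-list chosen for this example, not cose-ruby's actual list.
ALLOWED_ALGS = [-7].freeze
# Decode one CBOR item starting at pos; returns [value, next_pos].
def read_cbor(bytes, pos)
  head = bytes[pos] or raise ArgumentError, "truncated CBOR input"
  major, info = head >> 5, head & 0x1f
  pos += 1
  if info < 24
    arg = info                                  # argument stored inline
  elsif info <= 27
    len = 1 << (info - 24)                      # 1, 2, 4 or 8 following bytes
    raise ArgumentError, "truncated CBOR input" if pos + len > bytes.size
    arg = bytes[pos, len].inject(0) { |acc, b| (acc << 8) | b }
    pos += len
  else
    raise ArgumentError, "unsupported CBOR additional info #{info}"
  end
  case major
  when 0 then [arg, pos]                        # unsigned integer
  when 1 then [-1 - arg, pos]                   # negative integer, e.g. -257
  when 2, 3                                     # byte string / text string
    raise ArgumentError, "truncated CBOR input" if pos + arg > bytes.size
    [bytes[pos, arg].pack("C*"), pos + arg]
  when 5                                        # map of arg key/value pairs
    map = {}
    arg.times do
      key, pos = read_cbor(bytes, pos)
      value, pos = read_cbor(bytes, pos)
      map[key] = value
    end
    [map, pos]
  else
    raise ArgumentError, "unsupported CBOR major type #{major}"
  end
end

# COSE_Key labels: 1 = kty (key type), 3 = alg (algorithm identifier).
def cose_key_alg(cose_key)
  key, = read_cbor(cose_key.bytes, 0)
  raise ArgumentError, "COSE_Key must be a CBOR map" unless key.is_a?(Hash)
  alg = key[3]
  { kty: key[1], alg: alg, name: COSE_ALG_NAMES.fetch(alg, "unknown"),
    allowed: ALLOWED_ALGS.include?(alg) }
end
# Constructed sample keys (placeholder RSA modulus, EC coordinates omitted).
RSA_KEY = ["a401030339010020" "44deadbeef" "2143010001"].pack("H*")
EC_KEY  = ["a3010203262001"].pack("H*")
```

Running `cose_key_alg` over stored credential keys shows which accounts registered an algorithm the verifier cannot handle before those users hit the login error.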