[Feedback] Passkeys for passwordless authentication

[hpsin]

We've taken passkeys from a public beta to general availability, with all users able to set up and use a passkey.

This discussion is to track known ecosystem issues and get your feedback about passkeys. Previous feedback from the beta can be found here.

Known issues

• Some browsers and operating systems may not allow you to upgrade an existing security key registration to a passkey. If you receive an error during the upgrade flow, you should delete the security key from your GitHub account and then register your authenticator as a passkey by clicking "Add a passkey".
• Some browsers will show old security keys (i.e. Touch ID) in the password autofill section, but GitHub won't accept them. These keys have not been registered as passkeys and do not sync, but we cannot delete them from your device. To fix this, ensure that the device is registered as a passkey and then in your device settings, delete the old security key registration.
• If you have not set up Windows Hello, your browser may not tell GitHub.com that you have an available passkey. If you see a warning that your browser doesn't support passkeys, and you are on Windows, try setting up Hello and trying again, or use a passkey on another device.
• If you use Firefox and a hardware security key, you might get an error during setup or upgrade indicating Passkey registration failed. This cannot be used as a passkey. This is because Firefox doesn't support setting up the PIN for a hardware key. If you encounter this issue, you have to set up the PIN yourself, using an app like Yubico Authenticator to manage the key directly, before trying again.

Filing a report

If you've encountered a bug or undesirable behavior with how GitHub interacts with your device's passkey support , it's really helpful to know your operating system and browser version, I.e. Mac OS Ventura 13.5.2, Google Chrome 117.0.5938.62.

You can learn more about passkeys at these useful links:

• About Passkeys
• Launch blog post
• Chrome's OS support matrix in case you see a warning that passkeys aren't supported in Chrome.

[schwa]

Excited to see this. Tried to enable it on my current account (that currently uses authenticator app). Turned on in browser (Safari Version 17.0 (19616.1.27.111.16) on M1 Mac Studio running 14.0 (23A339)). Turned on passkey as an authenticator (this might have been a mistake but it wasn't too clear whether to use this or not). Logged out. Got an error dialog trying to log back in "Unable to sign in with your passkey. Please sign in with your password."

Logged back in the normal way with credentials stored in Safari (which is tricky because Safari is convinced I should be using the passkey)

Turned OFF passkey as an authenticator. Logged out. Tried again. Same error. Logged in via password instead…

Tried on iPhone and WAS able to log in with Mobile Safari and Passkey. Issue seems limited to Mac Safari for me.

[mlbuck]

I am quite disappointed. I am experiencing problems as many state in this thread. It is now 7 months later and nothing has changed. What needs to happen to get GitHub to fix this? If they don't intend to support PassKeys, they should remove the illusion that they do. I am running a new Mac with all updated software. I would like to see this work, but I can't see anything that I can do to help this along. Does anyone have any suggestions?

[simX]

This is also still happening to me, and the for the first time, the dedicated "Sign In With Passkey" button no longer works for me on macOS 14.4.1 and Safari 17.4.1. That also generates the "Unable to sign in with your passkey. Please sign in with your password." error. Now I am forced to sign in with my password, and then it also requires me to sign in with the passkey after that, at which point it works.

None of this happens on Safari on iOS, passkeys seem to work perfectly fine there.

[arpitjain099]

Understanding how gh communities work. thank you for sharing

[Themeuz]

WEEEEEEEEEEE
🚀🚀🚀🚀🚀🚀

[astrowonk]

I have a similar issue as @simX : neither the safari-autofil nor the "sign with passkey" button works. I have to use my password then my 2FA code.

[yashgorana]

Love this! Is there a way we can remove password from the account and go completely passwordless?

[hpsin]

@Firstyear I'd love to grab some more detail on why non-rk is considered the definition of passwordless. If you'll be at one of the upcoming summits such as the passwordless summit or Authenticate would be great to go in depth.

[Firstyear]

Hey there,

I'm Australian so I wont be attending either (I am not comfortable to enter the US due to a preexisting medical issue).

I'd be happy to talk more via email though if you want - it's on my profile :)

[JetForMe]

I, too, would like to be able to disable password authentication. I'm not sure what benefit passkeys provide if someone can still authenticate using less-secure methods.

[Frederick888]

I agree with @Firstyear.

Worth saying passwordless within webauthn specifically means non-resident authenticators as a self contained MFA

According to https://www.w3.org/TR/webauthn-2/#sctn-authenticator-taxonomy:

Passwordless multi-factor authentication requires an authenticator capable of user verification, and in some cases also discoverable credential capable.

And 'user verification' is:

The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary].

So I think for example, if you type in your username and then use a 'user-verifying platform authenticator', e.g. fingerprint sensor on your laptop/phone + a security chip, with or without a resident key aka. client-side discoverable credential, it's already considered MFA.

Same goes for things like YubiKey Bio and PIN + touch:

User-verifying platform authenticators and first-factor roaming authenticators enable passwordless multi-factor authentication. In addition to the proof of possession of the credential private key, these authenticators support user verification as a second authentication factor, typically a PIN or biometric recognition. The authenticator can thus act as two kinds of authentication factor, which enables multi-factor authentication while eliminating the need to share a password with the Relying Party.

I'm not quite sure why in the table 'first-factor roaming authenticator' is defined as having 'client-side credential storage' though. I think whether the authenticator is user verification-capable is more important.

@Firstyear I'd love to grab some more detail on why non-rk is considered the definition of passwordless

I think @Firstyear meant non-rk is considered one of the forms of passwordless.

[Firstyear]

The problem here also is that there are a whole bunch of different terms in webauthn that have confusing or overlapping meanings. Passkeys for example, have 4 different definitions, all in use by various production IAM providers, with different behaviours.

Passwordless in webauthn actually specifically means non-resident keys as a self contained MFA. RK can exist, but it's opportunistic. It's because in webauth passwordless was the goal for a long time (mainly when security keys were the most common authenticator class), but then passkey hype took over and now everyone wants to force rk's everywhere so the definition fell by the wayside. Passkeys in the "common" definition forces rk's which pretty much excludes security keys.

I'm not quite sure why in the table 'first-factor roaming authenticator' is defined as having 'client-side credential storage' though. I think whether the authenticator is user verification-capable is more important.

It's because "one definition" of passkeys enforces credential storage in the device (resident keys) which allows the user-id to be stored in the credential. so you don't need a username entry, you just "pick the passkey" and it identifies and authenticates you. It also ties in with certain vendors attempts to lock you in to their synced passkey systems and browser features around username autocomplete (see conditional ui).

However, the flip side is that most of these workflows are actually pretty janky and confuse users. "Yes please I'd love to pick up my phone, scan a qr code and wait 30 seconds for it to authenticate me" (btw this workflow is an accessibility nightmare ... ). It also completely alienates and breaks security keys since they have so little rk storage, and now the browsers are pushing their sync ui's in front of security keys to make it extra clicks adding "forced friction". I already know of people who can't use passkeys because a certain cloud provider forces rk and it bricked their keys.

Generally the people pushing passkeys as resident keys are making assumptions that you are "all in on chrome+android" or "all in on safari and iphone" or "all in on edge and windows". But none of them account for the reality that people use android + mac with firefox, or other combinations, which means that none of these passkey sync mechanisms will interoperate. For example, my partner (a surgeon) has an iphone, a windows machine, and uses chrome. None of these can sync keys with each other, and so there is no passkey provider that would work except security keys - and we can't use those because rk obsession means we'll fill the devices up in no time. Can you imagine her needing to juggle 4 yubikeys to find which one she needs? She has ~80 accounts in her pw manager, and this is a nightmare. Once passkey hype kicks in, this will be the future for her.

Anyway, so passwordless is what we should be pursuing where the keys are opportunistically rk (iphone always makes rk even under discouraged for example). This way you still prompt with a username field. You can use conditional ui to opportunistically allow rk's to complete the username + authentication in one go. And then for users without those rk's such as yubikeys, you allow the username prompt to complete and then do the webauthn challenge with the credential id list set as normal for that user.

[supermarin]

Tried to add a Yubikey 5c on Safari and Firefox on macOS, and on Firefox on Linux. Getting 422 with this error:

[Firstyear]

(Which incidentally why I have been repeatedly warning about rk's being required/preferred rather than discouraged since it can lead to devices filling their extremely limited storage, rather than rk being opportunistic to allow flows ontop of passwordless. )

[hagould]

I'm currently not using any TOTP slots on the key, only FIDO2 and PIV

Related to that storage space issue I mentioned, if you've hit max storage on your yubikey then it won't let you create the type of webauthn credential that we'd accept as a passkey.

You could check if that's the issue using the yubikey CLI depending on your hardware key version.

Edit: what @Firstyear said.

[Firstyear]

Oh another gotcha. Only CTAP 2.1PRE and 2.1 support credential management. If your key is older (like mine) and is CTAP2.0 only, you CAN NOT list rk's, and you can never delete them. Meaning you're "stuck". You'll see this if ykman errors with Error: Authenticator does not support Credential Management. If you get that, then you pretty much can't do anything at all. 🙃

[xz-dev]

I have same problem, but when I set a PIN for FIDO2.
It's working fine, I don't know why GitHub need the PIN set, because other website never care about that.

[Frederick888]

@xz-dev cos the PIN counts as a 'factor': https://www.w3.org/TR/webauthn-2/#authentication-factor-capability

[wfjsw]

It seems I cannot setup Windows Hello as a passkey as Windows only allows me to provision a USB key:

though Security Key via Windows Hello works fine.

Windows 11 Pro 22H2 (22621.2283)
Chrome 116.0.5845.188

[Firstyear]

You need a tpm on machine and a PIN enabled for win hello to work without the security key.

[wfjsw]

I'm pretty sure I have a TPM and a PIN and the passkey features works elsewhere, for example, Google.
I believe that if I don't have a TPM I can't even setup Security Key via Windows Hello.

[hagould]

Two possible problems:

• Windows hello isn't properly configured - you can try these instructions to see if this applies to you
• If you already have a security key registration via Windows Hello for GitHub, it will stop showing the "full" registration dialogue since it assumes you don't need it anymore. Deleting your existing security key should unblock you from registering a non-USB passkey

[wfjsw]

Can confirm that removing the existing security key first works :)

[amandabot]

I'm not able to set up a passkey on an Android device. After going through the setup on GitHub, following the push notification steps, and entering my phone PIN, I see "Passkey registration failed."

Android 11
Chrome 117.0.5938.60

I was able to set one up with MacOS + Chrome and Windows 11 + Chrome without issue. I tried setting it up on my device from the Windows computer, but that also resulted in a failed registration. I saw this error in the browser console at that time:

webauthn-create.ts:295 Uncaught (in promise) DOMException: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

[jrdnvasquez]

Pixel 7 Pro with Android 13. I am also hitting this error.

[amoosbr]

I also wasn't able to use passkeys on my Pixel 6 Pro and my new phone with my main Google Account. But it was working with another account, I just setup.
During the setup for the new account, I recognized Chrome requiring me to enable "Screen Lock" under Settings -> Password Manager.

What fixed the issue for me now, was to manually disable the Screen Lock setting for my main account (had this manually enabled before) and then starting the passkey registration on e.g GitHub. In the process of creating the passkey, I was the asked to enable screen lock again and the registration went through successfully. Tested the registration with latest Chrome on Android 14.

Hope it will fix the issue for others as well.

This is the setting to disable first:

[cschiller]

This worked. Thanks!

[fuhrmanator]

I tried all of the steps proposed by @amoosbr, but I still get the webauthn-get-element.ts:187 Uncaught (in promise) DOMException: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client. error in the console.

I'm on Android 10 with a Samsung S9 OneUI (old, I know).

[FrankSzendzielarz]

Likewise. Android device stopped working for roaming passkey registration and cannot see why. Tested everything i can think of.

[rogercreagh]

Please help by explaining two things - I have read all the docs and posts but I cannot find an answer. I use a linux (ubuntu 22.04) laptop and edge browser.

1. When I click on add a passkey in my account settings I get Your device supports passkeys, a password replacement that validates your identity using touch, facial recognition, a device password, or a PIN. OK that sounds good. Password or PIN would be ok - there is no fingerprint sensor or camera on the laptop.
   I then click on the green Add Passkey button and a popup tells me I have to use an Android phone or a usb key. Having no idea what a usb key is (side questions: is it simply any old usb memory stick? How big does it have to be? Can I store other stuff on it as well and use it as normal? Does it have to be in the machine all the time I am on github?) I click on Android phone.
   It shows me a QR code which I scan with an app on the phone but what do I with it? It contains FIDO:/ followed by loads of numbers.
   what am I supposed to do with this?
   it asked me on the laptop to turn on bluetooth - does bluetooth also have to be on on the phone? Do I have to somehow link the phone to the laptop using bluetooth. There seem to be no further instructions and all I have is an incomprehensible QR code.

2. how is this gong to enable me to log in without a password on the laptop. Do I have to have the laptop connected to the phone in some way? If so isn't this even more stupid and cumbersome than having to send a text message to the phone with a code that I then have to type in on the laptop, That seems to me a completely pointless faff.

Thirdly can someone answer if I don't set up 2FA or a passkey will I still be able to report bugs and contribute to discussions on github projects with a simple password. It is proving so difficult to understand all the unexplained stuff in your 2FA docs that I am thinking that it'll be easier simply to stop using github for my own code.

[hagould]

if I don't set up 2FA or a passkey will I still be able to report bugs and contribute to discussions on github projects with a simple password

If you've been asked to enable 2FA by GitHub, and not by an organization that you belong to, then you won't be able to contribute on GitHub after the deadline if you haven't enabled 2FA. Passkey registration is separate from our 2FA rollout, so you can completely ignore it if you want. You just need to enable 2FA from your user settings. Passkeys are more like an additional benefit on top of 2FA to make your life easier. There are benefits to using passkeys without 2FA too but we're not asking or forcing anyone to do that.

If you're still interested in passkeys:
Linux doesn't support platform authentication yet, which is why you only saw the phone or USB options. USB is specifically referring to a "hardware security key" like a yubikey.

The QR code: you would have to scan it with your phone's camera. If your phone has passkey and bluetooth support then you could register a passkey for login. It's similar to the SMS flow that you described except using bluetooth - the benefit is better account security for folks that want it, and additional convenience for 2FA users or folks that don't like managing their passwords.

[Firstyear]

@hagould You should likely feed this back to the chrome team since the UI referenced by @rogercreagh is part of the browser, and this kind of usability issue will likely come up more often.

[rogercreagh]

Thanks you @hagould that was clear and most helpful (if not quite what I hoped to hear)

[MaxHelios]

Excellent news!

May I suggest adding the ability to enable 2FA for specific passkeys?
For example: use Yubikey for a passkey and TOTP for 2FA.

[MaxHelios]

Indeed. Still, even though it is not the same as keeping passwords and TOTP keys in the same password manager, it is a single vendor.
Well, that is my paranoid mind speaking.
In most cases, adding another 2FA for passkeys is overkill. But something good to have, even if not now or in the near future.

As a side note, it is quite cumbersome to use YubiKey with resident keys for git access on Windows. Because it requires 5+ confirmations for "git push". Because SSH on Windows does not support the ControlMaster option.

[hpsin]

Huh, TIL, and I was on the team that added openSSH to Windows... Looking over some older issues from e.g. @roblourens looks like it's a deep compat issue with Windows itself.

Would a non-rk registration be easier to use? That's a bit surprising to me, but certainly it's something we want to make a good experience.

[MaxHelios]

Would a non-rk registration be easier to use? That's a bit surprising to me, but certainly it's something we want to make a good experience.

Yes, non-residential keys can be stored in the SSH agent, removing the need to enter a password each time at the cost of less protection compared to residential keys.
For residential keys, the alternative is to use ControlMaster options with a short lifespan. For Windows, it is not an option. Well, it is possible to run a VM with Linux and proxy ssh through it. But...

Non-rk keys should protect against most attacks targeting credentials. And if there was an attack that was able to dump memory from the SSH agent and extract keys, then it could do much more damage than just steal credentials.

It seems I should reconsider my usage of rk and switch to non-rk instead.

(My paranoid mind does not make my life easier...)

[Arcturuss]

So you're absolutely correct - it's that we have trusted [the passkey] to perform the second factor auth, and compromise of your passkey provider can be a total compromise. Picking a secure provider is an important choice that we leave to the user, letting them balance convenience, reliability, and threat model.

Isn't it a bit misleading (or a lot misleading) to call it a 'second factor', if it's a single passkey and therefore a single factor?

[Firstyear]

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 section 5.1.9 defines multi-factor cryptographic devices.

[MaxHelios]

My small list of suggestions.

It would be handy to have the ability to test the passkey directly in your account settings.
For example, by adding a third button for passkey "Check/Test/Confirm" passkeys to the currently existing "Edit" and "Delete" buttons.
After clicking on it, GitHub must prompt the user to authenticate using a passkey. Once completed, inform the user if the passkey he used is the same one he tested.

Ability to add a passkey with a lifespan.

Backup passkey(s). A passkey that is not intended for frequent usage and must be opened first, with a specific time period set in the initialization stage and, optionally, a list of users who must be informed.
When the time begins to tick, GitHub shows a toolbar on every page, informing the user that one of his backup passkeys has been opened and in N days it will be usable for authentication. The user can delete the key before it becomes usable.
It is for passkeys stored outside the user's immediate control.

Periodically ask the user to check if he still has access to the passkey and if it is in a working condition by completing the test. If it is not already done. I never used keys for 2FA on GitHub. (pass+TOTP). And saw only messages about 2FA and backup codes.

[hagould]

adding a third button for passkey "Check/Test/Confirm" passkeys

You can actually do this today if you go to add a new passkey but auth with one of your existing ones.

The other suggestions are interesting, thank you for the feedback!

[hpsin]

Periodically ask the user to check if he still has access to the passkey and if it is in a working condition by completing the test. If it is not already done. I never used keys for 2FA on GitHub. (pass+TOTP). And saw only messages about 2FA and backup codes.

This is something we're looking at adding to the existing checkup period! Right now there's a "security checkup" that's pretty useless - "you have security keys" is not a direct call to action. We would like to periodically check second factor freshness and warn on severely out of date factors that look like they're unused.

Interestingly we do expire unused GitHub Mobile keys for authentication, which can lead to more lockouts since it kills a possible recovery factor.

[DerRockWolf]

Will it be possible to disable TOTP in the future?
To only be able to login with the passkey or with username+password and the passkey as 2FA.

[hagould]

The next step will be to allow users to essentially disable/delete their passwords, but we haven't gotten there yet. Today you still need 2FA to keep your account secure with passkeys.

[pm4rcin]

@hpsin is it still not possible to disable TOTP while having backup codes?

[pm4rcin]

@hagould could you answer my question here? If it's not possible is there any ETA?

[hagould]

It's not possible today - we may allow this in the future but there is no ETA for it.

[pm4rcin]

@hagould any plans for that or it's still not planned?

[John-Nagle]

I got a popup from Github today demanding an SMS authentication. I have 2FA set up with a Yubikey, a backup Yubikey, and a list of TOTP passwords. But there was no option to use the Yubikey. It insisted on SMS. My first reaction was to think this was some kind of phishing message.

If you've set up 2FA with a Yubikey, you should never be forced to use SMS.

[hagould]

We want to get there, but today we only accept an authenticator app or SMS number for your "primary factor" for 2FA. To reduce lockouts we've starting asking folks to authenticate with that factor (for you, SMS) a month after enrolling to make sure that it was successfully configured and to reduce account lockouts. If you'd gone with an authenticator app you would've had to prove you still had access to it in the same way.

We're are working towards allowing folks to enroll with just a webauthn credential, we'll likely have some requirements that we're still working out.

[thetooth]

I was able to setup and login while the beta was active but it seems there has been a recent change in the way webauthn is requesting the device on android chrome. If I tap sign in with a passkey I just get a window saying "there aren't any passkeys for github.com on this device", where as other sites are prompting for the type of passkey to use, NFC or USB. Works fine on all other platforms but now I have to use a computer to complain about free software.

[hpsin]

We haven't changed anything about the request, so that's not a good sign. If you open Chrome, and navigate to the password manager, and locate GitHub.com in the list, there should be a passkey listed at the bottom of that entry. Do you see that?

[jsoref]

Fwiw, I suspect I was in this category. I eventually deleted my things and started fresh. (This is a while ago, I'm here now because of another nudge.)

Note that the flows at the time didn't lead me to this discussions/the previous beta discussion.

[John-Nagle]

Today, not only did Github ask for SMS authentication again, and, as before, would not accept my Yubikey, it offered to redisplay my TOTP keys! Those are last-ditch credentials that were supposed to be sent once only! I printed them and put the printout in a safe deposit box. Now you're exposing them to anybody who can divert or steal my cell phone. This is really sloppy.

Need to get Schneier on Security to review Github's 2FA system.

[hpsin]

As written above, this is a verification step to ensure you've saved them properly. If you can't pass, we register new credentials. Yes, this does result in an opportunity where someone who has stolen your session (or your password and SMS) can re-register your 2FA credentials. That's also true of anyone who has stolen your password and SMS in general.

You are not required to register SMS, and if you do not want to use it, please do not register it.

[Logiar]

I had an issue when registering 1password as a passkey on Ubuntu 22.04 with Firefox 119.0 (64-bit).
I had to use my yubikey 5 nfc fips as a security key. So when I started the process I was asked for this to authorize it. It then asked me if I wanted to upgrade. I selected no, unplugged the yubikey and selected add passkey and gave it a nickname. This correctly registered 1password as a passkey, but it seems to also have removed my yubikey which was not what was expected.

[hpsin]

Oh, interesting, thank you! When we show the upgrade prompt we flag the presumed upgrading key for deletion on the next registration. We have to clear that when the upgrade is rejected. Cc @hagould

[hagould]

@Logiar This has been fixed for a bit! Let us know if you're having any other issues.

[magthe]

Are you planning on using passkeys for git too, i.e. to allow it instead of SSH keys?

[mittalyashu]

Correct me if I am wrong.

Behind the scenes, aren't Passkeys and SSH keys works the same way.

By using public and private key for authentication.

[Frederick888]

It seems Android (I'm using Android 13. Are these updates part of the 'Google Play system update'?) now requires discoverable/resident keys?

I used to be able to log into GitHub and other services by plugging in my YubiKey and using it only as the second factor. Now it just asks me to set up a PIN. If I refuse, the login fails.

Not sure about NFC. That has been broken for a long time.

[Firstyear]

This is a known and intentional issues with android to exclude other devices kanidm/webauthn-rs#365 (comment)

[jsoref]

@hpsin could you possibly unpin /~https://github.com/orgs/community/discussions/54450? It's confusingly listed before this one. Anyone searching would still find items in it, but as you've pinned this item, it seems more useful to have it listed prominently.

[Gieted]

YubiKey 5 doesn't work, tried both on Windows with Firefox and Chromium and on Android. I have already setup the PIN.

[Gieted]

Hmm, it appears you cannot set the same YubiKey as both security key and passkey. What's the reasoning behind this limitation?

[hheinsoee]

Great to hear that passkeys have moved to general availability! Here's a summary of the known issues and troubleshooting steps, as well as a guide on filing a report:

Known Issues

1. Upgrade Flow Errors:

   • Some browsers and OS may not allow upgrading an existing security key to a passkey.
   • Solution: Delete the existing security key from your GitHub account and register it as a passkey by clicking "Add a passkey".

2. Old Security Keys in Autofill:

   • Old security keys like Touch ID might appear in the password autofill section but won't be accepted by GitHub.
   • Solution: Ensure the device is registered as a passkey and delete the old security key registration from your device settings.

3. Windows Hello Setup:

   • If Windows Hello is not set up, your browser might not indicate available passkeys to GitHub.com.
   • Solution: Set up Windows Hello or use a passkey on another device.

4. Firefox and Hardware Security Key Errors:

   • Firefox may show an error during setup or upgrade, indicating that the passkey registration failed.
   • Solution: Set up the PIN for your hardware key using an app like Yubico Authenticator before attempting setup again.

Filing a Report

When encountering a bug or undesirable behavior, please provide the following details:

• Operating System and Version: e.g., Mac OS Ventura 13.5.2
• Browser and Version: e.g., Google Chrome 117.0.5938.62

Useful Links

• About Passkeys
• Launch Blog Post
• Chrome's OS Support Matrix

Feel free to reach out if you have any questions or need further assistance!

[Xerxes-2]

Unable to register passkey on Pixel 7 Pro

• Android Version: Android 14; Pixel 7 Pro Build/AP2A.240705.004
• Browser Version: Chrome Android 127.0.6533.85

On-device encryption and Screen Lock enabled, tried logout and login github.com

after click Add passkey, the webpage immediately shows Passkey registration failed

[Firstyear]

This is a bug in both android and github. Github sends options that only allows a "google passkey stored in google password manager" to work, you can't use screen unlock. And android is broken because it only triggers the screen unlock if you specific options that most of the passkey-boosters don't want you to use.

[vanelizarov]

Just added Passkey through Firefox and then used it in Chrome
Pixel 8 and Android 14 Security Update from August 5

[mateuscarfe]

When using a Passkey to log in, the two-step verification process is typically bypassed. Wouldn’t it be beneficial to have an option to log in with a Passkey and then perform a second verification step using a hardware security key like YubiKey? This could add an extra layer of security for sensitive operations.

[MsdnUsrSince1994]

If you (wrongly) insist that a pin-code must be added on Yubikeys used with Firefox, then at least the error message must say so, instead of a generic failure message!

[MsdnUsrSince1994]

Just to clarify, What I commented in the discussion months ago was that when the known issue in your 4th bullet point occurs, the error message should say so, instead of the misleading error message you quoted in that same bullet point. The rest of your reply below is entirely irrelevant.

…

On 12/7/2024 11:05 PM, Mohammedalduhamshi wrote: We've taken passkeys from a public beta to general availability, with all users able to set up and use a passkey. This discussion is to track known ecosystem issues and get your feedback about passkeys. Previous feedback from the beta can be found here <#54450>. Known issues * Some browsers and operating systems may not allow you to upgrade an existing security key registration to a passkey. If you receive an error during the upgrade flow, you should delete the security key from your GitHub account and then register your authenticator as a passkey by clicking "Add a passkey". * Some browsers will show old security keys (i.e. Touch ID) in the password autofill section, but GitHub won't accept them. These keys have not been registered as passkeys and do not sync, but we cannot delete them from your device. To fix this, ensure that the device is registered as a passkey and then in your device settings, delete the old security key registration. * If you have not set up Windows Hello <https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0>, your browser may not tell GitHub.com that you have an available passkey. If you see a warning that your browser doesn't support passkeys, and you are on Windows, try setting up Hello and trying again, or use a passkey on another device. * If you use Firefox and a hardware security key, you might get an error during setup or upgrade indicating |Passkey registration failed. This cannot be used as a passkey|. This is because Firefox doesn't support setting up the PIN for a hardware key <https://www.yubico.com/blog/firefox-support-for-fido2-authenticators-is-here/>. If you encounter this issue, you have to set up the PIN yourself, using an app like Yubico Authenticator to manage the key directly, before trying again. Filing a report If you've encountered a bug or undesirable behavior with how GitHub interacts with your device's passkey support , it's really helpful to know your operating system and browser version, I.e. Mac OS Ventura 13.5.2, Google Chrome 117.0.5938.62. You can learn more about passkeys at these useful links: * About Passkeys <https://docs.github.com/en/authentication/authenticating-with-a-passkey/about-passkeys> * Launch blog post <https://gh.io/passkeys-beta-blog> * Chrome's OS support matrix <https://developers.google.com/identity/passkeys/supported-environments> in case you see a warning that passkeys aren't supported in Chrome. Message ID: ***@***.***>

-- Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 <tel:+4531131610> This message is only for its intended recipient, delete if misaddressed. WiseMo - Remote Service Management for PCs, Phones and Embedded

[xbis]

Authentication failed
I managed to successfuly add my smart-card passkey to the account, but was unable to login.
After request to tap the authenticator (over NFC reader) and entering PIN, the additional request to "tap it again" appeared.
There was no reaction on any attempt to tap and only option "cancel" was available.
The same behaviour was with MS Edge. OS - Win 11 x64.

[simX]

The situation has improved somewhat for me... it looks like passkeys now work on Safari (version 18.2) on macOS (Sonoma 14.7.1). I dunno if that's because of the minor updates to Safari/macOS or something on GitHub's end, but I am able to sign in with a passkey without first using a password.

However, the UI still leaves something to be desired. On the log in screen, Safari's autofill offers a passkey when the cursor is in the default username/password fields?

If you (somewhat blindly) click on the passkey entry in Safari's password list which is the default behavior, GitHub will attempt to log you in but give you the error message as before, which reads: "Unable to sign in with your passkey. Please sign in with your password."

You have to deliberately scrutinize the log in screen and realize... oh, I have to specifically click the "Sign in with a passkey" button, and then that works properly as passkeys should. I'm not sure if that's a problem with the implementation of password/passkey autofill on Safari's part or something that GitHub can fix on their end, but I think there still needs some improvement here.

[marcus-j-davies]

I have not read all the comments.

But currently - I don't find using hardware tokens on GitHub, to be of any benefit - when it can be skipped by the actor logging in.
I did set it up - and removed it, when it added no extra security whats so ever.

Once the ability to remove the option of using Password / TOTP (as long as a Hardware token is In use) - then it will make sense.

Currently - it serves no purpose

[plastikfan]

Actually you raise a very good point here. It never occurred to me that making the use of a pre-registered hardware key is optional at the time of login is really a huge design flaw in the login process. Perhaps it should only be made optional during an initial setup phase which gives the account holder the chance of alternative methods just whilst verifying that the hardware key is actually working as intended. When verified as such then it should be made mandatory otherwise what is the point. Of course the process must be rock solid in its reliability to make this leap otherwise the user could easily find themselves locked out of their account. So far, I have experienced inconsistent behaviour which has shaken my confidence in the process giving me no other option other than to use my previous method of using my personal access token, which in itself doesn't make sense and I just realised that after having read your comment.

[marcus-j-davies]

Yup...

All other services I have with my keys - lock out the ability to bypass its requirement.
Isn't that the point of hardware tokens?

It's true, those services I can get locked out of - if I lose both my keys, but really that's on me, and If I lose both, I need to have words with my self.

I like this is being implemented - but anyone can still gain access to my account, by skipping its requirement and brute forcing or social engineering.

[pm4rcin]

Yup...

All other services I have with my keys - lock out the ability to bypass its requirement. Isn't that the point of hardware tokens?

It's true, those services I can get locked out of - if I lose both my keys, but really that's on me, and If I lose both, I need to have words with my self.

I like this is being implemented - but anyone can still gain access to my account, by skipping its requirement and brute forcing or social engineering.

Other services give you backup codes so you have to do something really bad to be locked out of your account for real. Github also gives you backup codes but ONLY if TOTP is active which is just a bad design and it's still not fixed. I have asked several times about this and it's planned but no ETA.