PIN protected Yubikey isn't recognized

Exists

I can reproduce the issue with a few exceptions

The vast majority of sites behave in the way described this post, prompting for the key & causing it to blink, but not recognizing a press.

I've noticed that this isn't an issue with some sites, such as GitHub and GitLab (only ones I've found so far)

Same versions & YubiKey model as the initial report

gp

Exists

Would you be able to check if GitHub and GitLab behave in this way in another browser?

I suspect GH and GL are requesting userVerification = DISCOURAGED, which would not request a PIN, even if one is set. Best test would be to use Safari or another browser to log in, on a key with a PIN (which I assume you have based on your notes above), and see if it proceeds in another browser without PIN?

Exists

Looks like that is the issue

Both GH and GL didn't require a pin while testing on Safari, other sites that don't work on Orion did request a pin

gp

To record my testing notes here. Note that I have tested with a Yubikey, but this is all standardised under FIDO2/webauthn as a PIN, so you don't have to use a Yubikey.

Set up a fresh Yubikey 5C (firmware 5.4.3, current latest). Disabled all the applets other than FIDO2 and U2F.
Set up a FIDO2 PIN on the device via the Yubikey manager app.
In Safari, browse to https://webauthn.io
Register a new "user" on this testing site, using the default settings. Settings captured below (note that user verification is the relevant one here, which is on by default).

Safari asks how you'd like to authenticate. Pick the option for an external security key.

Press the button on your token when prompted, to confirm user presence.

Enter your PIN when prompted

Tap the button on the key again when prompted

Done registering

Log in again using Safari - enter username, hit authenticate
Tap the button when prompted.

Enter your FIDO2 PIN

Tap the button again

Successful login in Safari

Now let's use Orion to login, attempting the same username as before

Some useful docs from Yubico looking at compatibility of different browsers and OSs.

https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/

To resolve this issue, we need to ensure user verification is implemented.

I suspect the "next" feature request would be discoverable credentials (i.e. passwordless login). For example, if I try to log in to webauthn.io without entering a username, then press the button and enter PIN, I can see the following (after telling Safari I want to use an external key):

Allowing me to pick an "account" to log in as - via the "discoverable credentials" feature of Webauthn/FIDO2 - where the credential gets stored on the key itself.

Ota

I just also ran into this issue and no idea how to solve it, besides using a different browser. It would be lovely if this can be tackled for a browser that considers privacy and security first.

aycaramba

Reporting same problem; pin-ed Yubikey is not being recognized on e.g. dropbox.com. Donated $50 for this effort specifically as it's the only real blocker for my switching to this browser. Thanks for the amazing work you're doing!

P.S. I do encourage folks affected to register to vote on the issue and make a donation to sponsor this as well.

httpjames

I am also sponsoring this issue as I need pin protected yubikeys for work, and I'd love to fully switch to Orion instead of switching between browsers.

Vlad

Thanks to both, we will give this issue attention asap.

prpl

I'm also experiencing this issue with my SoloKey, so it's not just limited to YubiKeys.

twadds

I just paid for a year subscription to Orion and I'm a Kagi search subscriber. I'd love to get this issue sorted. I have a couple of PIN protected YUbiKeys and am having this issue also

dino

@twadds @gp @httpjames @Ota can you please try this Dev(test) build and check if that works (we updated some code)

https://www.icloud.com/iclouddrive/0b7WgHZqUgn0-Jms4kkRiyhsQ#Orion-13.0-124.4.6

Vlad

We are looking for a yes/no 🙂 We do not have a key to test so we need your guidance.

aycaramba

I have attempted the download from 3-4 different browsers and it doesn't -- some log spew in the console. I assume something is temporarily broken on icloud drive side. I will retry in a bit, or if you guys could upload elsewhere, I can try that

dino

aycaramba Uploaded build to dropbox (with few more fixes to WebAuthn)

https://www.dropbox.com/s/5vtbublfyb718yz/Orion-13.0-124.4.6.2-Dev.zip?dl=0

aycaramba

I have tested the RC on a website that checks for the Yubikey's PIN (dropbox) and on a website that doesn't (proton mail) and can confirm that those two worked! Thank you!!!

gp

Confirmed working in the "release" of the RC, using a resident (Webauthn passwordless login) key on a test MS 365 account, using a Yubikey with PIN. Sorry dino, I didn't spot the mentions here the last couple of days.

🙂