Security Key Passkeys not listed in Authenticator v.7.1.1
In Yubico Authenticator v7.1.1 the FIDO2 passkeys stored on a Security Key NFC are not listed. OS: Windows 11 Pro x64 23H2, with 2024-12 updates installed too.
There are definitely passkeys there (I use that on GitHub, for example),
but in the PDF features matrix it says it should be supported (the "not supported" bit is about fingerprints):
https://docs.yubico.com/software/yubikey/tools/authenticator/auth-guide/_static/Yubico-Authenticator-Functionality.pdf
Note: it works OK on a YubiKey 5 NFC; it lists some passkeys (but I'm not sure exactly how many passkeys I should have on this key ... seems correct though).
Tested with another (a bit older) Security Key, non-NFC model, with firmware 5.0.2 ... it still does not list the passkeys.
This non-NFC model does not even appear in that PDF file, even though it has FIDO2 passkey functions.
Thank you for reporting this. Unfortunately I think the PDF matrix is a bit too generic as some features like Credential Management which is required to list the discoverable credentials was introduced first with firmware 5.2.1 (2019). It could absolutely be more clear in the UI that it's not possible to list them. If you run ykman fido credentials list you will get an error message.
Me again, with another hidden passkey bug. This time on YK firmware 5.4.3.
This YubiKey is configured as a FIDO2 passkey for a Google account, but that passkey does not appear in the list of passkeys in the Authenticator app.
I have also raised a related passkey issue with Google Security. They apparently see nothing wrong in the fact that a passkey is created on a key but its "last used" timestamp is not updated for years, despite the fact it has been used this week multiple times. This is probably related to this hidden FIDO2 passkey.
I guess this means everyone enrolled in the Advanced Protection program, especially journalists, should check their safe deposit boxes (or equivalents) and verify they still contain the actual backup passkey tokens they stashed in there, just in case they were compromised and used to access their data.
This hidden passkey usage can probably be a gold mine for various intelligence agencies worldwide to exfiltrate data.
Update: while reading more on the hidden passkey issue, I found out that FIDO2 passkeys can also exist where they are not stored on the key; rather, the key can reconstruct them on the fly only when needed.
https://docs.yubico.com/yesdk/users-manual/application-fido2/fido2-credentials.html
quote: There are two kinds of credentials:
Discoverable (FIDO2 version 2.0: resident keys)
Non-discoverable or server-side (FIDO2 version 2.0: non-resident credentials)
[...]
A non-discoverable credential is not stored on the YubiKey (hence the FIDO2 version 2.0 term "non-resident"). The credential is not stored anywhere, rather, the YubiKey can reconstruct a non-discoverable credential if it has enough information. That includes the credential ID. If you build a non-discoverable credential, then you must manage the credential ID yourself. Then, when you need an assertion for that credential, supply the credential ID and the YubiKey will be able to get an assertion. /quote
And a related advisory: https://www.yubico.com/support/security-advisories/ysa-2024-02/
This explains why the passkey is not listed in the Authenticator app when checking the passkeys, but does not explain why Google does not update the 'last used' key timestamp. Oh well. ¯\_(ツ)_/¯
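The thread above gives two distinct reasons a passkey can be absent from a listing: the key's firmware predates CTAP2 Credential Management (5.2.1, per the maintainer's reply), or the credential is non-discoverable and so was never stored on the key at all. The following added example (not code from the issue thread, Yubico or ykman) separates the two cases; the diagnosis helpers are pure, and the enumeration helper uses the python-fido2 library (`pip install fido2`) and assumes a single CTAP2 HID device with a PIN set.

```python
"""Diagnose why a FIDO2 passkey is missing from a YubiKey credential list."""


def supports_credmgmt(options: dict) -> bool:
    """CTAP2 getInfo 'options' advertises credMgmt (final spec) or the
    credentialMgmtPreview flag used by early firmware implementations."""
    opts = options or {}
    return bool(opts.get("credMgmt") or opts.get("credentialMgmtPreview"))


def firmware_can_list(version: tuple) -> bool:
    """Credential Management first shipped in YubiKey firmware 5.2.1."""
    return tuple(version) >= (5, 2, 1)


def why_not_listed(options: dict, version: tuple, discoverable: bool) -> str:
    """Short diagnosis for a passkey that does not appear in the listing."""
    if not firmware_can_list(version) or not supports_credmgmt(options):
        return "authenticator cannot enumerate credentials (no credMgmt)"
    if not discoverable:
        return ("non-discoverable credential: not stored on the key, only "
                "reconstructed on demand from its credential ID")
    return "should be listed"


def list_discoverable(pin: str) -> list:
    """Enumerate resident credentials on the first attached CTAP2 HID key.
    Needs hardware; returns a list of (rp_id, user_name) tuples."""
    # Lazy imports so the pure helpers above run without python-fido2.
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2, ClientPin, CredentialManagement

    dev = next(iter(CtapHidDevice.list_devices()), None)
    if dev is None:
        raise RuntimeError("no FIDO device found")
    ctap2 = Ctap2(dev)
    if not supports_credmgmt(ctap2.info.options):
        raise RuntimeError("this key cannot list credentials (no credMgmt)")
    client_pin = ClientPin(ctap2)
    token = client_pin.get_pin_token(pin, ClientPin.PERMISSION.CREDENTIAL_MGMT)
    credman = CredentialManagement(ctap2, client_pin.protocol, token)
    found = []
    for rp in credman.enumerate_rps():
        rp_id = rp[CredentialManagement.RESULT.RP]["id"]
        for cred in credman.enumerate_creds(rp[CredentialManagement.RESULT.RP_ID_HASH]):
            found.append((rp_id, cred[CredentialManagement.RESULT.USER].get("name")))
    return found
```

A Google passkey that works but never appears in `list_discoverable` is consistent with the second diagnosis: the key only reconstructs it from the credential ID the relying party sends, which is exactly what the quoted Yubico documentation describes.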