
Yubikey 5 NFC fails to authenticate on Android with NFC.

Open vestyc opened this issue 1 year ago • 7 comments

Describe the bug
When attempting to use 2-factor authentication with Yubikey 5 NFC via NFC scan, I get the following error from Authentik: "Error: Error when creating credential: UnknownError: The operation failed for an unknown transient reason." The error occurs on Chrome and Firefox.

I also get a "Something went wrong. Try inserting your security key in your phone's USB port or connect it with a USB cable or adaptor" error from the browser when scanning with NFC. Retrying the scan does eventually get a successful scan but then Authentik will throw the error I described above. Using the USB port on the phone works flawlessly.

To Reproduce
Steps to reproduce the behavior:

  1. Create an Authentik account and add a security key under MFA Devices with type "WebAuthn Device"
  2. Open WebAuthn capable browser (Chrome, Firefox, etc)
  3. Navigate to Authentik instance and attempt to log in with first factor of Username & Password.
  4. When prompted for security key, select the NFC option.
  5. Scan security key with NFC scanner. Try multiple times if you see the following error: "Something went wrong. Try inserting your security key in your phone's USB port or connect it with a USB cable or adaptor."
  6. After the browser accepts the NFC scan, Authentik will throw the following error: "Error: Error when creating credential: UnknownError: The operation failed for an unknown transient reason"

Expected behavior
After the browser accepts the security key's NFC scan, Authentik should successfully log the user in.

Logs Output of docker-compose logs:

Version and Deployment (please complete the following information):

  • authentik version: 2023.8.3
  • Deployment: docker-compose
  • Chrome version: 118.0.5993.80
  • Firefox version: 118.2.0
  • Phone: Samsung Galaxy Note20 Ultra 5G running Android 13

vestyc, Oct 24 '23 02:10

I'm seeing this as well on a Pixel 6 Pro. Saw this issue on Android 13 and 14. Maybe an issue because I registered the YubiKey on desktop then tried to use it on mobile?

kashalls, Oct 24 '23 05:10

Same issue:

Version and Deployment (please complete the following information):

authentik version: 2023.8.3
Deployment: docker-compose
Chrome version: 118.0.5993.80
Firefox version: 118.2.0
Phone: Pixel 8 running Android 14

WebAuthn Yubikey registered on desktop -> NFC not working, but USB on phone works and USB on computer works
WebAuthn Yubikey registered on smartphone via NFC -> NFC and USB on phone and USB on computer work
WebAuthn Yubikey registered on smartphone via USB -> NFC and USB on phone and USB on computer work

Misterbabou, Oct 25 '23 16:10

Also having this issue with a Galaxy S21 & Yubikey 5c nfc

Badbird5907, Oct 30 '23 23:10

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue still persists in 2023.10.x and should not be marked as stale.

kashalls, Dec 30 '23 01:12

Also having this issue still with 2023.10.6

jonade, Jan 24 '24 17:01

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.