Passwordless login using a security key doesn't work
**Describe the bug**
After having set up passwordless login, which I can confirm to be working by using Face ID on my phone, on either iOS or Chrome (Win11) it won't allow login with my YubiKey ("This security key doesn't look familiar, please try a different one" error on the Windows security popup).

**To Reproduce**
Steps to reproduce the behavior:
- Set up a Webauthn security key on your account
- Set up a flow as described in the documentation, and apply it to the main login flow
- Try to log in using the security key added above
- See error
**Expected behavior**
The security key login should work normally, as does the Face ID login I have set up.

**Screenshots**

**Logs**
No relevant logs have been found, only health checks.

**Version and Deployment (please complete the following information):**
- authentik version: 2023.10.2
- Deployment: Docker compose, under Traefik

**Additional context**
If any additional information/screenshots are required, please let me know.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
no stale
This bug is affecting me as well.
I think I've figured out a workaround, or maybe this issue is just a documentation problem. I had to bind an identification stage to my passwordless login flow, so the user has a chance to enter their username. Then the WebAuthn authentication can proceed as normal. However, this does lead to a pretty confusing flow of:
- Being prompted for a username, but clicking the passwordless option instead
- Being prompted for a username again, entering it here
- Authentication via WebAuthn
- Successful login
Going directly to the passwordless authentication flow URL avoids step 1.
In short, I think it works, but I think I'll have to do some learning on how to make it work well in Authentik. Either way, I'm now able to log in using my Yubikey.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
No stale
I also had this problem and implemented the workaround by @jroose.
After some more digging, I changed my WebAuthn setup stage settings: "Resident key requirement" and "User verification" were "Preferred", I changed them to "Required". Then I unregistered the WebAuthn device from my account and re-added it.
Now the passwordless flow works without the additional identification stage.
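The two workarounds in this thread (binding an identification stage so the server knows the user, versus registering the key with "Resident key requirement" set to "Required") come down to one WebAuthn detail: a username-less ceremony sends an empty `allowCredentials` list, so the authenticator has to find a discoverable (resident) credential for the relying party on its own, and a key registered under "Preferred" may hold only a non-discoverable credential. The following is an added illustration, not authentik's code; the field names (`residentKey`, `requireResidentKey`, `userVerification`, `allowCredentials`, the `credProps.rk` extension result, the authenticator-data flags byte) are from the W3C WebAuthn specification, while the relying party ID, credential IDs and helper function names are constructed for the example.

```javascript
// Added example (not authentik's code): how registration-time settings decide
// whether a credential can serve a passwordless (username-less) login later.
// WebAuthn field names follow the W3C spec; RP ID, credential IDs and the
// helper names below are constructed for illustration.

const RP_ID = "sso.example.test"; // constructed placeholder relying party ID

// Registration (navigator.credentials.create) options. With residentKey
// "preferred" the authenticator MAY create a non-discoverable credential,
// which is exactly the kind a username-less login cannot locate.
function buildRegistrationOptions(residentKey, userVerification) {
  return {
    rp: { id: RP_ID, name: "Example SSO" },
    user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" }, // constructed
    challenge: new Uint8Array(32), // constructed; a real server uses random bytes
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey,                                   // "discouraged" | "preferred" | "required"
      requireResidentKey: residentKey === "required", // legacy Level 1 field, kept in sync
      userVerification,                              // "discouraged" | "preferred" | "required"
    },
    extensions: { credProps: true }, // ask the client whether a resident key was really made
  };
}

// What the server should persist from the registration response. If the policy
// demanded a resident key and the client reports it did not create one, the
// registration is rejected instead of silently storing an unusable credential.
function storeRegisteredCredential(credentialId, registrationOptions, clientExtensionResults) {
  const rk = clientExtensionResults?.credProps?.rk; // true, false, or undefined (unsupported)
  if (registrationOptions.authenticatorSelection.residentKey === "required" && rk === false) {
    throw new Error("policy requires a discoverable credential but the client reports rk=false");
  }
  return { id: credentialId, discoverable: rk === true };
}

// Authentication (navigator.credentials.get) options. A flow with an
// identification stage knows the user and can list their credential IDs; a
// passwordless flow sends an empty allowCredentials and relies on discovery.
function buildAuthenticationOptions(knownCredentialIds) {
  const usernameless = knownCredentialIds.length === 0;
  return {
    rpId: RP_ID,
    challenge: new Uint8Array(32), // constructed
    allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: usernameless ? "required" : "preferred",
  };
}

// Explain, from the stored record, whether a stored credential can satisfy the
// requested ceremony. "not-discoverable" is the situation this thread describes.
function canAuthenticate(storedCredential, authOptions) {
  const usernameless = authOptions.allowCredentials.length === 0;
  if (usernameless) {
    return storedCredential.discoverable
      ? { ok: true, reason: "" }
      : { ok: false, reason: "not-discoverable" };
  }
  const listed = authOptions.allowCredentials.some((c) => c.id === storedCredential.id);
  return listed ? { ok: true, reason: "" } : { ok: false, reason: "not-in-allow-list" };
}

// Server-side check of the authenticator data flags byte on an assertion:
// bit 0 (0x01) = user present, bit 2 (0x04) = user verified.
function verifyAssertionFlags(flagsByte, userVerificationRequired) {
  if ((flagsByte & 0x01) === 0) return { ok: false, reason: "user-presence-missing" };
  if (userVerificationRequired && (flagsByte & 0x04) === 0) {
    return { ok: false, reason: "user-verification-missing" };
  }
  return { ok: true, reason: "" };
}
```

Run through the thread's two states: a credential registered under "preferred" whose client reported `rk: false` fails a username-less ceremony with `not-discoverable` but succeeds once an identification stage supplies its ID in `allowCredentials`; a credential registered under "required" with `rk: true` succeeds in the username-less ceremony directly. The flags check is the separate server-side control that makes "User verification: Required" meaningful at login time.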
We'll be adding some UI improvements and docs improvements to better clarify which settings in the stages should be set to what values for different use-cases/platforms/authenticators