Unable to use YubiKey with passkey strategy
Preflight checklist
- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's Code of Conduct.
- [x] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
I'm able to use my YubiKey with the WebAuthn strategy, but not with the Passkey strategy. Please correct me if I'm wrong: I expect the passkey strategy to create a resident credential on my YubiKey, as per #2868 (and WebAuthn to create non-resident credentials). Instead the browser seems to refuse my YubiKey altogether when I try to use it with the Passkey strategy.
UPDATE: I noticed in the docs that WebAuthn is marked as deprecated; this means that my assumption is probably incorrect, that `passkey` is meant for creating resident credentials and `webauthn` is meant for creating non-resident credentials. Should the `passkey` strategy then have a way for me to define whether I want people to create resident credentials or not? Maybe a topic for another discussion.
When I try on passkeys.io, it works and here's the Chromium prompt I get during registration:
When trying on either selfservice-ui-node or ory-elements/examples/nextjs-app-router, I get the following Chromium prompt instead:
Reproducing the bug
I tried both on localhost (basically the contrib/quickstart/kratos/passkey setup) and deploying this on a proper domain; same result.
Let's say we use contrib/quickstart/kratos/passkey configs, and go through selfservice-ui-node: Registration > Enter email > Sign up > Sign up with passkey.
I don't really see any errors in browser console or kratos.
I tried with a couple of different YubiKey 5C, just to be sure.
Relevant log output
Relevant configuration
https://github.com/ory/kratos/tree/master/contrib/quickstart/kratos/passkey
Version
v1.3.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
Solution => remove the following line:
https://github.com/ory/kratos/blob/d5e0f6fd73e317eb2f7ec20b2ddf84b5cb8f59f4/driver/config/config.go#L1566
Having this line requires passkeys to only be created on the same device that WebAuthn is running on (ref docs).
Without removing that line, the only way to use external devices like Yubikeys is with the deprecated webauthn strategy.
Removing this line permits the browser to communicate with external devices like Yubikeys. I confirm that this works.
I'm not willing to sign the mandatory CLA in order to submit this as PR, feel free to update the code yourself 🙂
Ok, it seems to be standard practice to allow roaming authenticators (yubikey) as passkey options.
From what I can tell from w3.org roaming, w3.org authenticator selection and yubico dev authenticators this is safe to use indeed.
As of now this documentation seems incorrect: https://www.ory.com/docs/kratos/passwordless/passwordless
> External authenticator: an authenticator provided by an external device, such as a Yubikey or a NFC device.
Is only true if you are using the deprecated webauthn method. But as @max-baz mentioned this does not work passwordless since it doesn't use the resident key requirement. But with the passkey method none of the external devices work.
Before the release of the passkey method a PR was made for the webauthn method to allow users to set it themselves: https://github.com/ory/kratos/pull/4047.
Although leaving it empty should work for all platforms. https://github.com/go-webauthn/webauthn/blob/master/protocol/authenticator.go#L94-L120. If possible I'd at least like to be able to choose the setting, or change it from its potential default 'platform'. Like that PR was attempting to do for the webauthn method.
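To make the behaviour behind the proposed fix and the authenticator-selection discussion above concrete, here is an added example (constructed for this thread, not code from Kratos or go-webauthn; `buildCreationOptions`, `isEligible` and the sample authenticators are assumed names) that models how a WebAuthn client filters authenticators by the `authenticatorSelection` member of the creation options: pinning `authenticatorAttachment` to `"platform"` excludes roaming keys before any prompt is shown, while leaving it unset keeps both kinds eligible and still enforces a resident credential via `residentKey: "required"`.

```javascript
// Constructed model (added example, not code from Kratos or go-webauthn) of how a
// WebAuthn client filters authenticators using the AuthenticatorSelectionCriteria
// dictionary of PublicKeyCredentialCreationOptions.

// Build registration options. `attachment` is "platform", "cross-platform" or
// undefined; when undefined the member is omitted and any authenticator may be used.
// `challenge` must be the server-generated random challenge (constructed by the caller here).
function buildCreationOptions({ rpId, userName, challenge, residentKey, attachment }) {
  const authenticatorSelection = { residentKey, userVerification: "required" };
  // Level 1 clients ignore `residentKey`, so set the legacy flag alongside it.
  if (residentKey === "required") authenticatorSelection.requireResidentKey = true;
  if (attachment !== undefined) authenticatorSelection.authenticatorAttachment = attachment;
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: new TextEncoder().encode(userName), name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection,
  };
}

// Client-side filtering step: an authenticator whose attachment modality does not match
// the requested one is excluded, as is one that cannot hold a discoverable (resident)
// credential when one is required. authenticator = { name, attachment, supportsResidentKey }
function isEligible(options, authenticator) {
  const sel = options.authenticatorSelection;
  if (sel.authenticatorAttachment && sel.authenticatorAttachment !== authenticator.attachment) return false;
  if (sel.residentKey === "required" && !authenticator.supportsResidentKey) return false;
  return true;
}

// Constructed authenticators: a laptop's built-in authenticator and a roaming
// security key (a YubiKey 5 series key can hold resident credentials).
const LAPTOP_BUILTIN = { name: "platform authenticator", attachment: "platform", supportsResidentKey: true };
const SECURITY_KEY = { name: "roaming security key", attachment: "cross-platform", supportsResidentKey: true };

// Constructed placeholder challenge; a real relying party sends fresh random bytes per ceremony.
const CHALLENGE = new Uint8Array(32);
const base = { rpId: "example.test", userName: "alice", challenge: CHALLENGE, residentKey: "required" };

// The two configurations discussed in the thread: attachment pinned to "platform" versus left unset.
const pinnedToPlatform = buildCreationOptions({ ...base, attachment: "platform" });
const anyAuthenticator = buildCreationOptions(base);

function eligibleNames(options) {
  return [LAPTOP_BUILTIN, SECURITY_KEY].filter((a) => isEligible(options, a)).map((a) => a.name);
}
console.log("platform only:", eligibleNames(pinnedToPlatform)); // [ 'platform authenticator' ]
console.log("attachment unset:", eligibleNames(anyAuthenticator)); // both authenticators
```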