After upgrading the firmware to the latest, I can no longer register OnlyKey to Microsoft/Office 365 Accounts, the following error message shows:
We couldn’t verify your identity or you are using private mode. Please ensure you are not in a private browsing window and please try again.
I tried to register a YubiKey in the same environment, it could go through. I also tried to register on another computer. another browser, no luck.
I get my Firefox and it worked, weird…
What OS/Browser did you find that did not work? We have tested in all major OS/Browser combinations but there are still some issues where FIDO2 does not always work.
Chrome and Edge
I suspect that the cause of the problem is not the browser, but OnlyKey FIDO2 seems to have some problems with the Attestation Certificate.
When I tried WebAuthn on Yubico demo website, it has Attestation Certificate related errors (in the “technical details”) of OnlyKey.
Thats odd, here is a screenshot of me accessing this site in chrome, it shows no errors just comes up as unknown device since its not a Yubikey.
Did you maybe set a custom attestation certificate? This is a feature we used to support but removed recently.
Scroll down to see Attestation Certificate part, for YubiKey I use, there is one, but for OnlyKey, it says " There was a problem parsing the attestation certificate, please check the console logs". For Azure Active Directory, the default option is “require Attestation”. In this case, OnlyKey cannot be registered. User have to contact their directory administrator to disable Attestation, which is sometimes difficult to do.
I’m having the same issues that you are. If it’s a chromium based browser, it doesn’t work, while Firefox it does work.
@Extrawdw it always says there is a problem with all keys I have tested except Yubikeys, I think they are looking for a Yubico cert. @tfluthy Are you having issues on Linux or a different OS?
I found that even successfully register on Firefox, cannot login on Chome…
If the Azure AD Admin turn off the “Requite Attestation” in Azure AD login options, then OnlyKey will work fine for Office 365 accounts. However no way for personal Microsoft Account.
What happens with my systems, if you register on firefox, in may or may not work in chrome, but the first time it fails in chrome, the security key vanishes out of MS account security portal
T11,
Windows 10 enterprise, newest version. Firefox is reliable, chromium is not
For Azure AD yes you can disable ‘Enforce Attestation’ more info here - Error adding Yubikey to Security Info - Microsoft Q&A
Currently Azure AD only supports security keys from a handful of providers and even that seems to sometimes not work with ‘Enforce Attestation’ enabled.
For the 2nd issue with Chrome and Microsoft account, this is a legitimate issue caused by new version of Chrome. A fix will be included in the next OnlyKey firmware update.
