Locked out, key not working most of the time, multiple accounts

Back today, same problem. Perhaps this second description will be more clear, scroll down to see the description from yesterday. Note I have made edits on this post only for clarification.

This is Fedora Linux 33, and Chrome 90.

Logging into gmail with 2FA setup to use the hardware key:

  1. put in PIN to unlock the key. The green LED flashes then remains on constantly.
  2. I open the ONLYKEY app and see the slot configurations
  3. log into gmail, give the username and password.
  4. Immediately the “2-Step Verification … Verifying it's you” screen appears, and Chrome pops up the dialog “Use your security key with google.com, Insert your security key and touch it”
  5. The light on the security key just remains a solid green. Normally it would turn blue at this point. Touching a button and the green LED goes off, the key is dark, there is a long pause, then it comes back. Chrome does not react in any way, the dialog is still showing.

So … I clear the browser cookies, reload the key configuration on the key, close the app, pull the key out, put it in, and try again. This time at step 5 the LED turns blue. The slot 2a is configured for this, but for grins I hit button 3a. It works and I am logged in. Now if I go to another account I will be back to the situation where the green light never turns blue. I will then do everything I can think of to reset things, and probably it will work.

I am thinking either Chrome is unhappy with multiple accounts and is not doing the second handshake, somehow window focus is not on the browser (but I was just typing in it), or the key hardware is broken. The funny part is that the button slots seem to be mixed up (see below, things configured on one button are only working on a different one, or working on multiple buttons …)


The key does not reliably work with multiple accounts. If it is 'reset' through the app (reloading the saved image or just going in and going out of the app), and buttons other than those that were set up are pushed, thus far it will eventually pass the 2FA challenge, but this is a messed up process. In detail:

  1. To get started I only use the ONLYKEY as a yubikey stand-in. I use no other feature.

  2. Four slots on the buttons 1a, 2a, 3a, and 4a. Used for 4 accounts, say: acct_1a, gmail_2a, acct_3a, and acct_4a.

I understood (really?) from reading the manual that I may replace two Yubi keys, not 4, but it let me set it up, and it tested and initially worked. Why? What have I really done?

  1. One day when logging into gmail_2a, I accidentally hit button 1a (instead of 2a) and it let me in!

So I figured that indeed there was really only 1 or 2 keys and I had somehow assigned the one (or two?) to the different buttons. What is really happening here?

  1. After a couple of months I went back to acct_1a. This time when challenged for the key I typed the PIN on the key and it only flashed green instead of blue. I hit 1a but nothing happens. I am locked out of acct_1a!

  2. I logged out everywhere, and opened and closed the ONLYKEY app on the key, and went back to acct_1a, and then it flashed blue. I hit button 1a and it says “You're using a security key that's not registered with this website”. So I was locked out. In desperation I tried each button and upon hitting 3a it worked. But account acct_1a was put on button 1a. How can this be? Why did it do this? Why do I need to 'reset' through the app?

  3. Now it gets interesting. After going back to gmail_2a, the ONLYKEY only flashes green on the key challenge after the PIN is entered to unlock the ONLYKEY (not blue as before), and gmail does not accept the key - it only goes dark when the button is pushed. So I am locked out of gmail_2a. It worked just a few minutes before with the exact same key strokes. What is going on here?

  4. So I log out everywhere, back to the ONLYKEY app, then close it, go to gmail_2a, and then it flashes blue on the gmail challenge and accepts buttons 1a or 2a. Then going back to acct_1a, in a different tab in the browser, taking the key out and putting it back in, and the key is back to only flashing green after typing the PIN after the challenge, and I am locked out of acct_1a.

What am I not understanding about the ONLYKEY? I thought set up 4 slots on 4 buttons, then on a challenge, unlock the dongle with the PIN if it is not already unlocked, and hit the corresponding button, but it is not working like this. How is this supposed to be set up? What is happening when I am using the ONLYKEY? Is it broken?

It sounds like you are using FIDO2/FIDO U2F. For that you just hit any button to log in. For FIDO U2F you just register your key on an unlimited number of sites; it's unrelated to slots.

For configuring the slots I did the following:

  1. ran the ONLYKEY app and unlocked the key
  2. On the Configure Slots page, clicked on a slot.
  3. That brought up a red menu for configuring the slot. The first option is for a Label, which I added. At the bottom it says “Options below are for two-factor authentication” and I selected “FIDO2/U2F”

I did that for four of the slots, 1a, 2a, 3a, and 4a and then enabled 2FA by hardware key on 4 different accounts corresponding to the labels I had set. For example, as mentioned 2a was for gmail.

If in fact these are actually all just one key pair, that explains why gmail opens on any of the buttons.

But there is still a problem, the key challenge is not working reliably. Only sometimes:

  1. It never works when first used to log into gmail, then used to log into another account. When the Chrome key dialog comes up for the second login, the ONLYKEY often fails to turn blue, just stays green, and pushing a button does nothing.
  2. Sometimes it will turn blue and then when I push a button it says I have the wrong key. Upon a retry, with the same ONLYKEY (I only have the one.) on the same account while pushing a different button it will accept it. This only happens when the LED turns blue when the Chrome key challenge dialog appears, and as noted it does not always do that.

Some things to try: do you have the latest firmware? - Upgrade Guide | Docs

Have you tried a different computer? Maybe there are connection issues.

You are using the FIDO application, you only touch the key when it turns blue and flashing, otherwise, OnlyKey will work as a keyboard and type out characters.

OnlyKey’s FIDO application is not related to “slots”, it functions as 1 single FIDO2 security key, not 6 FIDO2 security keys. Setting “U2F” in the slot config just makes OnlyKey “touch” the key for you, it will not help if the key is not flashing blue. If the key is not flashing, check if the key is registered to the account.

For more about the FIDO application, check these links:

@Extrawdw @t11 talking to some people who know what to expect and have some experience is very helpful. I get it now, that it is a single FIDO key. That helps me articulate the problem better, but the problem is still existing:

“you only touch the key when it turns blue and flashing”

Problem is it only gives the blue light sometimes. Sometimes it does give the blue light and lets me in. Other times it stays green. Same account, no other variables, so clearly it is not an account registration problem.

Also, when it gives the blue light, touching a button only works sometimes, but not others. One of my accounts literally tells me that I have the wrong key. Yet, when trying a second time or sometimes third time with nothing changed - same key, same account, same session - upon pushing the button it lets me in.

I have seen this same behavior on all the accounts. It is not account specific.

When the ONLYKEY does not flash blue, it seems it will never flash blue unless I pull it out, put it back in and unlock it again. It seems to help to open it in the ONLYKEY app and to reload the backup of the configuration, but that might just be a coincidence.

I only saw this problem when I decided to log into a second account the ONLYKEY was registered on after a long period of time. Initially it would not let me into the other account, no blue light. After many retries, I got into that account. Then when I went back to log into the first account again, same thing, no blue light, though it had been working for a month with no problem before that. It seems that it does not like to be used on more than one account. I don't know how FIDO works, but can it even know it is being used on multiple accounts? Maybe it is just a coincidence as the key is going on the fritz at the same time as I decided to use it on another account after a long time of not doing so.

(If you read my prior notes, you will see that I am saying the exact same thing, just explaining it better in light of the feedback you all provided.)

@t11 I installed the updated firmware. For about a week it was working, though I only use it on one site now. After a week, it turned blue, I pushed the button, and it went dark and did not let me in. So I tried again a couple of times, then it got into a mode where it was flashing green and blue alternately. Pushing the button let me in. It has done this twice now.

Seems to me that the nv-ram on this key is going out. So funny, I just looked it up. The key started failing exactly one year after I purchased it.

This is normal behavior; for a FIDO U2F request (maybe you are using an old browser?) it's Blue/Green.

https://docs.crp.to/features.html#led-definitions-onlykey-color

  • Blue blink then green blink = FIDO U2F request
  • Blue blink on/off = FIDO2 request

When I say blinking blue and green, I mean cycling indefinitely: Blue, then green, then blue, then green …
This is the first time I have seen that behavior. Is that what you are describing for FIDO U2F request? This is only happening after the initial key challenge unexpectedly fails a time or two.

Yes, blue, then green, then blue is a FIDO U2F request from the browser.
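
An added sketch, not part of the thread and not OnlyKey firmware, of the point made in the replies above: one FIDO device serves any number of sites from a single secret, the button pressed only signals user presence, and a credential bound to a different site or device is what produces the "not registered with this website" rejection. Assumptions: the key-handle derivation scheme, HMAC standing in for the ECDSA signature real U2F uses, and the names `ToyAuthenticator`, `site_verify` and `example.org`.

```python
import hashlib, hmac, os

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class ToyAuthenticator:
    """Hypothetical model of one U2F-style key; OnlyKey's own scheme is not described in the thread."""
    def __init__(self):
        self.device_secret = os.urandom(32)  # one secret for the whole device, no per-slot keys

    def _site_key(self, app_id, nonce):
        return _mac(self.device_secret, app_id.encode() + nonce)

    def register(self, app_id):
        nonce = os.urandom(16)
        key = self._site_key(app_id, nonce)
        # The site stores the handle plus a verifier (a public key in real U2F; symmetric stand-in here).
        return nonce + _mac(key, b"handle")[:16], key

    def authenticate(self, app_id, handle, challenge, button):
        nonce, tag = handle[:16], handle[16:]
        key = self._site_key(app_id, nonce)
        if not hmac.compare_digest(tag, _mac(key, b"handle")[:16]):
            return None  # handle was not issued by this device for this site
        return _mac(key, challenge)  # `button` is never used: any touch is just user presence

def site_verify(verifier, challenge, response):
    return response is not None and hmac.compare_digest(_mac(verifier, challenge), response)

def demo():
    key, other = ToyAuthenticator(), ToyAuthenticator()
    sites = {name: key.register(name) for name in ("google.com", "example.org")}
    c = os.urandom(32)  # constructed challenge
    results = {}
    for name, (handle, verifier) in sites.items():
        for button in ("1a", "3a"):
            resp = key.authenticate(name, handle, c, button)
            results[(name, button)] = site_verify(verifier, c, resp)
    g_handle, _ = sites["google.com"]
    results["cross_site"] = key.authenticate("example.org", g_handle, c, "2a")
    results["other_device"] = other.authenticate("google.com", g_handle, c, "2a")
    return results

if __name__ == "__main__":
    print(demo())
```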