Back today, same problem. Perhaps this second description will be more clear; scroll down to see the description from yesterday. Note I have made edits on this post only for clarification.
This is Fedora Linux 33, and Chrome 90.
Logging into gmail with 2FA setup to use the hardware key:
- put in PIN to unlock the key. The green LED flashes then remains on constantly.
- I open the ONLYKEY app and see the slot configurations
- log into gmail, give the username and password.
- Immediately the “2-Step Verification … Verifying it's you” screen appears, and Chrome pops up the dialog “Use your security key with google.com, Insert your security key and touch it”
- The light on the security key just remains a solid green. Normally it would turn blue at this point. Touching a button and the green LED goes off, the key is dark, there is a long pause, then it comes back. Chrome does not react in any way, the dialog is still showing.
So … I clear the browser cookies, reload the key configuration on the key, close the app, pull the key out, put it in, and try again. This time at step 5 the LED turns blue. The slot 2a is configured for this, but for grins I hit button 3a. It works and I am logged in. Now if I go to another account I will be back to the situation where the green light never turns blue. I will then do everything I can think of to reset things, and probably it will work.
I am thinking either Chrome is unhappy with multiple accounts and is not doing the second handshake, somehow window focus is not on the browser (but I was just typing in it), or the key hardware is broken. The funny part is that the button slots seem to be mixed up (see below, things configured on one button are only working on a different one, or working on multiple buttons …)
The key does not reliably work with multiple accounts. If it is 'reset' through the app (reloading the saved image or just going in and going out of the app), and buttons other than those that were set up are pushed, thus far it will eventually pass the 2FA challenge, but this is a messed up process. In detail:
- To get started I only use the ONLYKEY as a yubikey stand-in. I use no other feature.
- Four slots on the buttons 1a, 2a, 3a, and 4a. Used for 4 accounts, say: acct_1a, gmail_2a, acct_3a, and acct_4a.
  I understood (really?) from reading the manual that I may replace two Yubi keys, not 4, but it let me set it up, and it tested and initially worked. Why? What have I really done?
- One day when logging into gmail_2a, I accidentally hit button 1a (instead of 2a) and it let me in!
So I figured that indeed there was really only 1 or 2 keys and I had somehow assigned the one (or two?) to the different buttons. What is really happening here?
- After a couple of months I went back to acct_1a. This time when challenged for the key I typed the PIN on the key and it only flashed green instead of blue. I hit 1a but nothing happens. I am locked out of acct_1a!
- I logged out everywhere, and opened and closed the ONLYKEY app on the key, and went back to acct_1a, and then it flashed blue. I hit button 1a and it says “You're using a security key that's not registered with this website”. So I was locked out. In desperation I tried each button and upon hitting 3a it worked. But account acct_1a was put on button 1a. How can this be? Why did it do this? Why do I need to 'reset' through the app?
- Now it gets interesting. After going back to gmail_2a, the ONLYKEY only flashes green on the key challenge after the PIN is entered to unlock the ONLYKEY (not blue as before), and gmail does not accept the key - it only goes dark when the button is pushed. So I am locked out of gmail_2a. It worked just a few minutes before with the exact same key strokes. What is going on here?
- So I log out everywhere, back to the ONLYKEY app, then close it, go to gmail_2a, and then it flashes blue on the gmail challenge and accepts buttons 1a or 2a. Then going back to acct_1a, in a different tab in the browser, taking the key out and putting it back in, and the key is back to only flashing green after typing the PIN after the challenge, and I am locked out of acct_1a.
What am I not understanding about the ONLYKEY? I thought set up 4 slots on 4 buttons, then on a challenge, unlock the dongle with the PIN if it is not already unlocked, and hit the corresponding button, but it is not working like this. How is this supposed to be set up? What is happening when I am using the ONLYKEY? Is it broken?