OnlyKey not detected in browser when setting up FIDO2 Security Key on ProtonMail

Hello all, new OnlyKey user here. After configuring my OnlyKey with the Linux app (set a PIN, passphrase, and a test account in one of the slots), I tried to use my OnlyKey in my browser as a security key in ProtonMail.

I’m using LibreWolf (most recent version). During the setup on ProtonMail’s website, I reach the point where a browser pop-up asks me to plug in my security key and touch it. I expect my OnlyKey to light up blue per the documentation, but it does not. Touching it does not enroll it as a security key after the fact.

Anybody else running into similar issues? As far as I can tell:

  1. OnlyKey is FIDO2 Certified
  2. Proton supports FIDO2 security keys
  3. LibreWolf is based on Firefox, which now supports security keys (otherwise I wouldn’t see the popup)

So I don’t understand why it is not working as simply as the documentation says it will. I also tried https://webauthn.io/ to test the OnlyKey being detected, but get similar results.

Thanks for the help in advance!

I don’t know much about LibreWolf. Are you able to test on another computer and browser?

Hi t11,

Yes, I tested the webauthn test website in plain-jane Firefox and my OnlyKey lit up blue and worked as intended. This leads me to think it is a LibreWolf issue. I tried adjusting some settings in the about:config with no real luck.

I may have to move to hardened Firefox as my daily driver for sensitive activities that involve my OnlyKey, and just use LibreWolf for casual browsing.

Hell, I might end up on Brave again. I haven’t tested OnlyKey on Brave and I do have worries about its reliance on Chromium, but maybe things have changed in the past year for it.

I have used Brave with FIDO2; it works fine. Some custom browsers like the LibreWolf one might not support FIDO2.

Update: I was recently able to use FIDO2 on both Brave and LibreWolf in the past week. A recent update to the browser must have fixed it. In any case, I wanted to let everyone know so that these options are out there!

Hey, I’m having the same problem (FIDO2, Linux, LibreWolf, Proton, CTAP2 enabled in about:config, and the notification comes up in the browser for the key check; working fine on other browsers), but updating the browser hasn’t fixed the issue.

Were you on the flatpak version?

…and I worked out my problem: Flatpak’s sandboxing.

The solution for Flatpak LibreWolf (or any browser without the permission, I guess) is passing the --device=all option when launching the app. I don’t know enough to say whether security key support is worth the tradeoff of giving the browser access to all devices though.

EDIT: the more granular device permissions (dri, input, kvm, shm) were tested, and none worked.
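
Added example, not written by any participant in this thread: a small shell check for the condition the last post describes, reading Flatpak permission metadata and reporting whether the `[Context]` device list contains `all`. The function names and the sample keyfile text are constructed for illustration; the app ID is passed in by the reader and is not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads Flatpak permission metadata in
# keyfile format, as printed by `flatpak info --show-permissions APP`, and
# reports whether the sandbox is granted device "all", the setting the
# thread found necessary for the security key to be reachable.

# has_device_all: keyfile text on stdin -> prints "yes" or "no".
# Only the devices= key inside the [Context] section is considered, and a
# negated entry ("!all") does not count as a grant.
has_device_all() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^devices=/ {
            sub(/^devices=/, "")
            n = split($0, d, ";")
            for (i = 1; i <= n; i++) if (d[i] == "all") found = 1
        }
        END { print (found ? "yes" : "no") }
    '
}

# check_app: run the same check against an installed app.
# APP_ID is supplied by the caller (hypothetical argument, not from the page).
check_app() {
    if ! command -v flatpak >/dev/null 2>&1; then
        echo "flatpak is not installed" >&2
        return 2
    fi
    flatpak info --show-permissions "$1" | has_device_all
}

# Constructed sample metadata: a browser with only the granular "dri"
# device, and the same browser after device "all" has been granted.
SAMPLE_DEFAULT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
'
SAMPLE_ALL='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
'

# Usage: sh check.sh APP_ID
if [ "$#" -gt 0 ]; then
    echo "device=all granted: $(check_app "$1")"
fi
```

A "no" result for a browser that shows the security key prompt but never reaches the key matches the symptom described above; whether granting access to all devices is acceptable remains the tradeoff the poster raises.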