solokeys / solo1

Solo 1 firmware in C
https://solokeys.com/

Can't login to google with solo1 as 2FA #607

Closed solsticedhiver closed 2 years ago

solsticedhiver commented 2 years ago

I was able to set up my solokey (v1) as a security usb key, and as 2FA on my google account.

But when I try to login, I am asked to use the key/press the button, it seems ok at first.

But then google finally displays a message:

A problem happened.
Try to reuse your security key or confirm your identity in any other way

This happens both on firefox 98 and chromium 99.0.4844.51

I have done a similar setup on github or dropbox and this works without any issue.

ghost commented 2 years ago

Is this a Solo hacker?

solsticedhiver commented 2 years ago

No, a regular solokey

$ solo1 key version
4.1.5 locked

solsticedhiver commented 2 years ago

OK. I found out why.

There is a difference when I set up the security key in firefox and chromium on google/gmail. In chromium, I have a dialog (coming from the browser), that asks me to authorise google to check the make and model of the key.

If I choose pass (or refuse), then I cannot login later on with the solokey (both on chromium and firefox)

I don't get such a dialog prompt on firefox I think.

If I choose authorize (to get make and model), I got no problem to use the solokey as expected.

solsticedhiver commented 2 years ago

I am about to close the issue, because it is not an issue with the key, I guess, but more a browser or GUI issue.

But I would have liked an opinion from someone and/or a dev. Someone more knowledgeable than me, in FIDO2:webauthn matters and all those subjects.

solsticedhiver commented 2 years ago

For the record, the message is:

Authorize this site to read information from your security key ?

google.com wants to see the make and model of your security key

Skip / Authorize

It should be more obvious that, by declining, you will be unable to login later on; is it a chromium issue then?

Edit: If I understand correctly, this message is displayed when an attestation is required (either direct, or indirect ?) during registration in webauthn API. There is a message too in firefox, but there is more explanation and a link to a doc;

nickray commented 2 years ago

I'm not really sure, but (I think?) for a while Firefox by default did a flavor of obfuscation of your "make + model". They may still be doing that, and Google may not like this.

If a little context helps, creating a credential means creating a key pair, but on top there's an "attestation", which is intended to mean that the device "attests" (promises/guarantees) that the key pair was generated on it (and not e.g. by some random software). For this, devices have "batch" keys + certificates; these are used when the website asks for "direct attestation", which is what triggers browsers to give you this additional popup. There's a little bit of privacy dance going on here (the website shouldn't get this device info without your consent, a "batch" is supposed to be a production run of a large number of the "same" devices, e.g. Solo 1 USB-A no-NFC made in 2020, or Solo 2 USB-C yes-NFC made in 2022). When you consent to this "make+model" info, the batch key signs the generated keypair's public key, and passes along this signature and the batch cert. This allows (in principle) websites to look up the device "make+model" in metadata databases (the AAGUID is shared among these "batches" and is the ID for a batch).
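
The attestation explanation above, as an added example that is not part of the thread or of the Solo firmware: a relying-party-side parser for the WebAuthn `authenticatorData` bytes that pulls out the AAGUID and reports whether any "make + model" information arrived. The sample bytes and the AAGUID are constructed, and modelling the "Skip" case as format `none` with an all-zero AAGUID is an assumption; the thread does not show what Chromium actually sends.

```javascript
const AT_FLAG = 0x40; // flags bit: attested credential data included
const UP_FLAG = 0x01; // flags bit: user present
// Parse the fixed header and attested credential data of authenticatorData.
function parseAuthData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData too short");
  const flags = buf[32];
  const out = {
    rpIdHash: buf.subarray(0, 32).toString("hex"),
    userPresent: (flags & UP_FLAG) !== 0,
    signCount: buf.readUInt32BE(33),
    aaguid: null,
    credentialId: null,
  };
  if (flags & AT_FLAG) {
    if (buf.length < 55) throw new Error("truncated attested credential data");
    const h = buf.subarray(37, 53).toString("hex");
    out.aaguid = [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
    const idLen = buf.readUInt16BE(53);
    if (buf.length < 55 + idLen) throw new Error("credential ID overruns buffer");
    out.credentialId = buf.subarray(55, 55 + idLen).toString("hex");
  }
  return out;
}

// What a relying party can learn about "make and model" from one registration.
function describeAttestation(fmt, authData) {
  const { aaguid } = parseAuthData(authData);
  const zero = "00000000-0000-0000-0000-000000000000";
  if (fmt === "none" || aaguid === null || aaguid === zero) return "no make/model: attestation withheld";
  return `attested (${fmt}), metadata lookup key AAGUID ${aaguid}`;
}

// Constructed sample data: builds authenticatorData for a 16-byte AAGUID given as hex.
function sampleAuthData(aaguidHex) {
  const credId = Buffer.from("c0ffee00c0ffee00", "hex"); // constructed credential ID
  const len = Buffer.alloc(2); len.writeUInt16BE(credId.length);
  return Buffer.concat([
    Buffer.alloc(32, 0xab),             // rpIdHash (placeholder bytes)
    Buffer.from([UP_FLAG | AT_FLAG]),   // flags
    Buffer.from([0, 0, 0, 5]),          // signCount = 5
    Buffer.from(aaguidHex, "hex"), len, credId,
    Buffer.from("a0", "hex"),           // empty CBOR map standing in for the COSE public key
  ]);
}

const CONSENTED = sampleAuthData("00112233445566778899aabbccddeeff"); // constructed AAGUID
const SKIPPED = sampleAuthData("00".repeat(16));
console.log(describeAttestation("packed", CONSENTED), "|", describeAttestation("none", SKIPPED));
```

A relying party that requires a recognised AAGUID would accept the first registration and have nothing to look up for the second.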

solsticedhiver commented 2 years ago

During my test, I tried both options (masquerading or not) as asked in firefox. I don't remember if it makes a difference.

The dialog in firefox, is only asking about masquerading the information given to the site, or not. But something is given, whatever your choice.

The issue is more, in chromium/chrome, where the browser is asking you to give some info or not. If you pass, and refuse to give anything (a.k.a an attestation), the key does not work after that.

It should be made obvious, somewhere, that refusing causes problems. At the very least, in the google process to add the key, and in some documentation, I don't know where. In solokeys doc ??, in webauthn doc ? I don't know.

I would have liked to know this before discovering it the "hard" way.

Note: it is ironic that it is the very own google browser that is misleading, and allows you to pass on something required.