
Yubico 5Ci not working on website

This discussion was created from comments split from: macOS 10.15 + Security Key (YubiKey 5ci / NFC) not working.

Comments

  • rbondi
    Community Member

    The Yubico 5Ci doesn't work on the Webapp for me: I have to generate a code on my iPhone, using the Yubico app and 5Ci key.
    On macOS, I get prompted to use the key, but then get the message: "Try a different security key. You're using a security key that is not registered with this website".

    When I test the key https://demo.yubico.com/playground on macOS however, the key works fine.

    I'm using this Chrome version and hardware/macOS:

    • 79.0.3945.130 (Official Build) (64-bit)
    • Revision e22de67c28798d98833a7137c0e22876237fc40a-refs/branch-heads/3945@{#1047}
    • OS macOS Version 10.15.3 (Build 19D76)
    • MacBook Air 2017
    • A USBc-to-USB connector, so I can plug the 5Ci into the MacBook Air (this works fine on demo.yubico.com/playground)

    I'd include a screenshot of the 1P error message, but when I click on this textbox's picture icon menu, almost none of the menu appears, so I can't select an option to upload the screenshot.

    Can you advise on what might be wrong?

  • ag_ana
    1Password Alumni

    Hi @rbondi!

    Is this the same key that you have added to your 1Password.com user profile following these instructions?

  • rbondi
    Community Member
    edited February 2020

    Hi ag_ana,
    Yes, it is:

  • ag_ana
    1Password Alumni

    @rbondi:

    Thank you for the confirmation. Please upload the screenshot of the error message if you don't mind. You can do it by clicking on the little picture icon above the message area:

    Thank you!

  • rbondi
    Community Member

    Here it is:

  • Thanks @rbondi. Here is what I would suggest:

    1. Turn off 2FA for your 1Password account entirely
    2. Re-enable it
    3. Set up TOTP as required
    4. Set up only the Yubikey 5Ci for U2F using Chrome on the MacBook

    Please let us know how that turns out.

    Ben

  • rbondi
    Community Member

    Hi Ben,

    That worked on a Mac, thanks. I still have to try Linux tomorrow.

    I discovered one minor bug: whenever I have successfully added a security key, another Chrome tab opens immediately prompting me to log in to my 1Password account. I stay logged in in the original tab, so it is only annoying: I can just close the second tab.

    Regards, |r:b:

  • Thanks @rbondi. :)

    Ben

  • rbondi
    Community Member
    edited February 2020

    Hi Ben,

    I've got good news and bad news.

    The good news is that logging in on Linux with Chrome by touching the 5ci Yubikey worked.

    The bad news is that on macOS, 1Password is now behaving incorrectly and possibly insecurely.

    To reproduce:

    1. Follow your instructions above to set up the 5ci with 1Password, using Chrome on macOS.
    2. Wait 24 hours (go to work).
    3. Come home, and try to log in to 1P on macOS using my master password (mp)

    Expected behavior

    1. macOS 1P prompts me to insert the 5ci, and lets me in when I do so and touch the 5ci.

    Actual behavior

    1. macOS 1P visually indicates I've typed in the mp incorrectly, by shivering and going red.
    2. Triple check that I've got the correct mp, by typing it in a text editor, and pasting it successfully into Chrome to log in to 1P, but continuing to get the wrong mp visual in macOS 1P with the same pasted mp.
    3. Quit macOS 1P completely, using the icon in the Mac's screen's top menu with the option key held down.
    4. Restart macOS 1P by double-clicking it.
    5. When prompted for the mp, paste it in and press Enter.
    6. Get a prompt not for the 5ci, but to type in the six digit code.
    7. I type it in, by getting it from iOS iPhone using the Yubico Authenticator app and the 5ci, and press Enter
    8. macOS 1P unlocks -- showing all passwords -- but immediately prompts me again to type in a six digit code.
    9. Type in a new six digit code, from iOS, press Enter.
    10. Receive a dialog showing three fields: my login and master key filled in (in plaintext!!!), but the mp field empty, and error message saying that I've typed in one of my three identifiers incorrectly, and prompting me for a six digit code again.
    11. Type in the mp, and a fresh six digit code.
    12. Receive a dialog just for the six digit code. Type it in.
    13. Repeat step 14 three more times: each time, the dialog for the six digit code comes back.
    14. The fourth time, instead of filling in the six digit code, click Cancel in the six digit code dialog.
    15. The six digit code dialog disappears, and I'm able to use 1P as intended: clicking any entry shows the password panel.

    So that's really bad news:

    • I was never prompted to insert and touch the 5ci
    • The master key plaintext was displayed
    • The UX was confusing and incorrect

    I'm happy to experiment some more, but first please confirm that you can reproduce this behavior.

    Kind regards, |r:b:

  • rbondi
    Community Member
    edited February 2020

    The bad news continues:

    1. Quit macOS 1P completely.
    2. Open it again by double-clicking.
    3. When prompted for the mp, paste it in, press enter.

    Expected behavior:

    1. I'm able to use 1P as intended.

    Actual behavior:

    1. 1P opens, showing all entries and password panel, apparently working as intended.
    2. But immediately be prompted for six digit code, this time without a Cancel button. Screenshot:
    3. Type in a new six digit code, press Confirm.
    4. Get step 13: the master key plaintext is shown again. Screenshot with master key redacted:
    5. Enter mp, press Enter.
    6. Get Device Rate Limited dialog. Screenshot:
    7. Click OK.
    8. Dialog from step 25 re-appears, this time with mp in mp field, but obfuscated with ••••• symbols.
    9. But somewhat horrifyingly, I'm still able to use macOS as intended, even though the dialog from step 25 is still showing.
    10. Try to log in via Chrome, to disable 2FA -- but I can't, I get a Data Rate Limited warning there too now:

  • rbondi
    Community Member

    FYI the version of macOS 1P I have is 7.4.4:

  • rbondi
    Community Member

    A few hours later, I was able to log in via Chrome, and turn off 2FA, and then use macOS 1P normally. Let me know if you can reproduce the above bug. Regards, |r:b:

  • @rbondi

    Thank you for the detailed report. The Secret Key is not intended to be secret within your system. It is assumed that someone with access to your system will have access to the Secret Key. Additionally the 1Password for Mac app doesn't have any U2F support at this point, so it is normal that it would fall back to TOTP. I don't have a U2F Yubikey so I wouldn't personally be able to reproduce this but I will file an issue so my colleagues can attempt to do so. It does sound like there are some UX issues.

    Ben

  • @rbondi

    In filing the report for the team it would be helpful to have:

    1. A diagnostic report
    2. The times at which these screenshots were taken, so we can correlate them with log entries

    I'd like to ask you to create a diagnostics report from your Mac:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to support+forum@agilebits.com.

    With your email please include:

    • A link to this thread: https://discussions.agilebits.com/discussion/111378/yubico-5ci-not-working-on-website#latest
    • Your forum username
    • The time stamps for each screenshot above

    That way I can "connect the dots" when I see your diagnostics in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)

    Once I see the diagnostics I'll be able to file the issue. Thanks very much!

    Ben

  • rbondi
    Community Member

    CJZ-42759-362

    Um... The 1P support email looks generic, and immediately suggests that I turn on U2F for 1P. You might want to stop doing that in the emails until my issue is resolved!

  • Ben
    edited February 2020

    @rbondi

    > Um... The 1P support email looks generic, and immediately suggests that I turn on U2F for 1P. You might want to stop doing that in the emails until my issue is resolved!

    That's because you sent the email to support@agilebits.com instead of support+forum@agilebits.com. :) But no worries, we received it. We'll be in touch via email soon.

    As for the discussion on the Secret Key... we're getting a bit off topic. I'm going to split that discussion into its own thread so we can give each situation the attention it deserves. You can find the new thread here: https://discussions.agilebits.com/discussion/comment/549394/#Comment_549394

    Thanks!

    Ben

This discussion has been closed.