Adding WebAuthn Security key fails with "Authentication failed"

I noticed that Crowdin supports WebAuthn via FIDO2 hardware tokens, so I wanted to register my Yubikey 5. But trying to do so repeatedly fails with “Authentication failed”.

Are Security Keys even available for free accounts? I guess 2FA is only available for paid Pro accounts and above?

This is the register page, and the browser states “Tap your security key to continue with accounts.crowdin.com”. Doing so immediately results in the error message below:

The same hardware token works on PyPI, Github, Discord and a few other sites supporting WebAuthn.

Hi @luziferius!

Security Keys are indeed available for all Crowdin users, including those with free accounts. The issue you’re experiencing with your Yubikey 5 might be related to browser compatibility or a temporary glitch.

Please ensure that you are using the latest version of a compatible browser like Chrome, Firefox, or Edge. If the problem persists, try the following steps:

  • Clear your browser cache and cookies.
  • Restart your browser and attempt to register your Yubikey again.
  • Try using a different compatible browser to see if the issue is browser-specific.

Please try that and let us know how it went!

Hi,
Thanks for confirming that 2FA is available. (I saw a few listing sites where some services are listed as supporting 2FA only for premium accounts, so I kinda assumed that it may apply here.)

I tested on a different machine, and ran the network analysis tool built into Firefox (currently running the latest version 123), and upon hitting the Register button, the server returns an HTTP 422 Unprocessable Content error:

I tried again with a completely cleaned browser session, with the same results.

As an additional test run, I added the same token to my PyPI account a second time to ensure that it can work, and that worked without issues.

Hi @luziferius!

Required two-factor authentication is indeed a feature available from the Team+ subscription, but if we talk about Security keys, it should be available on the free plan.

Can you please tell us all the steps you do to add the key, so I can pass that on to our team?

Looking forward to your reply!

I follow the steps as presented by the web interface:

Account settings → Security Keys and Passkey → Button “Register Security Key” → “Confirm credentials to continue”, entered password, hit “Confirm” → Enter a name, hit “Register Security Key”.
Then Firefox tells me to touch the button on the key, which then results in the error.

For the record, the device in question is a YubiKey 5 NFC with firmware 5.4.3, plugged in via USB.

I installed Chromium from the Ubuntu Linux repository and tried again with that browser.

This leads to this message:

Apparently having a PIN set on the key is required, which I have not done. Firefox does not say that at all, it simply fails after touching the button on the device.

@luziferius ,

Does the setup of the key fail after you try to set the PIN, too?

Let us know, so we can provide a better solution!

I set one, and now both browsers ask for the PIN. After entering, both fail with HTTP 404 NOT FOUND:

@luziferius,

Thank you for all of the information, I’ve passed it to our developers.

As soon as there are updates I’ll let you know!

I messed up a bit, and accidentally skipped the registration step. :man_facepalming:

Registration works and I got the confirmation E-Mail “Your account’s Two-Factor Authentication (Security key Primär) has been successfully set up, adding an extra layer of security.”

But trying to log in after receiving the confirmation mail still results in the aforementioned HTTP 404. I’ll double check, if I have done something wrong.

Yes, I messed up hard after setting the PIN. It works.

Ok. At the login page, I use the tabulator key to move between the inputs: “username” [Tab] “Password” [Tab] [Space] to hit the button. But that moves focus to the Passkey button, which looks like it initializes a 2FA login, but does not. I have to explicitly click on “Log In”, which then prompts for the USB key in a second step.

This works differently from all other sites I used before, so it threw a wrench into the login procedure :slight_smile:

@luziferius,

Glad to hear that everything works as expected now!

Have a nice weekend :blush:

You, too. Thanks for your time in helping out!

Hi, another user here!

When I tried to add a security key (Yubico FIDO2-only blue key) a month ago I had similar issues to OP. I don’t remember the exact details, but I think I also got a message about “authentication failed”. I think I also got the “Set PIN” dialogue in Chrome. I’m using the latest versions of Safari, Firefox, and Chrome.

So, here’s my opinion:

I have no PIN set on my keys (although it is capable of one) and I do not want to set one, since I only use my keys as a 2nd factor in addition to my password. Setting a PIN should only be required if the security key is used in “passwordless” or “passkey” mode (like Microsoft uses them), but not when it’s a 2nd factor only.

I have successfully added my security keys without PIN on services like Google, Apple ID, Dropbox, Facebook, and more. Crowdin is the first site that needs a PIN set even when using the key as a 2nd factor only. This could be a mistake, but if it’s a design decision I think it’s bad design that deviates from every other mainstream site’s use of FIDO2 security keys.

We do align both in experience and opinion on the matter.

I did set a PIN though. And afterwards tried to use it to log in on PyPI and it did not ask for the PIN.
It seems most websites use the U2F part of the spec, which does not provide single-factor auth and thus does not require a PIN. And they continue to work without PIN, even after setting one.

If you set a PIN, register the device on Crowdin, and then open your Yubikey in the Yubico Authenticator app, you’ll notice the crowdin login is listed in the app in the WebAuthn menu. Other logins on sites not requiring the PIN do not show up there.

That means Crowdin is saving a so-called discoverable credential (also called resident key), which is expected if using the key in passwordless mode.

Many years ago I did set a PIN and registered this PIN enabled key on sites to take note of which required the PIN (require I enter it, not require to set one in the first place).

Dropbox, Facebook, Wordpress and some others required the PIN, but not Google. I never tried using the PIN enabled key with Apple ID, but I’ve read from other users that it creates a discoverable credential (if a PIN is set) even though the key is used as a 2nd factor only. So while you’re right that not all sites will ask for the PIN, it’s too many for me.

Hello,

Thank you for sharing your experience with us. Be sure, we appreciate all feedback on the matter.

We will consider possible improvements in this process :slight_smile:


Thanks for supporting the hardware tokens in the first place.

On the account settings page, Crowdin offers to upgrade the registered security key to a Passkey for password-less login. I think the best course of action is to register the FIDO2 token in the PIN-less second-factor mode, and when the user wants to upgrade to a Passkey, re-register it with a discoverable credential and require the PIN.

Imho, a PIN-less hardware token, where you have to merely touch the device button, is the best UX for 2FA. Way better than time-based TOTP, especially if the site does not offer some slack with those (i.e. accepts the PIN for the current, last and next time slot).
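To make concrete the difference the thread circles around (a PIN-less second-factor registration versus a discoverable/passkey registration that forces the PIN, and the two-step upgrade proposed above), here is an added example that is not Crowdin's code: the two relying-party option profiles for `navigator.credentials.create()`, plus the server-side flag check that tells them apart. The `rp`, user and challenge values are constructed placeholders.

```javascript
// Added example, not Crowdin's code. Field names are the standard WebAuthn
// PublicKeyCredentialCreationOptions members; RP and user values are made up.
const RP = { id: "example.test", name: "Example RP" }; // constructed placeholder

// WebAuthn wants user.id as bytes, not a string.
const enc = (s) => new TextEncoder().encode(s);

function creationOptions(mode, challenge, user) {
  // "second-factor": key is only a 2nd factor next to the password. No
  // resident key and user verification discouraged, so a FIDO2 key with
  // no PIN set completes a touch-only ceremony (what U2F-style sites do).
  // "passkey": discoverable credential. residentKey "required" plus
  // userVerification "required" makes the authenticator demand its PIN and
  // store the credential on the key, which is why such a login shows up in
  // the Yubico Authenticator WebAuthn list while second-factor ones do not.
  const profiles = {
    "second-factor": { residentKey: "discouraged", userVerification: "discouraged" },
    "passkey":       { residentKey: "required",    userVerification: "required" },
  };
  const sel = profiles[mode];
  if (!sel) throw new Error(`unknown registration mode: ${mode}`);
  return {
    rp: RP,
    user: { id: enc(user.id), name: user.name, displayName: user.name },
    challenge,                                  // fresh random bytes per ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 },    // ES256
                       { type: "public-key", alg: -257 }], // RS256
    // requireResidentKey is the legacy boolean twin of residentKey.
    authenticatorSelection: { ...sel, requireResidentKey: sel.residentKey === "required" },
    attestation: "none",
    timeout: 60000,
  };
}

// Server side: the flags byte from the attestation's authenticatorData says
// what the key actually did. Bit 0 = user present (touch), bit 2 = user
// verified (PIN/biometric). A passkey upgrade must see UV; a second-factor
// registration only needs UP, so a PIN-less key must not be rejected.
function flagsSatisfy(mode, flagsByte) {
  const userPresent  = (flagsByte & 0x01) !== 0;
  const userVerified = (flagsByte & 0x04) !== 0;
  return mode === "passkey" ? userPresent && userVerified : userPresent;
}
```

The upgrade path the post describes is then just a second `creationOptions("passkey", ...)` ceremony after the PIN is set, with the server accepting the result only if `flagsSatisfy("passkey", flags)` holds.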

@luziferius ,

Your detailed perspective is valuable, and we appreciate the time you took to share it!

I’ll ensure that your thoughts are forwarded to our Product team for consideration :slight_smile:
