mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-16 05:54:01 +03:00
🐛 Bug Report: Unable to select NFC when registering a passkey #292
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Tagnard on GitHub (May 23, 2025).
Reproduction steps
When I try to register a passkey I cannot select a NFC device, so I cannot use a Yubikey NFC on an android phone.
Expected behavior
Display an option to use NFC when registering a passkey
Actual Behavior
NFC option is not shown
Version and Environment
v0.51.0
Log Output
No response
@Artemigos commented on GitHub (May 25, 2025):
I experienced the same with version
0.53.0. I'm not deeply familiar with those protocols, but after reading the code a little, it seems the authentication request from Pocket ID to the browser might include info about allowed authentication methods (but don't quote me on that, I'd have to spend much more time to properly grasp the whole passkey + FIDO situation). I can provide some comparison screenshots between GitHub's MFA and Pocket ID on Android, but not in English, so I'll add translations below.GitHub asking for security key:
First Android asks to pick a saved passkey, I click "use other method" and this is what it gives me:
The prompt at the top boils down to "pick a device with your key" and the options are:
For comparison, this is what my instance of Pocket ID gives:
As you can see, the "USB" and "other phone/tablet" option is there, but NFC is missing (and my YubiKey is USB-A, so NFC is the only option I have to use it with my phone).
Also, just for context, in both cases I added the security key to my accounts on PC via USB and I'm now trying to log in on my phone via NFC. For GitHub it works perfectly fine and I assume it would also work with Pocket ID if it gave me the option 😄
Hopefully this helps understand the issue better.
@RealOrangeOne commented on GitHub (May 25, 2025):
My understanding is that this is actually a feature, not a bug. NFC keys don't let you do 2FA to access the passkey (or at least, Android doesn't support it), so they're not exposed as an option. Pocket ID requires a key which requires MFA to access. See also #446
@Artemigos commented on GitHub (May 25, 2025):
@RealOrangeOne Yeah, I was worried that this might be by design.
In the meantime, I experimented a little with https://webauthn.io on my phone. If I provide a username, I can register and authenticate with NFC fine. However, when I leave the username empty, the website still allows me to authenticate, but this time NFC is gone from options. This implies to me that in the "discoverable credentials" mode, NFC isn't supported by something up the chain.
This is just a guess (and a tangent) but seeing how, even when the user is known ahead of time, it takes a solid second or two of contact for NFC to work, this might actually be a transfer speed/reliability limitation of NFC itself.
@stonith404 commented on GitHub (May 25, 2025):
Could you test the
ghcr.io/pocket-id/pocket-id:developmentimage and let me know if the NFC option gets displayed?@stonith404 commented on GitHub (Jun 2, 2025):
Yeah @Artemigos I think you're right, I've found this issue which may be related. There isn't much we can do on Pocket ID's side. We are using the Webauthn API and we can control the passkey behavior with a few options but the actual passkey implementation is controlled by the Webauthn API.
@Artemigos commented on GitHub (Jun 7, 2025):
@stonith404 nope, the
developmentimage doesn't change anything, NFC is still missing. I also updated my main instance to 1.2.0 and get the same result. Just in case I also tested with Chrome (was using Firefox previously) - no difference there.