🐛 Bug Report: Unable to select NFC when registering a passkey #292

Closed
opened 2026-02-04 18:37:06 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @Tagnard on GitHub (May 23, 2025).

Reproduction steps

When I try to register a passkey I cannot select a NFC device, so I cannot use a Yubikey NFC on an android phone.

Expected behavior

Display an option to use NFC when registering a passkey

Actual Behavior

NFC option is not shown

Version and Environment

v0.51.0

Log Output

No response

Originally created by @Tagnard on GitHub (May 23, 2025). ### Reproduction steps When I try to register a passkey I cannot select a NFC device, so I cannot use a Yubikey NFC on an android phone. ### Expected behavior Display an option to use NFC when registering a passkey ### Actual Behavior NFC option is not shown ### Version and Environment v0.51.0 ### Log Output _No response_
OVERLORD added the bug label 2026-02-04 18:37:06 +03:00
Author
Owner

@Artemigos commented on GitHub (May 25, 2025):

I experienced the same with version 0.53.0. I'm not deeply familiar with those protocols, but after reading the code a little, it seems the authentication request from Pocket ID to the browser might include info about allowed authentication methods (but don't quote me on that, I'd have to spend much more time to properly grasp the whole passkey + FIDO situation). I can provide some comparison screenshots between GitHub's MFA and Pocket ID on Android, but not in English, so I'll add translations below.

GitHub asking for security key:

First Android asks to pick a saved passkey, I click "use other method" and this is what it gives me:

Image

The prompt at the top boils down to "pick a device with your key" and the options are:

  1. NFC security key
  2. USB security key
  3. Use another phone or tablet

For comparison, this is what my instance of Pocket ID gives:

Image

As you can see, the "USB" and "other phone/tablet" option is there, but NFC is missing (and my YubiKey is USB-A, so NFC is the only option I have to use it with my phone).

Also, just for context, in both cases I added the security key to my accounts on PC via USB and I'm now trying to log in on my phone via NFC. For GitHub it works perfectly fine and I assume it would also work with Pocket ID if it gave me the option 😄

Hopefully this helps understand the issue better.

@Artemigos commented on GitHub (May 25, 2025): I experienced the same with version `0.53.0`. I'm not deeply familiar with those protocols, but after reading the code a little, it seems the authentication request from Pocket ID to the browser **might** include info about allowed authentication methods (but don't quote me on that, I'd have to spend much more time to properly grasp the whole passkey + FIDO situation). I can provide some comparison screenshots between GitHub's MFA and Pocket ID on Android, but not in English, so I'll add translations below. GitHub asking for security key: First Android asks to pick a saved passkey, I click "use other method" and this is what it gives me: ![Image](https://github.com/user-attachments/assets/5266cbad-f377-4653-94a9-73085b05593f) The prompt at the top boils down to "pick a device with your key" and the options are: 1. NFC security key 2. USB security key 3. Use another phone or tablet For comparison, this is what my instance of Pocket ID gives: ![Image](https://github.com/user-attachments/assets/2d8c76b2-2f52-4623-a90a-c7bd49ea40b4) As you can see, the "USB" and "other phone/tablet" option is there, but NFC is missing (and my YubiKey is USB-A, so NFC is the only option I have to use it with my phone). Also, just for context, in both cases I added the security key to my accounts on PC via USB and I'm now trying to log in on my phone via NFC. For GitHub it works perfectly fine and I assume it would also work with Pocket ID if it gave me the option 😄 Hopefully this helps understand the issue better.
Author
Owner

@RealOrangeOne commented on GitHub (May 25, 2025):

My understanding is that this is actually a feature, not a bug. NFC keys don't let you do 2FA to access the passkey (or at least, Android doesn't support it), so they're not exposed as an option. Pocket ID requires a key which requires MFA to access. See also #446

@RealOrangeOne commented on GitHub (May 25, 2025): My understanding is that this is actually a feature, not a bug. NFC keys don't let you do 2FA to access the passkey (or at least, Android doesn't support it), so they're not exposed as an option. Pocket ID requires a key which requires MFA to access. See also #446
Author
Owner

@Artemigos commented on GitHub (May 25, 2025):

@RealOrangeOne Yeah, I was worried that this might be by design.

In the meantime, I experimented a little with https://webauthn.io on my phone. If I provide a username, I can register and authenticate with NFC fine. However, when I leave the username empty, the website still allows me to authenticate, but this time NFC is gone from options. This implies to me that in the "discoverable credentials" mode, NFC isn't supported by something up the chain.

This is just a guess (and a tangent) but seeing how, even when the user is known ahead of time, it takes a solid second or two of contact for NFC to work, this might actually be a transfer speed/reliability limitation of NFC itself.

@Artemigos commented on GitHub (May 25, 2025): @RealOrangeOne Yeah, I was worried that this might be by design. In the meantime, I experimented a little with <https://webauthn.io> on my phone. If I provide a username, I can register and authenticate with NFC fine. However, when I leave the username empty, the website still allows me to authenticate, but this time NFC is gone from options. This implies to me that in the "discoverable credentials" mode, NFC isn't supported by something up the chain. This is just a guess (and a tangent) but seeing how, even when the user is known ahead of time, it takes a solid second or two of contact for NFC to work, this might actually be a transfer speed/reliability limitation of NFC itself.
Author
Owner

@stonith404 commented on GitHub (May 25, 2025):

Could you test the ghcr.io/pocket-id/pocket-id:development image and let me know if the NFC option gets displayed?

@stonith404 commented on GitHub (May 25, 2025): Could you test the `ghcr.io/pocket-id/pocket-id:development` image and let me know if the NFC option gets displayed?
Author
Owner

@stonith404 commented on GitHub (Jun 2, 2025):

Yeah @Artemigos I think you're right, I've found this issue which may be related. There isn't much we can do on Pocket ID's side. We are using the Webauthn API and we can control the passkey behavior with a few options but the actual passkey implementation is controlled by the Webauthn API.

@stonith404 commented on GitHub (Jun 2, 2025): Yeah @Artemigos I think you're right, I've found [this issue](https://issues.chromium.org/issues/328710551) which may be related. There isn't much we can do on Pocket ID's side. We are using the Webauthn API and we can control the passkey behavior with a few options but the actual passkey implementation is controlled by the Webauthn API.
Author
Owner

@Artemigos commented on GitHub (Jun 7, 2025):

@stonith404 nope, the development image doesn't change anything, NFC is still missing. I also updated my main instance to 1.2.0 and get the same result. Just in case I also tested with Chrome (was using Firefox previously) - no difference there.

@Artemigos commented on GitHub (Jun 7, 2025): @stonith404 nope, the `development` image doesn't change anything, NFC is still missing. I also updated my main instance to 1.2.0 and get the same result. Just in case I also tested with Chrome (was using Firefox previously) - no difference there.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#292