Do more on the web, with a fast and secure browser!

Download Opera browser with:

  • built-in ad blocker
  • battery saver
  • free VPN
Download Opera

U2F registration issues

  • In Opera 53 stable they apparently tried to make U2F even more secure by pulling out a prompt whenever a page wants to register a U2F token about whether the site may see the "serial number" of the Security key.

    but there are 2 problems with that whole thing:

    1. apparently this thing is kinda broken and doesnt come down on every site leaving a client error 1 (unknown error) instead
    2. The serial number doesnt even get transmitted as U2F sticks usually pull keypairs out of nowhere (aka generating them by using random and deterministic data), the only thing that CAN even remotely trance a U2F stick is the attestation cert, although that isnt always 1 cert per stick (which would also completely crash the anonymity point of U2F)

    I have now so far seen this issue on both Github and dropbox, 2 sites which are fairly big, and therefore should really have a proper U2F implementation.

  • This issue is not isolated to Windows alone. The same thing occurs on Opera 54 on MacOS. I've tried it with Gitlab and Google and run into the same issues as described above.

    However, if you set-up the U2F through a different browser, actual authentication with it works just fine.

  • @vashiru go to opera flags..

    Enable this Flag - Web Authentication API
    Enable Web Authentication API support – Mac, Windows, Linux

    #enable-web-authentication-api

  • @nvmjustagirl This doesn't solve the issue. The Web Authentication API is already enabled. I can use it to authenticate. It's just the registration of new U2F keys that's broken.

  • @vashiru said in U2F registration issues:

    @nvmjustagirl This doesn't solve the issue. The Web Authentication API is already enabled. I can use it to authenticate. It's just the registration of new U2F keys that's broken.

    well funnily enough I now cant even auth anymore in Opera (Beta 55.0.2994.29) the U2F device wont even blink. Chrome and Vivaldi on the other hand just do both registering and Authing.

  • @my1xt said in U2F registration issues:

    In Opera 53 stable they apparently tried to make U2F even more secure by pulling out a prompt whenever a page wants to register a U2F token about whether the site may see the "serial number" of the Security key.

    Are you on a desktop computer.. laptop..

    Note - Since this computer lacks a platform authenticator, the website may require the user to present their USB security key from time to time or each time the user interacts with the website. This is at the website’s discretion

    thats normal..

    i wonder if an user agent extension switch it to chrome may help sum peeps
    since ya have no troubles on chrome...

    @vashiru even tho the page lets you.. opera has that flag.. & its set to the default setting.. Enable may help *all i was try 'n to say..

    make sure authentication with the same entity it was registered with..

  • @my1xt I can confirm that recently we fixed issue with U2F not working on on our beta (55) and developer (56) streams. It was already fixed in latest developer release and should be available with next beta update. Will have to look into the registration issue.

  • @mgeffro Thankyou for update 'n us !.. * cheers Opera Team..

  • @mgeffro said in U2F registration issues:

    @my1xt I can confirm that recently we fixed issue with U2F not working on on our beta (55) and developer (56) streams. It was already fixed in latest developer release and should be available with next beta update. Will have to look into the registration issue.

    Okay nice to know that at least login will work again.

    Regarding U2F Register while I did state it a bit weirdly I still believe this is an issue which has been brought from chrome but opera not having been prepared for it!

    0_1533713445433_Screenshot (492).png

  • @nvmjustagirl said in U2F registration issues:

    Are you on a desktop computer.. laptop..
    Note - Since this computer lacks a platform authenticator, the website may require the user to present their USB security key from time to time or each time the user interacts with the website. This is at the website’s discretion

    desktop but irrelevant, it isnt the website kicking me out but the U2F not triggering (recent) or the registration triggering but failing hilariously (earlier issue), with the recent one being confirmed by opera meaning it isnt the website doing weird stuff.

  • @my1xt we done some internal testing on v55 and v56. Registration seems to be at least partially working on v55. Adding key on github and google works just fine, but at least on Dropbox there are problems. This is due to old code for handling permissions dialogs still being used on v55. It was refactored in v56, but as it's lot of changes and unfortunately it will have to wait till v56 hits stable stream.

  • @mgeffro Github and Google don't really surprise me. if I remember correctly, these weren't being asked on chrome meaning the registration just passed. although it might be worth a look for the recent chrome source since it changed the result of that dialog. Deny is now no longer an error but instead chrome changing the attestation cert and masking the U2F device.

    it in general might be good to let all dialogs from chrome pass through somehow (if possible) even if they look awkward, unless opera properly replaced or otherwise dealth with them, better awkward than not working

  • @mgeffro I ran into issues on Gitlab and I thought on Google as well. The rest I've just done through Chrome to get it all set up. Glad to hear you guys are on top of this. Looking forward to the fix! 🙂