FIDO2 Troubleshooting


Support for FIDO2 (and WebAuthn API) is built into many browsers and platforms, and typically doesn’t require any device configuration to work. However, when failures do occur it can be difficult to troubleshoot and resolve any issues.

 

This article outlines troubleshooting steps for FIDO2.

 

Basic Device Troubleshooting

Prior to testing the FIDO2 functionality of the YubiKey, there are a few simple tests which can be done:

 

  • Check to see if the YubiKey’s LED is lit - if not, the YubiKey may not be receiving power. The issue may be as simple as the YubiKey is inserted upside down for USB-A connectors. Alternatively, the USB port may not be functioning correctly - if that is the case, try on a different USB port or computer
  • View the LED - it should not be flashing. If the LED starts to flash as soon as the YubiKey is inserted, try on a different USB port or machine. If the flashing persists across multiple devices, contact Yubico support.
  • Check the behavior of the YubiKey on a known supported platform - Windows 10/11 and MacOS 13 or later. Support on Linux and mobile platforms may not be consistent depending on the environment.

Test the YubiKey online

The first troubleshooting step for FIDO2 is to identify if the issue resides with the YubiKey, the browser, or the site being authenticated with. The easiest and fastest way to verify that the YubiKey is working properly is to use the Yubico Genuine test site (available here) with a supported browser and platform, using a USB connection. This site will test the YubiKey to ensure that it is functioning correctly for FIDO2 and is a genuine Yubico product.

 

Information about operating system and browser support can be found here

 

If you are able to complete the process and see the type of YubiKey you have connected, then you’re all set! Your YubiKey is working properly and can be used with the browser and operating system you’ve used to complete the test. The next step is to use your YubiKey as a security key with a widely supported site. Microsoft, Apple and Google all support using security keys to protect access to your cloud account. This test should be repeated on the browsers you are having issues with to narrow down if the issue resides there. If that is the case, updating the browser may resolve it.

 

If the test did not complete and you’re sure you’re using a supported browser and operating system, proceed with the troubleshooting steps.

 

Verify YubiKey connectivity with Yubico Authenticator Windows or MacOS

Although its main purpose is to access TOTP codes stored on the YubiKey, Yubico Authenticator is an app that’s available on all major platforms, and has the ability to see the make and model of a connected YubiKey, and can do some lightweight configuration on desktop operating systems. As a known good FIDO2/WebAuthn client on desktops, Yubico Authenticator can be used in place of a browser to verify the FIDO2 functionality of a YubiKey.

 

Install Yubico Authenticator from one of the links at the bottom of this page.

 

Once the authenticator is installed, open the app and connect the YubiKey.

 

Click on the menu icon (≡) in the upper left hand corner to see details about the currently connected YubiKey.

 

f2t-i1.gif

 

If a device model and firmware version are visible, that means your computer can successfully communicate with the security key.

 

Once that’s done, click Toggle applications.

 

f2t-i2.png

 

Ensure that FIDO U2F and FIDO2 are selected, and then click Save. Note that if FIDO U2F and FIDO2 are already selected, and no changes are made, the Save button will be grayed out, and you can safely cancel.

 

If it’s still not working correctly with a web site, visit the browser and operating system support article to make sure you’re on a supported platform. 

 

If Yubico Authenticator can’t see the key, there may be an issue with the device’s USB port. Try repeating these steps on a device with known good ports.

 

If that still doesn’t solve the issue, continue reading for more in-depth troubleshooting.

 

Advanced connection troubleshooting on Windows

If you’re still having trouble using your YubiKey on Windows, Device Manager can be used to determine if the YubiKey is being detected by the operating system.

 

Open Device manager, and expand the entry for Human Interface Devices, and look for an entry that says HID-compliant fido. If this entry is present, it means that Windows is able to detect the security key, and is able to communicate with it.

 

f2t-i3.png

 

Viewing the FIDO/WebAuthn logs on Windows 10 or 11

Once you have established that the YubiKey is correctly communicating with a Windows computer, the Windows event log may be useful in determining the cause of issues using the YubiKey with specific websites or applications.

 

Windows logs all WebAuthn transactions, even when using a browser. Use Event Viewer to view or export these logs.

 

  1. Open Event Viewer.
  2. Navigate to Application and Services Logs -> Microsoft -> Windows -> WebAuthN -> Operational.
    Note: be careful to select the appropriate section. There is also a WebAuth section under Application and Services Logs -> Microsoft -> Windows, but this is not the correct folder.
  3. To export the log, right click on Operational and select Save all Events as... and use the *.evtx file format.
  4. To export a subset of the logs, select multiple log entries using Shift or Ctrl + click in the center log view panel. Right click on your selection and choose Save selected events...
  5. If you have chosen to export the entire log file, make a note of the approximate time you encountered the issue.
  6. Always inspect logs to ensure they don’t contain sensitive information before sending them to support.

Viewing the FIDO device logs within the Chrome browser

Logging has to be enabled in Chrome before the issue occurs. Ensure logging is turned on, and then reproduce the issue to capture the logs.

 

  1. Open Chrome.
  2. Navigate to chrome://device-log/?refresh=5
  3. Select the following settings:

f2t-i4.png

 

  1. Open another Chrome tab and conduct your test to reproduce the issue.
  2. Navigate back to the Device Log tab.
  3. Right click on the page and select save Save as… to save the log as an html file.
  4. Always inspect logs to ensure they don’t contain sensitive information before sending them to support.

Troubleshooting FIDO2 authentication with Azure / Microsoft 365 / Entra ID

For troubleshooting problems with FIDO2 passwordless authentication with Microsoft Cloud products, refer to this Microsoft article.