This is also still happening to me, and the for the first time, the dedicated "Sign In With Passkey" button no longer works for me on macOS 14.4.1 and Safari 17.4.1. That also generates the "Unable to sign in with your passkey. Please sign in with your password." error. Now I am forced to sign in with my password, and then it also requires me to sign in with the passkey after that, at which point it works.

None of this happens on Safari on iOS, passkeys seem to work perfectly fine there.

Understanding how gh communities work. thank you for sharing

WEEEEEEEEEEE
🚀🚀🚀🚀🚀🚀

I have a similar issue as @simX : neither the safari-autofil nor the "sign with passkey" button works. I have to use my password then my 2FA code.

Necesito eliminar la contraseña cada vez que me subo al coche me pide contraseña y esto no puede seguir así. Además me ha inutilizado la cámara de visión de marcha atrás

@Firstyear I'd love to grab some more detail on why non-rk is considered the definition of passwordless. If you'll be at one of the upcoming summits such as the passwordless summit or Authenticate would be great to go in depth.

Hey there,

I'm Australian so I wont be attending either (I am not comfortable to enter the US due to a preexisting medical issue).

I'd be happy to talk more via email though if you want - it's on my profile :)

I, too, would like to be able to disable password authentication. I'm not sure what benefit passkeys provide if someone can still authenticate using less-secure methods.

I agree with @Firstyear.

Worth saying passwordless within webauthn specifically means non-resident authenticators as a self contained MFA

According to https://www.w3.org/TR/webauthn-2/#sctn-authenticator-taxonomy:

Passwordless multi-factor authentication requires an authenticator capable of user verification, and in some cases also discoverable credential capable.

And 'user verification' is:

The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary].

So I think for example, if you type in your username and then use a 'user-verifying platform authenticator', e.g. fingerprint sensor on your laptop/phone + a security chip, with or without a resident key aka. client-side discoverable credential, it's already considered MFA.

Same goes for things like YubiKey Bio and PIN + touch:

User-verifying platform authenticators and first-factor roaming authenticators enable passwordless multi-factor authentication. In addition to the proof of possession of the credential private key, these authenticators support user verification as a second authentication factor, typically a PIN or biometric recognition. The authenticator can thus act as two kinds of authentication factor, which enables multi-factor authentication while eliminating the need to share a password with the Relying Party.

I'm not quite sure why in the table 'first-factor roaming authenticator' is defined as having 'client-side credential storage' though. I think whether the authenticator is user verification-capable is more important.

@Firstyear I'd love to grab some more detail on why non-rk is considered the definition of passwordless

I think @Firstyear meant non-rk is considered one of the forms of passwordless.

The problem here also is that there are a whole bunch of different terms in webauthn that have confusing or overlapping meanings. Passkeys for example, have 4 different definitions, all in use by various production IAM providers, with different behaviours.

Passwordless in webauthn actually specifically means non-resident keys as a self contained MFA. RK can exist, but it's opportunistic. It's because in webauth passwordless was the goal for a long time (mainly when security keys were the most common authenticator class), but then passkey hype took over and now everyone wants to force rk's everywhere so the definition fell by the wayside. Passkeys in the "common" definition forces rk's which pretty much excludes security keys.

I'm not quite sure why in the table 'first-factor roaming authenticator' is defined as having 'client-side credential storage' though. I think whether the authenticator is user verification-capable is more important.

It's because "one definition" of passkeys enforces credential storage in the device (resident keys) which allows the user-id to be stored in the credential. so you don't need a username entry, you just "pick the passkey" and it identifies and authenticates you. It also ties in with certain vendors attempts to lock you in to their synced passkey systems and browser features around username autocomplete (see conditional ui).

However, the flip side is that most of these workflows are actually pretty janky and confuse users. "Yes please I'd love to pick up my phone, scan a qr code and wait 30 seconds for it to authenticate me" (btw this workflow is an accessibility nightmare ... ). It also completely alienates and breaks security keys since they have so little rk storage, and now the browsers are pushing their sync ui's in front of security keys to make it extra clicks adding "forced friction". I already know of people who can't use passkeys because a certain cloud provider forces rk and it bricked their keys.

Generally the people pushing passkeys as resident keys are making assumptions that you are "all in on chrome+android" or "all in on safari and iphone" or "all in on edge and windows". But none of them account for the reality that people use android + mac with firefox, or other combinations, which means that none of these passkey sync mechanisms will interoperate. For example, my partner (a surgeon) has an iphone, a windows machine, and uses chrome. None of these can sync keys with each other, and so there is no passkey provider that would work except security keys - and we can't use those because rk obsession means we'll fill the devices up in no time. Can you imagine her needing to juggle 4 yubikeys to find which one she needs? She has ~80 accounts in her pw manager, and this is a nightmare. Once passkey hype kicks in, this will be the future for her.

Anyway, so passwordless is what we should be pursuing where the keys are opportunistically rk (iphone always makes rk even under discouraged for example). This way you still prompt with a username field. You can use conditional ui to opportunistically allow rk's to complete the username + authentication in one go. And then for users without those rk's such as yubikeys, you allow the username prompt to complete and then do the webauthn challenge with the credential id list set as normal for that user.

(Which incidentally why I have been repeatedly warning about rk's being required/preferred rather than discouraged since it can lead to devices filling their extremely limited storage, rather than rk being opportunistic to allow flows ontop of passwordless. )

I'm currently not using any TOTP slots on the key, only FIDO2 and PIV

Related to that storage space issue I mentioned, if you've hit max storage on your yubikey then it won't let you create the type of webauthn credential that we'd accept as a passkey.

You could check if that's the issue using the yubikey CLI depending on your hardware key version.

Edit: what @Firstyear said.

Oh another gotcha. Only CTAP 2.1PRE and 2.1 support credential management. If your key is older (like mine) and is CTAP2.0 only, you CAN NOT list rk's, and you can never delete them. Meaning you're "stuck". You'll see this if ykman errors with Error: Authenticator does not support Credential Management. If you get that, then you pretty much can't do anything at all. 🙃

I have same problem, but when I set a PIN for FIDO2.
It's working fine, I don't know why GitHub need the PIN set, because other website never care about that.

@xz-dev cos the PIN counts as a 'factor': https://www.w3.org/TR/webauthn-2/#authentication-factor-capability

You need a tpm on machine and a PIN enabled for win hello to work without the security key.

I'm pretty sure I have a TPM and a PIN and the passkey features works elsewhere, for example, Google.
I believe that if I don't have a TPM I can't even setup Security Key via Windows Hello.

Two possible problems:

• Windows hello isn't properly configured - you can try these instructions to see if this applies to you
• If you already have a security key registration via Windows Hello for GitHub, it will stop showing the "full" registration dialogue since it assumes you don't need it anymore. Deleting your existing security key should unblock you from registering a non-USB passkey

Can confirm that removing the existing security key first works :)

Pixel 7 Pro with Android 13. I am also hitting this error.

I also wasn't able to use passkeys on my Pixel 6 Pro and my new phone with my main Google Account. But it was working with another account, I just setup.
During the setup for the new account, I recognized Chrome requiring me to enable "Screen Lock" under Settings -> Password Manager.

What fixed the issue for me now, was to manually disable the Screen Lock setting for my main account (had this manually enabled before) and then starting the passkey registration on e.g GitHub. In the process of creating the passkey, I was the asked to enable screen lock again and the registration went through successfully. Tested the registration with latest Chrome on Android 14.

Hope it will fix the issue for others as well.

This is the setting to disable first:

This worked. Thanks!

I tried all of the steps proposed by @amoosbr, but I still get the webauthn-get-element.ts:187 Uncaught (in promise) DOMException: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client. error in the console.

I'm on Android 10 with a Samsung S9 OneUI (old, I know).

Likewise. Android device stopped working for roaming passkey registration and cannot see why. Tested everything i can think of.

if I don't set up 2FA or a passkey will I still be able to report bugs and contribute to discussions on github projects with a simple password

If you've been asked to enable 2FA by GitHub, and not by an organization that you belong to, then you won't be able to contribute on GitHub after the deadline if you haven't enabled 2FA. Passkey registration is separate from our 2FA rollout, so you can completely ignore it if you want. You just need to enable 2FA from your user settings. Passkeys are more like an additional benefit on top of 2FA to make your life easier. There are benefits to using passkeys without 2FA too but we're not asking or forcing anyone to do that.

If you're still interested in passkeys:
Linux doesn't support platform authentication yet, which is why you only saw the phone or USB options. USB is specifically referring to a "hardware security key" like a yubikey.

The QR code: you would have to scan it with your phone's camera. If your phone has passkey and bluetooth support then you could register a passkey for login. It's similar to the SMS flow that you described except using bluetooth - the benefit is better account security for folks that want it, and additional convenience for 2FA users or folks that don't like managing their passwords.

@hagould You should likely feed this back to the chrome team since the UI referenced by @rogercreagh is part of the browser, and this kind of usability issue will likely come up more often.

Thanks you @hagould that was clear and most helpful (if not quite what I hoped to hear)

Indeed. Still, even though it is not the same as keeping passwords and TOTP keys in the same password manager, it is a single vendor.
Well, that is my paranoid mind speaking.
In most cases, adding another 2FA for passkeys is overkill. But something good to have, even if not now or in the near future.

As a side note, it is quite cumbersome to use YubiKey with resident keys for git access on Windows. Because it requires 5+ confirmations for "git push". Because SSH on Windows does not support the ControlMaster option.

Huh, TIL, and I was on the team that added openSSH to Windows... Looking over some older issues from e.g. @roblourens looks like it's a deep compat issue with Windows itself.

Would a non-rk registration be easier to use? That's a bit surprising to me, but certainly it's something we want to make a good experience.

Would a non-rk registration be easier to use? That's a bit surprising to me, but certainly it's something we want to make a good experience.

Yes, non-residential keys can be stored in the SSH agent, removing the need to enter a password each time at the cost of less protection compared to residential keys.
For residential keys, the alternative is to use ControlMaster options with a short lifespan. For Windows, it is not an option. Well, it is possible to run a VM with Linux and proxy ssh through it. But...

Non-rk keys should protect against most attacks targeting credentials. And if there was an attack that was able to dump memory from the SSH agent and extract keys, then it could do much more damage than just steal credentials.

It seems I should reconsider my usage of rk and switch to non-rk instead.

(My paranoid mind does not make my life easier...)

So you're absolutely correct - it's that we have trusted [the passkey] to perform the second factor auth, and compromise of your passkey provider can be a total compromise. Picking a secure provider is an important choice that we leave to the user, letting them balance convenience, reliability, and threat model.

Isn't it a bit misleading (or a lot misleading) to call it a 'second factor', if it's a single passkey and therefore a single factor?

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 section 5.1.9 defines multi-factor cryptographic devices.

adding a third button for passkey "Check/Test/Confirm" passkeys

You can actually do this today if you go to add a new passkey but auth with one of your existing ones.

The other suggestions are interesting, thank you for the feedback!

Periodically ask the user to check if he still has access to the passkey and if it is in a working condition by completing the test. If it is not already done. I never used keys for 2FA on GitHub. (pass+TOTP). And saw only messages about 2FA and backup codes.

This is something we're looking at adding to the existing checkup period! Right now there's a "security checkup" that's pretty useless - "you have security keys" is not a direct call to action. We would like to periodically check second factor freshness and warn on severely out of date factors that look like they're unused.

Interestingly we do expire unused GitHub Mobile keys for authentication, which can lead to more lockouts since it kills a possible recovery factor.

The next step will be to allow users to essentially disable/delete their passwords, but we haven't gotten there yet. Today you still need 2FA to keep your account secure with passkeys.

@hpsin is it still not possible to disable TOTP while having backup codes?

@hagould could you answer my question here? If it's not possible is there any ETA?

It's not possible today - we may allow this in the future but there is no ETA for it.

@hagould any plans for that or it's still not planned?

We want to get there, but today we only accept an authenticator app or SMS number for your "primary factor" for 2FA. To reduce lockouts we've starting asking folks to authenticate with that factor (for you, SMS) a month after enrolling to make sure that it was successfully configured and to reduce account lockouts. If you'd gone with an authenticator app you would've had to prove you still had access to it in the same way.

We're are working towards allowing folks to enroll with just a webauthn credential, we'll likely have some requirements that we're still working out.

We haven't changed anything about the request, so that's not a good sign. If you open Chrome, and navigate to the password manager, and locate GitHub.com in the list, there should be a passkey listed at the bottom of that entry. Do you see that?

Fwiw, I suspect I was in this category. I eventually deleted my things and started fresh. (This is a while ago, I'm here now because of another nudge.)

Note that the flows at the time didn't lead me to this discussions/the previous beta discussion.

As written above, this is a verification step to ensure you've saved them properly. If you can't pass, we register new credentials. Yes, this does result in an opportunity where someone who has stolen your session (or your password and SMS) can re-register your 2FA credentials. That's also true of anyone who has stolen your password and SMS in general.

You are not required to register SMS, and if you do not want to use it, please do not register it.

Oh, interesting, thank you! When we show the upgrade prompt we flag the presumed upgrading key for deletion on the next registration. We have to clear that when the upgrade is rejected. Cc @hagould

@Logiar This has been fixed for a bit! Let us know if you're having any other issues.

Correct me if I am wrong.

Behind the scenes, aren't Passkeys and SSH keys works the same way.

By using public and private key for authentication.

Actually you raise a very good point here. It never occurred to me that making the use of a pre-registered hardware key is optional at the time of login is really a huge design flaw in the login process. Perhaps it should only be made optional during an initial setup phase which gives the account holder the chance of alternative methods just whilst verifying that the hardware key is actually working as intended. When verified as such then it should be made mandatory otherwise what is the point. Of course the process must be rock solid in its reliability to make this leap otherwise the user could easily find themselves locked out of their account. So far, I have experienced inconsistent behaviour which has shaken my confidence in the process giving me no other option other than to use my previous method of using my personal access token, which in itself doesn't make sense and I just realised that after having read your comment.

Yup...

All other services I have with my keys - lock out the ability to bypass its requirement.
Isn't that the point of hardware tokens?

It's true, those services I can get locked out of - if I lose both my keys, but really that's on me, and If I lose both, I need to have words with my self.

I like this is being implemented - but anyone can still gain access to my account, by skipping its requirement and brute forcing or social engineering.

Yup...

All other services I have with my keys - lock out the ability to bypass its requirement. Isn't that the point of hardware tokens?

It's true, those services I can get locked out of - if I lose both my keys, but really that's on me, and If I lose both, I need to have words with my self.

I like this is being implemented - but anyone can still gain access to my account, by skipping its requirement and brute forcing or social engineering.

Other services give you backup codes so you have to do something really bad to be locked out of your account for real. Github also gives you backup codes but ONLY if TOTP is active which is just a bad design and it's still not fixed. I have asked several times about this and it's planned but no ETA.

Hi @Sumangal44,

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

It’s definitely frustrating when it fails like this. GitHub says they support passkeys, but without proper error messages or guidance, it just feels broken — especially when it silently fails or gives generic errors. I hope they improve the passkey flow and give more helpful feedback during registration.