[GH-ISSUE #2027] Pangolin v1.12.3 - Can't authenticate with YubiKey #38849

Closed
opened 2026-06-22 02:22:15 -05:00 by GiteaMirror · 8 comments
Owner

Originally created by @c360e5f1 on GitHub (Dec 9, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2027

Originally assigned to: @miloschwartz, @water-sucks on GitHub.

Describe the Bug

I have a YubiKey Security Key NFC with firmware 5.2.6, which supports FIDO2 authentication. When registering a security key, I'm able to save it to my Google Password Manager and this works fine, I can log in using the security key credentials from Google Password Manager, but this isn't ideal because it's not offline

When I try to register my YubiKey, the registration is successful. I made sure to select the correct external USB YubiKey, entered my PIN, and pressed the gold disc. The key was then saved and listed in my security key dialog box. However, when I try to login with this registered YubiKey, even making sure I have the correct one selected, entering my PIN, and pressing the gold disc; I get a "This key doesn't look familiar" error and I can't login.

In all cases, password authentication still works.

Any ideas on where to look, what relevant log files to dig though?

Image Image Image

Environment

  • OS Type & Version: Windows 10 22H2 19045.6466
  • Pangolin Version: 1.12.3 / Docker
  • Gerbil Version: 1.3.0 / Docker
  • Traefik Version: 3.6 / Docker
  • Newt Version: 1.6.0 / Docker
  • Olm Version: (if applicable)

To Reproduce

  1. Attach a YubiKey to a Pangolin account
  2. Log out
  3. Attempt to log in with the registered YubiKey
  4. Receive "This security key doesn't look familiar" error message

Expected Behavior

  1. Attach a YubiKey to a Pangolin account
  2. Log out
  3. Attempt to log in with the registered YubiKey
  4. Authentication is successful and user logs in
Originally created by @c360e5f1 on GitHub (Dec 9, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2027 Originally assigned to: @miloschwartz, @water-sucks on GitHub. ### Describe the Bug I have a YubiKey Security Key NFC with firmware 5.2.6, which supports FIDO2 authentication. When registering a security key, I'm able to save it to my Google Password Manager and this works fine, I can log in using the security key credentials from Google Password Manager, but this isn't ideal because it's not offline When I try to register my YubiKey, the registration is successful. I made sure to select the correct external USB YubiKey, entered my PIN, and pressed the gold disc. The key was then saved and listed in my security key dialog box. However, when I try to login with this registered YubiKey, even making sure I have the correct one selected, entering my PIN, and pressing the gold disc; I get a "This key doesn't look familiar" error and I can't login. In all cases, password authentication still works. Any ideas on where to look, what relevant log files to dig though? <img width="608" height="453" alt="Image" src="https://github.com/user-attachments/assets/813278c7-f723-4574-b17d-95f14b9be37d" /> <img width="752" height="530" alt="Image" src="https://github.com/user-attachments/assets/d539ad67-6a60-40db-be5a-791d4e5f1992" /> <img width="536" height="426" alt="Image" src="https://github.com/user-attachments/assets/acb85633-7207-4872-8d82-ff2f3f0ec281" /> ### Environment - OS Type & Version: Windows 10 22H2 19045.6466 - Pangolin Version: 1.12.3 / Docker - Gerbil Version: 1.3.0 / Docker - Traefik Version: 3.6 / Docker - Newt Version: 1.6.0 / Docker - Olm Version: (if applicable) ### To Reproduce 1. Attach a YubiKey to a Pangolin account 2. Log out 3. Attempt to log in with the registered YubiKey 4. Receive "This security key doesn't look familiar" error message ### Expected Behavior 1. Attach a YubiKey to a Pangolin account 2. Log out 3. Attempt to log in with the registered YubiKey 4. Authentication is successful and user logs in
GiteaMirror added the authenticationpotential bugneeds investigating labels 2026-06-22 02:22:23 -05:00
Author
Owner

@oschwartz10612 commented on GitHub (Dec 10, 2025):

Could you do this again but watch the logs in Pangolin container? You could also turn on debug logs in the config/config.yml file under the app section set log_level: debug and restart the container and post the logs.

Also curious about browser logs. That looks like a windows dialog so I would like to see if the website get anything when you open dev tools.

Thanks!

<!-- gh-comment-id:3637586865 --> @oschwartz10612 commented on GitHub (Dec 10, 2025): Could you do this again but watch the logs in Pangolin container? You could also turn on debug logs in the `config/config.yml` file under the app section set `log_level: debug` and restart the container and post the logs. Also curious about browser logs. That looks like a windows dialog so I would like to see if the website get anything when you open dev tools. Thanks!
Author
Owner

@thutex commented on GitHub (Dec 13, 2025):

trying to replicate OP's issue, i have added a secondary yubikey, and have no issues with that one either.

my first key was added on 1.12.2, and now for the second one, i added it on 1.13.0
both keys work just fine.

used yubikeys are the 5 NFC ones.
account used to attach them to is the admin account.

<!-- gh-comment-id:3648660474 --> @thutex commented on GitHub (Dec 13, 2025): trying to replicate OP's issue, i have added a secondary yubikey, and have no issues with that one either. my first key was added on 1.12.2, and now for the second one, i added it on 1.13.0 both keys work just fine. used yubikeys are the 5 NFC ones. account used to attach them to is the admin account.
Author
Owner

@c360e5f1 commented on GitHub (Dec 13, 2025):

Thanks for confirming that it works. Something must be broken in my implementation. I turned on debug logging and when I attempt to authenticate with the YubiKey this is the only line I see:

pangolin | Making security key start request to: http://localhost:3000/api/v1/auth/security-key/authenticate/start

I don't see any errors in the log output, no more relevant lines, and I also don't see any errors in the dev tools on Chrome when i'm making that authentication request.

I'll try to delete the container and re-pull another image tonight and see if that helps.

edit:
upgraded to 1.13.0 by running docker compose pull and then relaunched the container with docker compose up -d, and still can't log in with YubiKey. Also of note, not sure if it matters for a YubiKey but my VPS' time is set to UTC and in my compose.yml I have TZ=America/Chicago in my environment for my local time zone.

<!-- gh-comment-id:3648732145 --> @c360e5f1 commented on GitHub (Dec 13, 2025): Thanks for confirming that it works. Something must be broken in my implementation. I turned on debug logging and when I attempt to authenticate with the YubiKey this is the only line I see: ```pangolin | Making security key start request to: http://localhost:3000/api/v1/auth/security-key/authenticate/start``` I don't see any errors in the log output, no more relevant lines, and I also don't see any errors in the dev tools on Chrome when i'm making that authentication request. I'll try to delete the container and re-pull another image tonight and see if that helps. edit: upgraded to 1.13.0 by running ```docker compose pull``` and then relaunched the container with ```docker compose up -d```, and still can't log in with YubiKey. Also of note, not sure if it matters for a YubiKey but my VPS' time is set to UTC and in my compose.yml I have TZ=America/Chicago in my environment for my local time zone.
Author
Owner

@c360e5f1 commented on GitHub (Dec 13, 2025):

I have performed additional testing and was able to reproduce this error when registering the YubiKey in my Chrome console:

3483-fb707677f36f6d45.js:20 startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.
m @ 3483-fb707677f36f6d45.js:20
H @ 5088-34bec4a60b311f5b.js:1
await in H
(anonymous) @ 8508-a46005c33ed6863f.js:1
await in (anonymous)
i8 @ 4bd1b696-c48fbfcd9ffe6117.js:1
(anonymous) @ 4bd1b696-c48fbfcd9ffe6117.js:1
nz @ 4bd1b696-c48fbfcd9ffe6117.js:1
sn @ 4bd1b696-c48fbfcd9ffe6117.js:1
cc @ 4bd1b696-c48fbfcd9ffe6117.js:1
ci @ 4bd1b696-c48fbfcd9ffe6117.js:1
<!-- gh-comment-id:3648795593 --> @c360e5f1 commented on GitHub (Dec 13, 2025): I have performed additional testing and was able to reproduce this error when registering the YubiKey in my Chrome console: ``` 3483-fb707677f36f6d45.js:20 startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information. m @ 3483-fb707677f36f6d45.js:20 H @ 5088-34bec4a60b311f5b.js:1 await in H (anonymous) @ 8508-a46005c33ed6863f.js:1 await in (anonymous) i8 @ 4bd1b696-c48fbfcd9ffe6117.js:1 (anonymous) @ 4bd1b696-c48fbfcd9ffe6117.js:1 nz @ 4bd1b696-c48fbfcd9ffe6117.js:1 sn @ 4bd1b696-c48fbfcd9ffe6117.js:1 cc @ 4bd1b696-c48fbfcd9ffe6117.js:1 ci @ 4bd1b696-c48fbfcd9ffe6117.js:1 ```
Author
Owner

@thutex commented on GitHub (Dec 13, 2025):

given the error you get, it does look like there needs to be a change in 2 files:

8eb3f6aacc/src/components/SecurityKeyForm.tsx (L189)

8eb3f6aacc/src/components/SecurityKeyForm.tsx (L360)

strange that i don't seem to get the same message in the console though (tested with ms edge 142.0.3595.65 and firefox 144.0.2 on linux)

<!-- gh-comment-id:3649161799 --> @thutex commented on GitHub (Dec 13, 2025): given the error you get, it does look like there needs to be a change in 2 files: https://github.com/fosrl/pangolin/blob/8eb3f6aacc513fceb47911fdd586a14037e3d2c2/src/components/SecurityKeyForm.tsx#L189 https://github.com/fosrl/pangolin/blob/8eb3f6aacc513fceb47911fdd586a14037e3d2c2/src/components/SecurityKeyForm.tsx#L360 strange that i don't seem to get the same message in the console though (tested with ms edge 142.0.3595.65 and firefox 144.0.2 on linux)
Author
Owner

@c360e5f1 commented on GitHub (Dec 13, 2025):

I just did some more testing this morning and tried the following browsers on Windows 10 22H2 19045.6466:

  • Firefox 146.0
  • Edge 143.0.3650.80
  • Chrome 142.0.7444.177

In all cases, I can register a YubiKey with the error message in the console in https://github.com/fosrl/pangolin/issues/2027#issuecomment-3648795593 but when I attempt to log in with the same YubiKey, I get the error that this security key doesn't look familiar.

<!-- gh-comment-id:3649676783 --> @c360e5f1 commented on GitHub (Dec 13, 2025): I just did some more testing this morning and tried the following browsers on Windows 10 22H2 19045.6466: - Firefox 146.0 - Edge 143.0.3650.80 - Chrome 142.0.7444.177 In all cases, I can register a YubiKey with the error message in the console in https://github.com/fosrl/pangolin/issues/2027#issuecomment-3648795593 but when I attempt to log in with the same YubiKey, I get the error that this security key doesn't look familiar.
Author
Owner

@gogaman7 commented on GitHub (Jan 9, 2026):

i have pangolin v1.14.1 on server.

  • user already registered on server with yubikey storing passkey
  • i logged in with yubikey no problem
  • web client using chrome on ubuntu 24.04

i.e. no issues with v1.14.1 pangolin server.

<!-- gh-comment-id:3729497061 --> @gogaman7 commented on GitHub (Jan 9, 2026): i have pangolin v1.14.1 on server. * user already registered on server with yubikey storing passkey * i logged in with yubikey no problem * web client using chrome on ubuntu 24.04 i.e. no issues with v1.14.1 pangolin server.
Author
Owner

@oschwartz10612 commented on GitHub (Mar 26, 2026):

Verified working on 1.16. Please reopen if still an issue

<!-- gh-comment-id:4131589610 --> @oschwartz10612 commented on GitHub (Mar 26, 2026): Verified working on 1.16. Please reopen if still an issue
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#38849