Nitrokey FIDO2 with Windows
The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication:
- With passwordless authentication, entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN.
- With two-factor authentication (2FA), the Nitrokey FIDO2 is checked in addition to the password.
The Nitrokey FIDO2 can be used with any current browser.
The Nitrokey App cannot be used for the Nitrokey FIDO2.
Check online if your Nitrokey FIDO2 has the latest firmware installed.
- Open a web page that supports FIDO2 (currently only Microsoft).
- Log in to the website and go to “Set up security key” in the security settings of your account.
- Now you need to set a PIN for your Nitrokey FIDO2.
- Touch the button of your Nitrokey FIDO2 when prompted.
- Once you have successfully configured the device, you will need to activate your Nitrokey FIDO2 this way each time you log in, after entering your PIN.
- Open one of the websites that support FIDO U2F.
- Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info.)
- Register your Nitrokey FIDO2 in the account settings by touching the button to activate the Nitrokey FIDO2. After you have successfully configured the device, you must activate the Nitrokey FIDO2 this way each time you log in.
Check out the various use cases and supported applications.
The factory reset operation regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which logically makes it a completely new key. A new owner cannot use it to log in to the accounts of the previous owner. FIDO2 resident keys are erased.
To avoid accidental and malicious resets of the Nitrokey, the FIDO2 reset operation requires a longer touch confirmation than normal operations and is signaled by a distinct LED behavior (red LED light). To reset the Nitrokey FIDO2, confirm by touching the touch button for at least 5 seconds until the green or blue LED lights up.
Make sure you use Windows 10 version 2004 or later. Please follow the Windows reset wizard.
If the operation takes more than 10 seconds in total, the Windows user interface will report a failure. The reset is still executed on the Nitrokey even after Windows has reported the failure, as long as the user's touch is registered before the Nitrokey's internal operation timeout (the touch confirmation is shown in blue).
In Windows 10 version 1909 or older, the Nitrokey has to be reinserted right before the reset operation is executed. The reset operation has to be confirmed by touching the touch button twice.
- Reinsert the Nitrokey right before executing the reset operation.
- Start the reset operation in the user interface.
- When the LED blinks white, touch the touch button for 1 second until it turns green.
- Release the touch.
- When the LED blinks red, touch the touch button for 5 seconds until it turns blue.
Please keep in mind that the Nitrokey has an internal timeout of 10 seconds after powering up for accepting the FIDO reset operation. If the Nitrokey is connected to a virtual machine later than that, it will return an error and the operation will be aborted.