2FA Website Login

The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication:

  • With passwordless authentication, entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN.

  • With two-factor authentication (2FA), the Nitrokey FIDO2 is checked in addition to the password.

The Nitrokey FIDO2 can be used with any current browser.

Important

The Nitrokey App cannot be used with the Nitrokey FIDO2.

Passwordless Authentication

  1. Open a web page that supports FIDO2 (for example Google).

  2. Log in to the website and go to “Passkeys and security keys” in the security settings of your account.

  3. Click on Create passkey.

  4. Click on Use a different device.

  5. Follow the prompts to set a PIN for your Nitrokey FIDO2.

  6. Touch the button of your Nitrokey FIDO2 when prompted.

  7. Once the device is configured, every login will work this way: enter your PIN, then touch the button of your Nitrokey FIDO2 to activate it.
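The two modes described above (passwordless: key plus PIN replaces the password; 2FA: key checked in addition to the password) map onto two WebAuthn settings, and the PIN prompt in step 5 is what WebAuthn calls user verification. The following is an added example, not code from Nitrokey or from any website's own implementation, showing how a relying party would request each mode and what it must check in the authenticator's response so that the mode is actually enforced. The relying-party ID example.com, the user record and the sample authenticator data bytes are constructed for the example.

```javascript
// Added example (not Nitrokey's code). A relying party expresses the two
// modes from the page in WebAuthn terms and checks the authenticator flags
// when the response comes back. rp id, user and sample bytes are made up.

// Registration options (navigator.credentials.create). Passwordless needs a
// discoverable credential and *requires* user verification (the PIN); 2FA
// only needs proof of user presence (the touch), as the password is still asked.
function creationOptions(mode, challenge, user) {
  const authenticatorSelection = mode === 'passwordless'
    ? { residentKey: 'required', requireResidentKey: true, userVerification: 'required' }
    : { residentKey: 'discouraged', userVerification: 'discouraged' };
  return {
    challenge,                                      // fresh random bytes from the server, never reused
    rp: { id: 'example.com', name: 'Example' },     // hypothetical relying party
    user: { id: user.id, name: user.name, displayName: user.name },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 },    // ES256
                       { type: 'public-key', alg: -257 }], // RS256
    authenticatorSelection,
    attestation: 'none',
    timeout: 60000,
  };
}

// Login options (navigator.credentials.get). Passwordless sends an empty
// allowCredentials list so the key offers its discoverable credential after
// the PIN; 2FA names the credential(s) tied to the already-authenticated user.
function requestOptions(mode, challenge, allowCredentials) {
  return {
    challenge,
    rpId: 'example.com',
    userVerification: mode === 'passwordless' ? 'required' : 'discouraged',
    allowCredentials: mode === 'passwordless' ? [] : allowCredentials,
    timeout: 60000,
  };
}

// Parse the fixed prefix of authenticatorData:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent:  (flags & 0x01) !== 0,  // UP bit: the touch button was pressed
    userVerified: (flags & 0x04) !== 0,  // UV bit: the PIN was entered
    signCount: ((authData[33] << 24) | (authData[34] << 16) |
                (authData[35] << 8) | authData[36]) >>> 0,
  };
}

// The server-side check that makes the requested mode binding: a passwordless
// login must carry UV, a 2FA login must at least carry UP. Requesting
// userVerification 'required' and then not checking the bit would let a
// response without PIN entry through.
function flagsAcceptable(mode, parsed) {
  if (!parsed.userPresent) return false;
  if (mode === 'passwordless' && !parsed.userVerified) return false;
  return true;
}

// Signature counter must move forward compared with the stored value (a
// counter that went backwards suggests a cloned key). Keys that do not
// implement a counter report 0 both times, which is accepted.
function counterAcceptable(storedCount, newCount) {
  if (storedCount === 0 && newCount === 0) return true;
  return newCount > storedCount;
}

// Browser side: only meaningful where the WebAuthn API exists.
async function login(mode, options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn API not available in this environment');
  }
  return navigator.credentials.get({ publicKey: options });
}

// Constructed sample authenticatorData (not captured from a real device):
// zero rpIdHash, caller-chosen flags byte and signature counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[33] = (signCount >>> 24) & 0xff;
  buf[34] = (signCount >>> 16) & 0xff;
  buf[35] = (signCount >>> 8) & 0xff;
  buf[36] = signCount & 0xff;
  return buf;
}
```

A response with flags 0x05 (UP and UV set) satisfies both modes; flags 0x01 (touch only, no PIN) is enough for 2FA but must be rejected for a passwordless login, which is the difference between the two bullet points at the top of this page expressed as a check.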

Touch Button And LED Behavior

The first FIDO operation is automatically accepted within two seconds after connecting the Nitrokey FIDO2. In this case touching the touch button is not required.

Multiple operations can be accepted by a single touch. For this, keep the touch button touched for up to 10 seconds.

To avoid accidental and malicious resets of the Nitrokey, the FIDO2 reset operation requires a longer touch confirmation than normal operations and signals it with a distinct LED behavior (red blinking LED). To reset the Nitrokey FIDO2, confirm by touching the touch button for at least 5 seconds until the green or blue LED lights up.

| LED Color | Event | Time Period | Comments |
|---|---|---|---|
| Any (blinking) | Awaiting touch | Until touch is confirmed or timed out | |
| Any (blinking faster) | Touch detected, counting seconds | Until touch is confirmed or timed out | |
| White (blinks) | Touch request for FIDO registration or authentication operation | Requires 1 second touch to complete; timeout is usually about 30 seconds | |
| Yellow (blinks) | Touch request for configuration operation | Requires 5 seconds touch to complete; e.g. used for activating firmware update mode | |
| Red (blinks) | Touch request for reset operation | Available only during the very first 10 seconds after the Nitrokey is powered | Requires 5 seconds touch to complete; e.g. used for the FIDO2 reset operation |
| Green (constant) | Touch accepted, Nitrokey is active and accepting further FIDO2 operations | After touch was registered, 10 seconds timeout | After a confirmed FIDO registration or authentication operation the Nitrokey enters an “activation” mode and auto-accepts further such operations until the touch button is released, but for no longer than 10 seconds |
| Blue (constant) | Touch consumed: accepted and used up by the operation | Until touch is released | Touch consumption means that, without releasing the touch button and touching it again, the Nitrokey will not confirm any new operations |
| White (single blink) | Nitrokey ready to work | 0.5 seconds after powering up | |
| (no LED signal) | Nitrokey is idle | | |
| (no LED signal) | Auto-accept single FIDO registration or authentication operation | Within first 2 seconds after powering up | The Nitrokey automatically accepts a single FIDO registration or authentication operation upon the insertion event, which is treated as equivalent to the touch button signal (user presence); configuration/reset operations are not accepted |
| All colors | Nitrokey is in Firmware Update mode | Active until the firmware update operation is successful, or until reinsertion | If the firmware update fails, the Nitrokey stays in this mode until the firmware is written correctly |

Note: white LED blinking is also used to signal the selected device (the so-called WINK command). If you are using Windows, the first time you plug in the Nitrokey it may need some time to configure the device.

Troubleshooting (Linux)

  • If the Nitrokey is not accepted immediately, you may need to copy the file 41-nitrokey.rules to /etc/udev/rules.d/. In very rare cases, the system will need the older version of this file.

  • After copying the file, restart udev via sudo service udev restart.