Is there a recent problem with the FIDO2 2FA app no longer working?

I have both the TOTP and FIDO2 2FA methods enabled and set up on several accounts. Up until recently, the FIDO2 method worked but it no longer does. The TOTP method works consistently.

What happens when I log in is, I get the panel that pops up (after entering UN and PW) and where I need to select which 2FA method to utilize. I select Hardware key, but I don’t get a prompt saying “Insert hardware key” or similar. I insert the key, the light (Yubikey) flashes briefly, but pressing the key doesn’t do anything.

If I log in with this same Yubikey FIDO2 key on other (Non-NC) apps it works flawlessly.

Any ideas?

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.7 (but it was not working on 31.0.6 either)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04 LTS
  • Web server and version (e.g., Apache 2.4.25):
    • Apache
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • None
  • PHP version (e.g., 8.3):
    • 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • No, started about 1 or 2 months ago I believe
  • When did this problem seem to first start?
    • About 1 or 2 months ago
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.):
    • Bare metal
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

What happens when I log in is, I get the panel that pops up (after entering UN and PW) and where I need to select which 2FA method to utilize. I select Hardware key, but I don’t get a prompt saying “Insert hardware key” or similar. I insert the key, the light (Yubikey) flashes briefly, but pressing the key doesn’t do anything.

If I log in with this same Yubikey FIDO2 key on other (Non-NC) apps it works flawlessly.

Steps to replicate it (hint: details matter!):

  1. At NC logon screen, enter UN and Password and hit Enter
  2. At NC ‘Select 2FA method’ select Security key
  3. Insert security key, no message appears on screen to press the button. Pressing the button anyway does nothing. **Note:** the ‘Use security key’ label is not clickable, the way the ‘Use TOTP’ button is.

Log entries

Nextcloud

PASTE HERE

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

I see this error when the screen appears where I select which 2FA method to use:
**Manifest: Line: 1, column: 1, Syntax error.**

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

PASTE HERE

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be run through analyzers / formatters by those trying to help you.

Hi,

I’ve tested it myself — I used a YubiKey to log in via FIDO2, and it did accept the key.
But after that, it still asked me for a TOTP code in the next step, so I couldn’t get in anyway.

Something’s definitely wrong with the current FIDO2 app behavior.

Just tested this, and can’t reproduce the issue.

Is it possible that you maybe still have the old deprecated Two-Factor U2F app enabled? If so you should switch to the Two-Factor WebAuthn app.

Other than that, I’m not sure what could cause the issue.

Are you referring to passwordless login via FIDO2?

As far as I know, when both passwordless login and TOTP are enabled, the TOTP prompt has always appeared. Whether this behavior makes sense is, of course, a separate question. But I tested this as well, and was able to log in using passwordless FIDO2 with TOTP enabled. Of course I had to enter the TOTP code for it to work :wink:

Yes, exactly — I’m referring to passwordless login via FIDO2.

And I fully agree with you: it doesn’t really make sense to require a TOTP code after successful FIDO2 authentication, especially when the point of passwordless login is to simplify and secure access with one factor.

I had the same experience — FIDO2 worked, but then it asked for TOTP anyway, which defeats the purpose a bit.

On the one hand, you could argue that if you’re using passwordless login, there’s no real need to enable TOTP. That said, since password-based login is still active, you might still want TOTP as an extra layer of security. However, if you set an extremely long, randomly generated password and never actually use it anywhere, you can probably skip TOTP altogether.

Of course, if you want to use both password-based and passwordless logins interchangeably, the current implementation is indeed suboptimal. :wink:

1 Like

No, I think you are misunderstanding me. Most likely, I didn’t explain it properly. I am not using passwordless login. I am using a regular UN and PW login, followed by a 2FA step. The 2FA step (using my Yubikey) is what is no longer working.

Again:

  1. Enter UN and PW and press Enter
  2. At the popup where it asks whether I want to use my Security Key or a TOTP, I click Security Key
  3. Now I get the ‘Use security key’ and ‘Use backup code’ popup. Only the ‘Use backup code’ option is “clickable”. It’s like it doesn’t recognize that I am able to use a security key, at this step.
  4. I insert the security key anyway, press the button on it, but nothing happens.

I have tested this on my server and a client PC. Same exact behavior. Also, to repeat, the Yubikey works perfectly with other apps on these same machines, where I have 2FA using the security key configured.

No, I didn’t actually — that’s why I made two separate posts. This one was meant as a reply to your issue, and the one below was directed at @vawaver, who is using passwordless login.

Sorry if that caused confusion!

Either way, as I mentioned in my first reply to you, I actually tested your exact setup. I enabled both TOTP and the Two-Factor WebAuthn on a test instance of mine, and it worked perfectly fine with a YubiKey — I couldn’t reproduce your issue where the security key option isn’t clickable.

So, my question to you was, and still is: could it be that you still have the old, deprecated Two-Factor U2F app enabled? If so, please switch to the Two-Factor WebAuthn app instead.

If not — i.e., if you’re already using the Two-Factor WebAuthn app — then unfortunately, I’m not sure what’s causing the issue.

1 Like

Ah thanks for clarifying.

No, I do not have the old U2F app installed. Never did; my NC instance is only about 6 months old. And again, the 2FA WebAuthn app worked fine up until a month or so ago. I cannot confirm if it stopped right after the June updates, and don’t want to speculate.

Why not investigate the only error message presented?

Hmm, not sure then. I also tried Googling the error message you posted, but couldn’t find anything concrete at a glance. So here are just a few random (and possibly too obvious) things that came to mind:

  • I assume you’re accessing Nextcloud via HTTPS with a valid certificate — if not, that could be the issue.

  • Try using incognito mode, refreshing the page with Shift+F5 or Ctrl+F5, or using a completely different browser.

  • Try removing and re-adding the security key.

  • Remove/uninstall the app and reinstall it.

It’s also possible that another, completely unrelated app is causing the problem. So maybe try disabling apps, one by one, and see if the issue goes away. If you’ve force-enabled any older, potentially incompatible apps, start with those. Then continue with non-featured apps you may have installed since the issue occurred etc…

Other possible causes for issues like this could be the web server configuration, a reverse proxy, or something like a Cloudflare Tunnel. However, if you haven’t changed anything in that area since it last worked, that’s rather unlikely.

I’ll check those things. I was away for a few days and didn’t get a chance yet.

Will advise. Thanks for the help!

So:

Using Brave.

  1. Using an incognito window, worked fine. The browser launched the WebAuthn process and the Yubikey worked perfectly.
  2. Using a standard window, I reset (Shift-F5 and Ctrl-F5) but the problem persisted.
  3. I cleared all cookies for NC, but the problem persisted in a regular browser window.

So at this point I’m leaning towards this being a Brave issue, in that it isn’t kicking off the WebAuthn process properly in a regular window. I’ll research that.

And I am using HTTPS with a valid Let’s Encrypt certificate.

2 Likes
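As an added diagnostic, not part of this thread and not Nextcloud’s own code, the snippet below checks the three browser-side preconditions the replies touch on: a secure context (the HTTPS point), a browser that actually exposes `PublicKeyCredential`, and a usable `navigator.credentials.get` (without which no security-key assertion can start, which matches a “Use security key” option that never becomes active). The function name `webauthnDiagnostics` and the constructed sample objects are assumptions for illustration; in a real browser call it with no argument from the inspector console on the 2FA selection page.

```javascript
// Added diagnostic (not from the thread, not Nextcloud code). Run in the
// browser console as webauthnDiagnostics(); the argument exists so the same
// logic can be exercised offline against a constructed window-like object.
function webauthnDiagnostics(win = globalThis) {
  const result = {
    // WebAuthn is only available in secure contexts (HTTPS or localhost).
    secureContext: win.isSecureContext === true,
    // The WebAuthn API surface: constructor plus the credentials container.
    publicKeyCredential: typeof win.PublicKeyCredential === 'function',
    credentialsGet: typeof win.navigator?.credentials?.get === 'function',
    problems: [],
  };
  if (!result.secureContext) {
    result.problems.push('not a secure context: WebAuthn is disabled by the browser');
  }
  if (!result.publicKeyCredential) {
    result.problems.push('PublicKeyCredential missing: browser/profile is not exposing WebAuthn');
  }
  if (!result.credentialsGet) {
    result.problems.push('navigator.credentials.get missing: login (assertion) ceremony cannot start');
  }
  result.ok = result.problems.length === 0;
  return result;
}

// Constructed sample: what a healthy HTTPS page in a WebAuthn-capable browser looks like.
const sampleHealthyWindow = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { get() {}, create() {} } },
};

// Constructed sample: HTTPS page, but the browser profile does not expose WebAuthn at all.
const sampleNoWebAuthnWindow = {
  isSecureContext: true,
  navigator: {},
};

// Constructed sample: plain-HTTP page, which blocks WebAuthn regardless of browser support.
const sampleInsecureWindow = {
  isSecureContext: false,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { get() {} } },
};

console.log(webauthnDiagnostics(sampleHealthyWindow));
console.log(webauthnDiagnostics(sampleNoWebAuthnWindow));
console.log(webauthnDiagnostics(sampleInsecureWindow));
```

If the healthy case reports `ok: true` in a regular window but the security-key option is still inactive, the problem lies beyond basic API availability (for example a browser shield, extension or profile setting that intercepts the ceremony), which is the direction the incognito-versus-regular comparison above points to.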

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.