Cannot register FIDO2 Key

M.Kleemann 1 Reputation point
2022-11-03T16:29:16.847+00:00

Hello,

we enabled FIDO2 registration for our tenants. Tried it first with YubiKey Bio - FIDO Edition, which works flawless with TAP issued to the user, true passwordless as intended.
This Key is not cheap, so we went for a 15$ token2 FIDO2 Stick with only Pin Authentication.

Link: https://www.token2.com/shop/product/token2-t2f2-typec-fido2-and-u2f-security-key

But i cannot enroll the stick in any tenant via https://aka.ms/securityinfo

Error ist https://mysignins.microsoft.com/security-info#fidoProvisionError=InvalidCanary with some additional generic Error Message popping up "sorry we ran into a problem"

256911-image.png

Error appears on both tenants, both time it was tested with users where the YubiKey just works fine.

Has anyone had similar experiences or has a suggestion on how to fix this?

EDIT: Already disabled "Enforce attestation" in Azure AD

EDIT2: Checked Authentication methods | Registration and reset events, there is an event for FIDO2 registration which says "success". Key is not working nonetheless

Regards

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,057 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JimmySalian-2011 41,951 Reputation points
    2022-11-03T20:06:49.66+00:00

    Hi,

    Did you checked this article and followed the steps? Do you enrol in 10 seconds after plugging in? As per the article "Please note that as per Microsoft's requirement "FIDO2 reset commands are only valid in the first 10 seconds of one power cycle". While this is well documented in the FIDO2 manufacturer guide, this was not made evident for end-users in the UI of the current Windows 10 Control Panel. So, if during the reset operation you get an error, please redo the operation and try to complete the reset within 10 seconds after you plugged the key to USB.

    passwordless-authentication-in-azure-ad-with-token2-fido2-keys

    Hope this helps.
    JS

    ==
    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.