Passkeys don't work on mobile / TOTP from password manager fails
Meta
4
Post
2
Autori
0
Visualizzazioni
-
The flow for passkeys ends up blocking mobile browsers from authenticating if the passkey is stored in a tool like 1password, even if 2FA via TOTP is enabled.
When trying to use 1password to fill a 2FA TOTP on mobile, the form field doesn't fill.
I've not had this problem with 1password on any other site that I use, so it seems specific to something nodebb is doig.
-
The flow for passkeys ends up blocking mobile browsers from authenticating if the passkey is stored in a tool like 1password, even if 2FA via TOTP is enabled.
When trying to use 1password to fill a 2FA TOTP on mobile, the form field doesn't fill.
I've not had this problem with 1password on any other site that I use, so it seems specific to something nodebb is doig.
thisismissem mm, I've only ever tested the 2factor plugin using a physical Yubikey, not a digital one.
Is that what you're referring to, or did you mean a TOTP string?
For those I only tested against Bitwarden, not 1Password.
Were you able to register the token but not able to pass the screen when challenged?
-
Yeah, but both, if I have a yubikey enabled, I can't use TOTP instead of yubikey from my tests.
And yeah, I'm using a 1password passkey, instead of a yubikey — normally 1password handles those fine. On iOS Safari I received the system prompt, and it bypassed 1password completely.
-
Yeah, but both, if I have a yubikey enabled, I can't use TOTP instead of yubikey from my tests.
And yeah, I'm using a 1password passkey, instead of a yubikey — normally 1password handles those fine. On iOS Safari I received the system prompt, and it bypassed 1password completely.
thisismissem okay, it sounds like there are two separate issues.
I'll give my Yubikey a try again and see if I have issues getting a TOTP challenge.
Gli ultimi otto messaggi ricevuti dalla Federazione
-
thisismissem@hachyderm.io hmm that's fair. I don't think it precludes interested parties from having these discussions though.
I'm not sure what the right solution is.
-
@julian we've definitely seen that before, but also people might not realize that they're discussing a vulnerability
-
thisismissem@hachyderm.io how so? In the sense that discussed vulnerabilities might be exploitable cross-implementation?
-
@julian It would be great to have a collection of these that I could look through, to make sure I'm not making easily preventable mistakes myself.
Of course, potential bad guys would be able to look through it too...
-
@julian @smallcircles that'd probably be a bad idea, as you'd likely get irresponsible disclosure happening.
-
Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?
For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.
-
25 September 2025
A new category has appeared! Moderation & Server Administration is up and running for your questions and discussion about all things instance admin related. This category is a bit of a catch-all but I am happy to discuss splitting the category into additional categories given usage. fediadmin no longer auto-categorizes to General, it now goes to the Moderation category fedimod and fedimods will now auto-categorize to the Moderation category.
-
24 September 2025
This week, a new logo was uploaded for the site NodeBB now supports nicknaming remote categories so the three identically-named "Fediverse" communities are now nicknamed to show their instance origin (PieFed.social, Lemmy.world, and Lemmy.ml) ― thanks django@social.coop for letting me know
