webauthn token - no passkey is written on the yubikey

Hi there,

I have privacyIDEA 3.11 and I’m trying to enroll a webauthn token with a YubiKey. The policy with webauthn_relying_party_name and webauthn_relying_party_id is active, everything runs as expected, there is no error in the web UI, the token is successfully enrolled, but no passkey is written to the YubiKey…
The only info I see in the log is: “[privacyidea.api.lib.postpolicy:1012] No serial number found in response. Can not do check_verify_enrollment”… but in the web UI, under token info, the serial is shown.
Does this have anything to do with the fact that there is no passkey written on the Yubikey?
Is there anyone else with the same problem, or does anyone know a solution?

Thank you!

Hi,
In privacyIDEA, the webauthn token is not a passkey, because it does not create a resident key on the authenticator but requires the credential_id from the server to be passed to the authenticator for authentication.
For a passkey, there is the passkey token type, introduced in 3.11, which will do what you expect.
The log info you see is from the policy “check_verify_enrollment”, which you have enabled, but it cannot be used for that type of token (if I’m not mistaken, I haven’t checked in detail). But it does not block/crash anything, right? If you were just wondering why there is no key saved on the YubiKey → use the passkey token type.

The Passkey enroll token option was not displayed; I had to add it in the admin policy first. Thank you!
