Google again, again, and again. #251

Closed
opened 2026-01-29 19:38:07 +08:00 by aleytus · 3 comments
aleytus commented 2026-01-29 19:38:07 +08:00 (Migrated from github.com)

Let me start from the beginning.
Around Christmas, with the release of version 7.2, I decided to update two keys from version 6.6.
After the update, I noticed that both of my Google accounts on each of the keys were not working, while other accounts were working fine.
I thought something had gone wrong during the update, so I installed a clean version of 7.2.
I configured both keys and both accounts, checked that the keys were working, and then removed the second key and left it alone.
A week later, version 7.4 was released, and I decided to update only one key, afraid to update both at once, as I did last time.
After the update, I tried to log into my account, but couldn't.
I thought that either the firmware or the key was glitching, or the author was reworking the project.
I tried to log in with the main key on 7.2, and the situation repeated itself: the key was not accepted.
I tried both keys and both Google accounts, but I couldn't log into either of them.
At the same time, ya.ru, github.com, and discord.com are working.

It seems that the Google key works for a week and then expires.
I have a few ideas.

  1. A new signature is generated approximately every week.
  2. The signature has an expiration date and therefore cannot be used for authentication.

I want to try forcing if (self_attestation == false || is_nk) { in cbor_make_credential.c, but I don't know how to do it correctly.

aleytus commented 2026-01-29 21:15:16 +08:00 (Migrated from github.com)

If I understand correctly, I corrected it.

    // WebAuthn key for Google
    .label = "google.com",
    .use_sign_count = NULL,
    .use_self_attestation = pfalse,

I will check how it works...

aleytus commented 2026-02-01 01:43:08 +08:00 (Migrated from github.com)

That didn't help...
After enabling 2FA
Google blocks keys after 48 hours

aleytus commented 2026-02-09 08:44:14 +08:00 (Migrated from github.com)

The problem went away on its own after I left one key in the account.

Reference: dearsky/pico-fido#251