After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 791144 - Google Online Account Two Factor with hardware key fails immediately
Google Online Account Two Factor with hardware key fails immediately
Status: RESOLVED NOTGNOME
Product: gnome-online-accounts
Classification: Core
Component: general
3.26.x
Other Linux
: Normal normal
: ---
Assigned To: GNOME Online Accounts maintainer(s)
GNOME Online Accounts maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2017-12-02 20:42 UTC by Jonathan Brier
Modified: 2020-05-27 09:04 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Jonathan Brier 2017-12-02 20:42:27 UTC
The hardware key authentication two factor fails immediately with a web based retry dialogue when connecting a Google account to the online accounts in settings using a hardware key second factor.

Steps to reproduce:
1. Set Google Account to default to a hardware security key like a Yubikey or other FIDO standard key after having two factor authentication enabled on your Google Account.
2. Open Online accounts
3. Add a Google Account
4. Enter google email address
5. Enter google password
6. (this is the login flow of two factor, if default is the hardware key the error should appear).

Work around:
Choose use another method to authenticate: enter the authentication code and you will proceed.

Expectations were:
The ability to use the hardware key to authenticate as the second factor.

Initial reported to Ubuntu bugtracker against gnome-online-accounts version 3.26.1-1ubuntu1 on Ubuntu 17.10 on the date reported 2017-11-17: https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1733002
Comment 1 Debarshi Ray 2018-10-03 13:20:03 UTC
I recall discussing something similar with Nathaniel McCallum [1] at Flock some years ago. However, I don't recall the details clearly.

Does the login flow with the hardware key involve the web browser? I am asking because one of the things Nathaniel pointed out was missing support in WebKit.

[1] https://npmccallum.gitlab.io/about/
Comment 2 Debarshi Ray 2018-10-03 16:01:45 UTC
I found these:
https://bugs.webkit.org/show_bug.cgi?id=143491
https://lists.webkit.org/pipermail/webkit-dev/2017-February/028755.html

Assuming that I am not completely wrong, I am closing this as NOTGNOME because the necessary work needs to happen in WebKitGTK+ and that's hosted outside GNOME infrastructure.
Comment 3 dumahk21 2020-05-27 09:04:13 UTC
I'm using gnome-online-accounts 3.36.0-1 and I also stumble in this limitation. 

The bug indicated in webkit is now fixed and in theory supports u2f (https://trac.webkit.org/changeset/243193/webkit), but unfortunately  I still can't use u2f with my google account. 

Something must be missing in the gnome side to activate this feature.