Did Internet Identity remove security keys recently?

Hello,

I have some throwaway accounts without recovery phrases that I use for testing various things. Haven’t touched any of them in about a month. Just tried to sign into one and I’m getting the error “You’re using a security key that is not registered with this website”. Then tried a couple others, and they’re all giving me that message. Tried both identity.internetcomputer.org and identity.ic0.app, same issue.

Tried to create a fresh one, works without issue and can sign into it just like normal after creation. Using bulwark/virtual-fido for all these accounts since they don’t contain any funds or anything important, and I can see the keys are in fact still in there.

Did the internet identity service just remove them on their end? Maybe because it identified it as spam since multiple were created on the same day with the same ip? Or what’s likely going on here?

Bit worrisome that you can just randomly lose access to an account for which you still have the key.

Identity data like configured passkeys can only be managed by the users themselves, there’s no anti-spam or admin of that sort that removes data. In other words, Internet Identity is a decentralized service.

You can check how many passkeys and recovery phrases are registered for a given identity number with a public lookup method here: https://dashboard.internetcomputer.org/canister/rdmx6-jaaaa-aaaaa-aaadq-cai#lookup

Another way that identity data could possibly change is through NNS proposals to upgrade the Internet Identity implementation. But we haven’t had any proposals that could have possibly affected passkey data in a long while.

A possible cause could be that your browser has been updated since these identities were created. Support for the older u2f standard has been gradually phased out of browser support.

This doesn’t affect the common vendor passkey implementations, but it does likely affect the older virtual u2f implementation you’ve mentioned.

You can try using an older browser version to access these identities, see if this older version is still able to authenticate using the virtual u2f implementation.

Doubt it’s a browser issue, since I could use the same software to create a new key and then login with that. Though tried a different browser just to be sure and also failed there with my old identities.

Very strange

Could you share a screenshot or screen recording of this message: You're using a security key that is not registered with this website?

As far as I’m aware this doesn’t seem to be an error coming from Internet Identity itself, but rather from your browser or OS.

Sure, just this. Pops up as soon as I click the identity number I want to log in with.

Somehow something seems to be going wrong on the browser/OS side.

Narrowing down the exact cause is going to be a challenge, particularly since you seem to indicate it’s not happening to newly created accounts, which means reproducing the issue won’t be trivial :confused:

To help me narrow things down further, could you help me with the following:

  • Try to authenticate at https://identity.ic0.app/?feature_flag_domain_compatibility=false and see if that makes a difference.
    • This helps me narrow down, to see if the issue might be related to the more recent cross domain passkey authentication implementation.
    • This URL only toggles a feature flag temporarily for the browser tab it’s opened in, the flag is back to default when you reload the page or open another tab.
  • When were these identities created? When did it stop working?
    • This helps me narrow down the code changes in that time window, to see if there’s any change that could potentially be related.
  • Could you share the identity numbers with me in a DM?
    • This would help me look up the credential ids of the passkeys in this identity, see if there’s anything that stands out there that might cause any issues.
    • To clarify, as mentioned with the link above, the credential ids of passkeys linked to an Internet Identity are public information, since the WebAuthn browser API needs these to know which passkeys a user would like to authenticate with.
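
An added example, not part of the original thread and not Internet Identity code: a simplified model of how a WebAuthn client uses the public credential ids mentioned above, showing that a key only answers when both the RP ID and one of the allowed credential ids match what it stored at registration. The credential ids, the `authenticator` list and both function names are constructed for illustration; the public-suffix check and Related Origin Requests are not modelled.

```javascript
// Constructed sample data: two credentials, each bound to the RP ID it was
// created under. (A real authenticator stores a SHA-256 hash of the RP ID;
// plain strings keep the model readable.)
const authenticator = [
  { rpId: "identity.ic0.app", credentialId: "cred-A" },
  { rpId: "identity.internetcomputer.org", credentialId: "cred-B" },
];

// The RP ID must equal the origin's host or be a parent domain of it.
function rpIdAllowedForOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Models the lookup behind navigator.credentials.get(): the website supplies
// rpId and allowCredentials (the public credential ids); the client and the
// key decide whether any stored credential may answer.
function lookupAssertion(origin, rpId, allowCredentials) {
  if (!rpIdAllowedForOrigin(rpId, origin)) {
    return { ok: false, reason: "SecurityError: rpId not valid for origin" };
  }
  const match = authenticator.find(
    (c) => c.rpId === rpId && allowCredentials.includes(c.credentialId)
  );
  if (!match) {
    // The key holds nothing for this (rpId, credential id) pair. This outcome
    // is surfaced to the user by the browser/OS, not by the website.
    return { ok: false, reason: "no matching credential" };
  }
  return { ok: true, credentialId: match.credentialId };
}

// Same key, same origin: only the id registered under that RP ID matches.
console.log(lookupAssertion("https://identity.ic0.app", "identity.ic0.app", ["cred-A"]));
console.log(lookupAssertion("https://identity.ic0.app", "identity.ic0.app", ["cred-B"]));
// Asking for the other domain's RP ID from this origin is rejected outright.
console.log(lookupAssertion("https://identity.ic0.app", "identity.internetcomputer.org", ["cred-B"]));
```
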

That url with the feature_flag_domain_compatibility=false url parameter also same error.

When they were created, probably some time around April this year. When they stopped working, some time between today and last month, since last month was the last time I used one and it worked fine then.

Maybe a stupid question, but how can I DM things here? Clicked your profile, but don’t see any DM options?

There’s a “Message” button on the profile popup on my end. No idea if that’s available for all users, or if it’s only available after a given amount of forum activity.

I’ve sent you a DM, hopefully you’re able to respond there.