Admin troubleshooting FIDO2 WebAuthn error and warning messages

Intended audience: Administrators

Applies to the Identity Platform release 21.04

Use this topic to learn about the FIDO2 WebAuthn user experience, and under what conditions certain error and warning messages could occur.

Note

FIDO2 authenticators could be known as external security keys or built into devices like phones and laptops. In the Identity Platform UI, the term device is interchangeble to mean either device or security key.

This table lists conditions and messages end users could experience during FIDO2 device registration.

Condition

Error / Warning message

Solution

Browser canceled, closed, or lost connection

Browser page was canceled, closed, or lost internet connection before completing FIDO2 security key registration.

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487676.png

Try registering device again.

Browser not supported

Browser is not compatible with WebAuthn for FIDO2 devices.

Message: "Looks like your browser is not compatible with WebAuthn"

70487677.png

Use another browser that supports FIDO2 WebAuthn. For example:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Apple Safari

Device deletion failed

The system could not delete the device due to a connection issue or the FIDO2 service could be down.

Message: "An error has occurred trying to delete your device"

70487666.png

Try deleting the device later.

Device update failed

The system could not update the device information due to a connection issue or the FIDO2 service could be down.

Message: "An error has occurred trying to update your device"

70487675.png

Try updating the device later.

Device limit settings – Max device limit, can remove device, cannot replace device

The user already has the maximum number of registered devices. They can remove, but not replace a device.

Message: "You have enrolled the maximum number of devices. To add another device, first remove one."

70487668.png

Click the Delete icon to remove a device.

Then, to register a different device, click Add New Device.

Device limit settings – Max device limit, can remove or replace device

The user already has the maximum number of registered devices. They can remove or replace a device.

Message: "You have enrolled the maximum number of devices. You can remove and add another device, or replace a device."

70487670.png

Options are:

To remove a device, click the Delete icon for that device. Then, you can add/register a different device.

To replace a device, click the Replace Device button to replace the oldest device.

NOTE: The oldest device is determined by the administrator setting:

  • Oldest by creation date/ time - the device with the earliest date of registration is classified as the oldest device

  • Oldest by date time last accessed - the device with the earliest date of last activity is classified as the oldest device

Device limit settings – Max device limit, cannot remove or replace device

The user already has the maximum number of registered devices. They cannot remove or replace a device.

Message: "You have enrolled the maximum number of devices. To add or replace a device, contact your admin."

70487667.png

To remove or replace a device, contact your admin.

After admin removes a device, this enables the Add New Device button, and you can register a different device.

Device limit settings – Max device limit, cannot remove, can replace device

The user already has the maximum number of registered devices. They cannot remove, but can replace a device.

Message: "You have enrolled the maximum number of devices, but you can replace a device. To add a device, first ask your admin to remove one."

70487669.png

Options are:

To register a another device, first contact your admin to remove one.

To replace a device, click the Replace Device button to replace the oldest device.

NOTE: The oldest device is determined by the administrator setting:

  • Oldest by creation date/ time - the device with the earliest date of registration is classified as the oldest device

  • Oldest by date time last accessed - the device with the earliest date of last activity is classified as the oldest device

Device limit settings – No device limit, cannot remove or replace device

The user can have an unlimited number of registered devices. They cannot remove or replace a device.

Message: "To remove or replace a device, contact your admin."

70487673.png

To register a another device, click Add New Device.

To remove or replace a device, contact your admin.

Device limit settings – No device limit, cannot remove, can replace device

The user can have an unlimited number of registered devices. They cannot remove, but can replace a device.

Message: "To remove or replace a device, contact your admin."

70487674.png

To register another device, click Add New Device.

To remove or replace a device, contact your admin.

Device name field is empty

Message: "Device name must not be empty"

70487672.png

Enter name of FIDO2 device.

Device name exists

The device name is already being used for another FIDO2 device in the system.

Message: "Sorry, the name is already in use for another device. Please use a different name."

70487671.png

Enter a different name for the FIDO2 device.

FIDO service is not available

FIDO metadata service or the API call fails.

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487676.png

Try again later.

Incorrect PIN

The PIN entered for the device is incorrect.

Message: "The PIN is incorrect. Try again."

70487678.png

Try entering the PIN again.

Register duplicate device

User is trying to register a device that is already registered in the system.

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487676.png

Register a different FIDO2 device.

Unsupported device, browser, and operating system

These conditions could cause this error message:

  • Device does not support FIDO2

  • FIDO2 device does not support PIN verification

  • Certain browser and operating systems are not supported when used together for FIDO2 devices

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487676.png

For administrators, to learn more about PIN, browser, and OS support for FIDO2 WebAuthn, see Admin troubleshooting PIN support for FIDO2 WebAuthn.

For end users, the Learn more link in the UI directs end users to this topic for end user troubleshooting: End user troubleshooting FIDO2 security key verification issues.

This table lists conditions and messages end users could experience during two-factor authentication using FIDO2.

Condition

Warning/Error Message

Solution

Browser canceled, closed, or lost connection

Browser page was canceled, closed, or lost internet connection before completing FIDO2 two-factor authentication.

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487655.png

Try two-factor authentication again.

Browser not supported

Browser is not compatible with WebAuthn for FIDO2 devices.

Message: "Looks like your browser is not compatible with WebAuthn. Some methods are currently unavailable."

70487665.png

Use another browser that supports FIDO2 WebAuthn. For example:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Apple Safari

Device not recognized

User tries to authenticate with an unregistered FIDO2 device.

The following messages could appear:

Message: " This security key doesn't look familiar. Please try a different one."

70487656.png

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487664.png

Message: "Found no credentials on this device."

70487657.png

Register the FIDO2 device for use in two-factor authentication.

Device not supported – PIN verification on FIDO2 device

Administrator has turned on PIN verification for FIDO2 device. User attempts to authenticate with a previously registered device that does not support PIN verification.

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487655.png

Use a different FIDO2 device that supports PIN verification, or register another device and try two-factor authentication again.

Incorrect PIN

The PIN entered for the device is incorrect.

The following messages could appear:

Message: "The PIN is incorrect. Try again."

70487660.png

Message: "Unrecognized PIN code. Please try again."

70487661.png

Message: "Try again:"

70487662.png

Try entering the PIN again.

Fingerprint not recognized

Fingerprint reader on FIDO2 device does not recognize fingerprint.

The following messages could appear:

Message: "Your device couldn't recognize you. Try cleaning your fingerprint sensor."

70487658.png

Message: "Fingerprint not recognized. Try again."

70487659.png

Try fingerprint reader again.

Request timed out

User took too long to respond to two-factor verification with a FIDO2 device.

The following messages could appear:

Message: "Something went wrong. The request timed out"

70487663.png

Message: "We couldn't verify your device. Try again later or use a different browser, device, or operating system."

70487664.png

Try again.