[BUG] Cannot use U2F device for 2nd factor authentication

I cannot get my YubiKey Neo to work with git.handmade.network. I know my YubiKey works fine in the browser, because I use it for my Google and Dropbox accounts.

When I press "Setup New U2F Device" on the https://git.handmade.network/profile/two_factor_auth page, it shows a "U2F Error Code: 2" error in the JS console.
From https://developers.yubico.com/U2F/Libraries/Client_error_codes.html it seems that error code 2 is one of the following reasons:
  • The visited URL doesn’t match the App ID.
  • The App ID does not conform with the rules for App ID’s.
  • The U2F API is called with bad parameters (e.g. calling u2f.register with the parameters in the wrong order).
Is something wrong with the GitLab configuration? Or something wrong on my end?

I want to use the YubiKey, because it's much easier to log in than to type a 2nd factor code from my phone.
GitLab's been updated just now. This may make a difference wrt. U2F.
Also, does U2F work if you visit the GitLab instance from https://git.handmadedev.org instead of https://git.handmade.network? If so, I'll need to reconfigure GitLab…

I've ordered a YubiKey 4 to debug this in case that isn't the problem.
(They're currently 20% off as a GitHub user, in case people are interested.)

Edited by Jeroen van Rijn on
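
Added example, not part of any post in this thread and not GitLab's or Chrome's code: a simplified model of the App ID checks behind the first two causes listed for error code 2, run against the two hostnames discussed above. The last-two-labels domain rule and the sample facet list are assumptions made for the illustration.

```javascript
// Simplified model of the App ID check a U2F client runs before it talks
// to the token. Assumption: registrable domain = last two DNS labels, which
// holds for .network and .org; a real client uses the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function pass(reason) { return { ok: true, reason }; }
function fail(reason) { return { ok: false, reason }; }

// facetList: parsed trusted-facets JSON served at the App ID URL, or null.
// ok === false corresponds to the App ID causes of "error code 2".
function checkAppId(pageUrl, appId, facetList) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return fail("page is not served over HTTPS");
  if (!appId) return pass("empty App ID defaults to the page origin");

  let app;
  try { app = new URL(appId); } catch (e) { return fail("App ID is not a URL"); }
  if (app.protocol !== "https:") return fail("App ID is not an HTTPS URL");

  // Simplest valid case: the App ID is exactly the origin of the page.
  if (app.origin === page.origin && app.pathname === "/") {
    return pass("App ID equals page origin");
  }
  // Otherwise the App ID URL must serve a facet list naming the origin;
  // listed origins on a different registrable domain are discarded.
  const entries = (facetList && facetList.trustedFacets) || [];
  const v1 = entries.find(
    (e) => e.version && e.version.major === 1 && e.version.minor === 0);
  const ids = ((v1 && v1.ids) || []).filter((id) => {
    try {
      return registrableDomain(new URL(id).hostname) ===
             registrableDomain(app.hostname);
    } catch (e) { return false; }
  });
  return ids.includes(page.origin)
    ? pass("origin is a trusted facet of the App ID")
    : fail("visited origin does not match the App ID");
}

// Constructed sample data using the two hostnames from this thread.
const FACETS = { trustedFacets: [{ version: { major: 1, minor: 0 },
  ids: ["https://git.handmade.network", "https://git.handmadedev.org"] }] };
const APP_ID = "https://git.handmade.network";
const PATH = "/profile/two_factor_auth";
console.log(checkAppId("https://git.handmade.network" + PATH, APP_ID, null));
console.log(checkAppId("https://git.handmadedev.org" + PATH, APP_ID, FACETS));
```

In this model the second call fails even though the facet list names git.handmadedev.org, because that entry sits on a different registrable domain from the App ID and is dropped before the comparison.
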
It fails with exactly the same error "There was a problem communicating with your device. (error code: 2)" on handmadedev.org.
But now I don't see "U2F Error Code: 2" error message in JS console.

I'm doing this on x86_64 Chrome in Arch Linux, btw.

What's the deal with the two domains - git.handmadedev.org vs git.handmade.network? Could you make a redirect from one to the other so only one domain is used by everybody? Also, http://git.handmadedev.org/ doesn't automatically redirect to HTTPS, but git.handmade.network does.

Edited by Mārtiņš Možeiko on
The deal with the two ways to access it is that it's a holdover from earlier times… It's one of the things on my todo list for this month. Rather than a redirect, which won't work for git+ssh anyway, I'll be removing git.handmadedev.org from DNS, making the handmade.network one the place to go.

Once I make the necessary configuration changes, I'll send current GitLab users an email informing them of the change and how to update the remote url in the git config in case it's set to handmadedev.org and they don't want to clone the repo again.

As for U2F, I've got the order confirmation for the YubiKey 4. That'll hopefully be with me next week, at which time I'll be in a position to debug this problem. I'll let you know when this problem's been solved, assuming I'll be able to replicate it.

And it makes for a good excuse to add 2FA to the site itself as well, with TOTP and U2F support (although that'll be post-v1, somewhere around March before I'll be able to get to that).

Edited by Jeroen van Rijn on
Cool, thanks! 2FA & U2F for site login would be awesome.