For maybe a year or so I've been locked out of my old Codeberg account, which has MFA enabled using two Solo2 USB-A FIDO2 keys. Neither key works; both yield the same cryptic error. I've attached a screenshot of the error message in addition to the failed request in the network tab of Microsoft Edge, showing that the "assertion" endpoint returns a 403. I'm withholding the payload section because I'm not sure if there's any compromising information associated with it, and maybe notably, there is no response payload; just the 403 HTTP response code.
Codeberg MFA page during login flow. The network tab is open, and a failed "assertion" fetch request is being shown. The request yielded no payload but a 403 HTTP response code
Things I've attempted
- It is not a browser issue. I've reproduced the issue on a recent version of both Edge, Chromium and Firefox
- It is not an OS issue. I've reproduced the issue across Debian 12, Fedora and Windows 11
- It is not a key issue. I've attempted to log in with both my Solo keys and they've had the exact same issue. I'm able to use both keys for other services
- It doesn't appear to be a Forgejo issue. I have a personal Forgejo instance that accepts the keys without issue (Forgejo version string: 1.21.3+0 built with GNU Make 4.4.1, go1.21.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify)
- It may be a Solo-specific issue as I've never tried using Codeberg with e.g. a Yubi key, though it'd be strange to me as I've never had this issue with another platform
The old account that I can't get into in question, in case someone wants to take a look on the back-end:
https://codeberg.org/njms
If you need any additional information I'd be more than happy to help; I can't test this directly because I can't reproduce it on my own instance but if there's any directions you folks have for me to dig I can keep digging. I have vested interest in this being resolved as I'd eventually like my old Codeberg account back :)
### Comment
For maybe a year or so I've been locked out of my old Codeberg account, which has MFA enabled using two Solo2 USB-A FIDO2 keys. Neither key works; both yield the same cryptic error. I've attached a screenshot of the error message in addition to the failed request in the network tab of Microsoft Edge, showing that the "assertion" endpoint returns a 403. I'm withholding the payload section because I'm not sure if there's any compromising information associated with it, and maybe notably, there is no response payload; just the 403 HTTP response code.

## Things I've attempted
- It is not a browser issue. I've reproduced the issue on a recent version of both Edge, Chromium and Firefox
- It is not an OS issue. I've reproduced the issue across Debian 12, Fedora and Windows 11
- It is not a key issue. I've attempted to log in with both my Solo keys and they've had the exact same issue. I'm able to use both keys for other services
- It doesn't appear to be a Forgejo issue. I have a personal Forgejo instance that accepts the keys without issue (Forgejo version string: 1.21.3+0 built with GNU Make 4.4.1, go1.21.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify)
- It *may* be a Solo-specific issue as I've never tried using Codeberg with e.g. a Yubi key, though it'd be strange to me as I've never had this issue with another platform
The old account that I can't get into in question, in case someone wants to take a look on the back-end:
https://codeberg.org/njms
If you need any additional information I'd be more than happy to help; I can't test this directly because I can't reproduce it on my own instance but if there's any directions you folks have for me to dig I can keep digging. I have vested interest in this being resolved as I'd eventually like my old Codeberg account back :)