Problem with Keycloak (26.3.0) and FIDO2 keys

Posted on Mon 07 July 2025 in Blog

Today I had a nasty little problem with Keycloak.

Before I go into detail, a little warning. To solve the problem, some minor changes need to be made to the database. So it is recommended to make a backup before making the changes. And since I'm not a Keycloak developer, I can't rule out side effects 100%.

A long time ago, I added two FIDO2 tokens to my Keycloak account. At that time, of course, I did not label the tokens. That was the reason why I had two tokens with the same name assigned to my account.

After I updated Keycloak to version 26.3.0, I could no longer log in because I always received an error message after using the FIDO2 tokens.

The log files showed entries like this:

WARN [org.keycloak.events] (executor-thread-12) type="LOGIN_ERROR", realmId="master", realmName="master", clientId="security-admin-console", userId="null", ipAddress="127.0.0.1", error="invalid_user_credentials", credential_type="webauthn", auth_method="openid-connect", auth_type="code", redirect_uri="https://localhost/admin/master/console/", code_id="ead81f49-da0c-3d16-9e4f-a900474d876f"

Failed authentication: org.keycloak.models.ModelDuplicateException: Device already exists with the same name

I looked around a bit and found the following section in the docs:

When adding an OTP, WebAuthn or any other 2FA credentials, the name the user assigns to this credential needs to be unique for the given user. This allows the user to distinguish between those credentials, and either update or delete them later. If a user tries to create a credential with an already existing name, there is an error message and the user is asked to change the name of the new credential.

So I thought this could also be the problem with the login. That was why I checked the database and changed the labels assigned to the two keys used for login. The labels are stored in the credential table, which lists all tokens together with the users they are assigned to.

After I had changed a label, I was able to log in again.
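As an added illustration that is not part of the original post, the following PostgreSQL statements first list credentials whose label is not unique for a user and then rename every duplicate with a numeric suffix, which covers more than the single manual edit described above. The column names (id, user_id, type, user_label, created_date) are assumed from the Keycloak credential schema, so check them against your own database.

```sql
-- Assumed Keycloak table "credential" with the columns id, user_id, type,
-- user_label and created_date (verify against your own schema).

-- 1. Which users have more than one credential with the same label?
--    This is the condition that triggers "Device already exists with the same name".
SELECT user_id, user_label, COUNT(*) AS n
FROM credential
GROUP BY user_id, user_label
HAVING COUNT(*) > 1;

-- 2. Show the affected rows with their IDs, oldest first, so the rename
--    can be reviewed before anything is changed.
SELECT c.id, c.user_id, c.type, c.user_label, c.created_date
FROM credential c
JOIN (
    SELECT user_id, user_label
    FROM credential
    GROUP BY user_id, user_label
    HAVING COUNT(*) > 1
) d ON d.user_id = c.user_id AND d.user_label IS NOT DISTINCT FROM c.user_label
ORDER BY c.user_id, c.created_date, c.id;

-- 3. Rename the duplicates inside a transaction: the oldest credential keeps
--    its label, every later one gets " (2)", " (3)", ... appended.
BEGIN;

WITH ranked AS (
    SELECT id,
           ROW_NUMBER() OVER (PARTITION BY user_id, user_label
                              ORDER BY created_date, id) AS rn
    FROM credential
)
UPDATE credential c
SET user_label = COALESCE(c.user_label, 'credential') || ' (' || ranked.rn || ')'
FROM ranked
WHERE c.id = ranked.id
  AND ranked.rn > 1;

-- 4. Re-run step 1 here; it must return no rows before committing.
COMMIT;
```

Labels that are NULL are treated as equal by the GROUP BY and are given the constructed base name "credential" before the suffix, so unlabeled keys from the situation described in the post are handled as well.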