Closed Bug 1479128 Opened 6 years ago Closed 4 years ago

Unable to Setup Yubikey with Facebook

Categories

(Core :: DOM: Device Interfaces, defect, P3)

63 Branch
x86
macOS
defect

RESOLVED WORKSFORME
Tracking Status
firefox63 --- affected

People

(Reporter: adavis, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Attached image yubikey-fb.png
Unable to complete Yubikey setup on Facebook's site.

Facebook seems to detect that we can set up the Yubikey with Firefox.


*Steps to reproduce*

- Security Login > Two-factor Authentication > Add a backup > Security key > setup
- Screen opens with instructions
- Tap Yubikey


*Expected results*
Yubikey is set up

*Actual Results*
The page detects something and the cancel button gets selected after I touch my Yubikey.

If I tap my Yubikey again, it toggles the selection to the X button of the opened screen.

It seems like something is being detected but the setup is just not working.

Attached are screenshots of the buttons being selected when I touch the Yubikey.
Attached image yubikey-fb2.png
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86
Version: unspecified → 63 Branch
One other thing: 

I tried with and without FB containers just in case it might be related to that.
This issue cannot be tested without a Yubikey account and tool (key), but it seems like it does not need confirmation, only, supposedly, verification after the fix.

To be certain that this issue is valid and closely related to the Firefox browser, the same process should be attempted on 1 or 2 of the other popular browsers.

I will set this bug's component to (Toolkit) Password Management: Site compatibility and hope I chose correctly. If incorrect, I ask developers to tolerate my low technical knowledge and set the correct component.

Alex, I hope you will be able to help us verify the fix when it gets resolved.

Thank you!
Component: Untriaged → Password Manager: Site Compatibility
Flags: needinfo?(adavis)
Product: Firefox → Toolkit
- I tried to set it up quite a few times without success in Firefox.
- It did however work with other sites like LastPass and Github
- I was able to successfully set up the Yubikey on Facebook using Chrome.
- I tried to verify with another user since a few of us ordered Yubikeys from ServiceNow. Speaking to Devin Reams from the Lockbox team, he did not encounter the same problem for Facebook using Firefox.

If anyone else has a Yubikey, I invite you to also try setting it up with Facebook using Firefox.
Flags: needinfo?(adavis)
> Component: Untriaged → Password Manager: Site Compatibility

This isn't related to Password Manager, it's probably related to WebAuthn
Blocks: webauthn
Component: Password Manager: Site Compatibility → DOM: Device Interfaces
Product: Toolkit → Core
Priority: -- → P3
This is caused by Facebook itself, not by anything Mozilla-related.

Facebook is using user-agent sniffing and is disabling on purpose the U2F functions when it detects Firefox as browser, because Firefox does not officially support U2F as a stable feature yet.


proof 1: install User-Agent switcher https://addons.mozilla.org/en-GB/firefox/addon/user-agent-switcher-revived/
and configure Firefox to pretend it's Chrome, and under about:config make sure these are enabled:
security.webauth.webauthn_enable_usbtoken
security.webauth.webauthn
security.webauth.u2f

and that security.webauth.webauthn_enable_softtoken is FALSE (this one forces U2F to use an emulated software token - this is used to test U2F functions when you don't have a hardware key available)

After these changes Facebook will magically work now with U2F keys under Firefox. (This is how I use it.)



proof 2: Brad Hill from the Facebook U2F team confirmed that Firefox is currently blacklisted for U2F (point 1 above) on 2017-01-26 in the main U2F tracking thread
https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c264
(In reply to Adi from comment #6)

I think you are mixing things up here Adi. The bug you are referring to (https://bugzilla.mozilla.org/show_bug.cgi?id=1065729) (and I think the security.webauth.u2f preference) are there to enable FIDO U2F support which is the « old » standard superseded by WebAuthn (FIDO 2).

If Facebook does not support FIDO 2 yet, it's only sensible that Firefox does not work since Fx never shipped with a fully compliant implementation of FIDO U2F (which is why it is disabled in about:config). This is also why the Facebook team disabled the u2f authentication on Fx. You should not activate it in the pref if you don't really understand the security implications of the parts that are not implemented in Fx.

Since FIDO 2 is out, I don't think there will be any strong effort to make the current implementation fully compliant anyway.

So either Facebook is still using the old u2f API, and then it's normal it's not working and should be fixed on the Facebook side by switching to the new API, or they switched to the new WebAuthn API and it should just work with Firefox (as is).
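
The difference between user-agent sniffing and checking which security-key API the browser actually exposes, as discussed in the comments above, shown as an added example that is not part of the original thread and is not Facebook's or Mozilla's code. The function names, the sniffing rule and the window-like objects are constructed for illustration; `PublicKeyCredential`, `navigator.credentials` and the legacy `window.u2f` object are the real browser surfaces being probed.

```javascript
// Added example. Function names, the sniffing rule and the sample
// environments are constructed; they are not any site's real code.

// Capability check: decide from the APIs the browser actually exposes.
function detectSecurityKeyApi(win) {
  const creds = win.navigator && win.navigator.credentials;
  if (typeof win.PublicKeyCredential === "function" && creds &&
      typeof creds.create === "function" && typeof creds.get === "function") {
    return "webauthn"; // FIDO2 / WebAuthn
  }
  if (win.u2f && typeof win.u2f.register === "function" &&
      typeof win.u2f.sign === "function") {
    return "u2f"; // legacy FIDO U2F JavaScript API
  }
  return "none";
}

// User-agent sniffing: decide from the browser's self-reported name.
function sniffSecurityKeyApi(win) {
  const ua = (win.navigator && win.navigator.userAgent) || "";
  if (/Firefox\//.test(ua)) return "none"; // blocked by name
  return /Chrome\//.test(ua) ? "u2f" : "none";
}

const fn = function () {};
const FIREFOX_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0";
const CHROME_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36";
const webauthn = { create: fn, get: fn };

// Constructed window-like objects, not captured from real browsers.
const ENVIRONMENTS = {
  firefoxWithWebAuthn: { PublicKeyCredential: fn,
    navigator: { userAgent: FIREFOX_UA, credentials: webauthn } },
  firefoxSpoofingChrome: { PublicKeyCredential: fn,
    navigator: { userAgent: CHROME_UA, credentials: webauthn } },
  chromeWithU2fOnly: { u2f: { register: fn, sign: fn },
    navigator: { userAgent: CHROME_UA } },
};

// List the environments where sniffing and capability detection disagree.
function findMismatches(envs) {
  return Object.keys(envs)
    .map((name) => ({ name, sniffed: sniffSecurityKeyApi(envs[name]),
                      detected: detectSecurityKeyApi(envs[name]) }))
    .filter((row) => row.sniffed !== row.detected);
}

console.log(findMismatches(ENVIRONMENTS));
```

Sniffing is wrong in both directions here: it hides the security-key option from a browser that exposes WebAuthn, and it offers the legacy U2F flow to a browser whose user-agent string merely claims to be Chrome.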

Given that some time has passed and we did large steps towards finishing our implementation, we should re-ping Facebook to see if they are fine with us now. ni? myself so I don't forget to do that.

Flags: needinfo?(dschubert)

Today's incident with disabled addons ( https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ ) has also reset all my Firefox Containers, including the Facebook session container, so I had to log back into Facebook.

When I logged back in, Facebook did not accept to let me use any of my already-registered U2F keys for logon and neither the FIDO 2 keys, it only accepted SMS or "contact support".

I checked my FB security settings, the keys are still added to my profile and Facebook even accepts Firefox to add additional U2F keys (complains that a key is already added if I try to add it a second time)... but it's just security theater.

Facebook does not currently allow Firefox to actually use the FIDO / FIDO 2 keys for login.

After chatting to :jcj, I ran some tests on macOS and Linux using Firefox Release and Nightly, and I can happily confirm that it now just works. Because of that, I'll close this bug.

If you still have issues with Facebook not offering you to use a FIDO2 key, please leave a comment. :)

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dschubert)
Resolution: --- → WORKSFORME