U2F doesn't work on Windows 10 19H1/20H1 Insider builds

VERIFIED FIXED in Firefox 66

Status

defect
P1
normal
VERIFIED FIXED
4 months ago
2 months ago

People

(Reporter: chris.lawrence, Assigned: akshay.sonu)

Tracking

({regression})

67 Branch
mozilla67
x86_64
Windows 10
Bug Flags:
behind-pref +

Firefox Tracking Flags

(firefox-esr60- wontfix, firefox65 unaffected, firefox66+ verified, firefox67+ verified)

Reporter

Description

4 months ago

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

Disclaimer: I've tested this on two sites, AWS console login page, and Twitter login page.

  1. Install either the latest Windows 10 Insider 19H1 build, or the latest 20H1 build.
  2. Go to either AWS or Twitter, where you have a Yubikey/U2F capable hardware key configured for MFA.
  3. Log in with credentials.
  4. Windows 10 security prompt appears, asking you to press the button on your key.

Actual results:

Web page reports that the authentication information is incorrect.

Expected results:

Web page authenticates correctly.

Updated

4 months ago
Component: Untriaged → DOM: Web Authentication
OS: Unspecified → Windows 10
Product: Firefox → Core
Hardware: Unspecified → x86_64

This is using U2F support, via the enabled "security.webauth.u2f" flag, for those websites.

Akshay, can you reproduce?

Flags: needinfo?(akshay.sonu)

Confirmed, I get an errorCode: 1 back after completing the Windows Hello dialogs.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Attachment #9047976 - Attachment description: Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds → Bug 1528097 : Fix FIDO U2F support on Windows 10 19H1/20H1 Insider builds

Comment 4

4 months ago
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ce7738b3a35d
Fix FIDO U2F support on Windows 10 19H1/20H1 Insider builds r=keeler,jcj

[Tracking Requested - why for this release]:
This would be a nice-to-have due to a regression in a pref'd-off feature (FIDO U2F Support) on Windows 10 19H1. This patch lands code behind the pref, so it's likely safe, but we'll exercise it on Nightly before we request uplift.

Flags: behind-pref+
Assignee: nobody → akshay.sonu
Status: NEW → ASSIGNED

Comment 6

4 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Reporter

Comment 7

4 months ago

I see this bug was fixed and pushed to the 67 branch nightly build. However, I'm still running into the issue.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 9

4 months ago
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bfe72a7c57bd
U2F doesn't work on Windows 10 19H1/20H1 Insider builds r=jcj,keeler

Comment 10

4 months ago
bugherder
Status: REOPENED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED

I have verified U2F support works on my Windows 10 builds.

Status: RESOLVED → VERIFIED
Flags: needinfo?(akshay.sonu)

Comment on attachment 9047976 [details]
Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1508115
  • User impact if declined: Failures using u2f on Windows 10 insider build 1100+
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Get the most recent Windows 10 insider build
    Get a u2f-compatible device (e.g. yubikey)
    Set "security.webauth.u2f" to true in about:config
    Go to https://u2fdemo.appspot.com/
    Click "Register U2F Authenticator"
    A dialog titled "Windows Security" should appear. Follow its prompts.
    Expect a "box" with a "delete" button to appear describing the authenticator.
    Then click "Test Authentication"
    A dialog titled "Windows Security" should appear. Follow its prompts.
    Expect the box from before to flash green to indicate success.
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): Comparatively small patches for a behind-pref experimental feature. That said, it's a behind-pref feature some people care about, and not taking this yields a regression.

Note: We'll need both patches that were on this bug uplifted.

  • String changes made/needed: None
Attachment #9047976 - Attachment description: Bug 1528097 : Fix FIDO U2F support on Windows 10 19H1/20H1 Insider builds → Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds
Attachment #9047976 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9047976 [details]
Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds

Verification would be nice. But I'll take this anyway for the RC build since it's behind a pref.

Attachment #9047976 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9048916 [details]
Bug 1528097 U2F doesn't work on Windows 10 19H1/20H1 Insider builds

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: None
  • User impact if declined: Same argument as above.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
Attachment #9048916 - Flags: approval-mozilla-beta?
Attachment #9048916 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Unfortunately we can't do much in verifying this issue. For some reason the yubikey we have can't be used and we are prompted to use a different one.
@Jones: Do we need to have a 'personal' yubikey that is assigned to a specific account in order for this to work?

Worst case scenario, Chris, could you maybe help us in verifying the fix on the latest nightly and beta builds?

Flags: needinfo?(jjones)
Flags: needinfo?(chris.lawrence)

Huh; no, nothing bound like that. This will require an old-style yubikey; if you have one of the green pre-release ones, I could see that not working.

In a short while here I'll take my Win10 box and my collection of U2F tokens and test/list them all. Keeping the n-i active.

Reporter

Comment 19

3 months ago

I can verify that the issue has been fixed in the latest nightly builds. I have not tested this on beta builds.

Flags: needinfo?(chris.lawrence)

Comment 20

3 months ago

I've been experiencing some flakiness with U2F/WebAuthn even after this particular issue was theoretically fixed in code (related bug, filed after I thought this issue was fixed the first time: https://bugzilla.mozilla.org/show_bug.cgi?id=1532605). I can seem to reliably authenticate with keys that are already registered, but registering keys seems to fail sporadically (I've got a mix of a couple dozen YubiKey 4s and YubiKey 5s). These issues do not crop up on non-Insider builds of Windows that don't go through the OS-integrated WebAuthn code path.

Posted image 20190312_095512.jpg

I've tested a collection of security keys, here's what I found:

Yubikey Neo 3: Works
Yubikey Neo 4: Works
Yubikey test CTAP1 key: Works
Yubikey test CTAP2 key: Works
Plug-Up U2F key: Works

U2F-Zero: Does not work. We had problems with this device, too, so perhaps Microsoft probably has a bug. It's not a common device, though.
3 Feitian test devices -- All of these are CTAP2-only, so they do not work in U2F mode. That's expected.

I also did hotplugging tests and window focus/unfocus tests, they seemed OK.

Flags: needinfo?(jjones)

Comment 22

3 months ago

:jcj Any YubiKey 5 tokens? Those support FIDO2 and take a different code path, IIRC

Steven: The green CTAP2 Yubikey is a prerelease Yubikey 5, and it seems to work consistently. I don't have any production 5's.

Unfortunately, in using the OS code paths, we're at their mercy for compatibility issues. If there is something wonky there, we can't fix it, just report upstream. Similarly, since this new build of Win10 prohibits use of our existing Rust implementation (and all other direct access), we can't fall back, either. It just is what it is.

Chris could you maybe take a look on the beta build (that is now the RC)? It would be greatly appreciated since we can't do it on our end.

You can find the latest RC build here or the last Fx 66 beta here.

Flags: qe-verify+
Reporter

Comment 25

3 months ago

I can confirm that both enrollment and sign-on work on the latest RC of the 66 branch with a Yubikey Neo.

Can you request uplift to ESR? Thanks.

Flags: needinfo?(dkeeler)

Looking into it.

Flags: needinfo?(dkeeler)

See bug 1508115 comment 23 - uplifting this and its dependencies to esr60 would be difficult and risky.

Thanks very much for checking on it! Let's leave this for ESR 68 then.
