U2F doesn't work on Windows 10 19H1/20H1 Insider builds
Categories (Core :: DOM: Web Authentication, defect, P1)
People (Reporter: chris.lawrence, Assigned: akshay.sonu)
Details (Keywords: regression)
Attachments (3 files)
- 47 bytes, text/x-phabricator-request (lizzard: approval-mozilla-beta+)
- 47 bytes, text/x-phabricator-request (lizzard: approval-mozilla-beta+)
- 584.34 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Steps to reproduce:
Disclaimer: I've tested this on two sites, AWS console login page, and Twitter login page.
- Install either the latest Windows 10 Insider 19H1 build, or the latest 20H1 build.
- Go to either AWS or Twitter, where you have a Yubikey/U2F capable hardware key configured for MFA
- Login with credentials.
- Windows 10 security prompt appears, asking you to press the button on your key.
Actual results:
Web page reports that the authentication information is incorrect.
Expected results:
Web page authenticates correctly.
Comment 1•6 years ago
This is using U2F support, via the enabled "security.webauth.u2f" flag, for those websites.
Akshay, can you reproduce?
Comment 2•6 years ago
Confirmed, I get an errorCode: 1 back after completing the Windows Hello dialogs.
Comment 3•6 years ago (Assignee)
Comment 5•6 years ago
[Tracking Requested - why for this release]:
This would be a nice-to-have due to a regression in a pref'd-off feature (FIDO U2F Support) on Windows 10 1H19. This patch lands code behind the pref, so it's likely safe, but we'll exercise it on Nightly before we request uplift.
Comment 6•6 years ago
bugherder
Comment 7•6 years ago (Reporter)
I see this bug was fixed and pushed to the 67 branch nightly build. However, I'm still running into the issue.
Comment 8•6 years ago (Assignee)
Comment 10•6 years ago
bugherder
Comment 11•6 years ago
I have verified U2F support works on my Windows 10 builds.
Comment 12•6 years ago
Comment on attachment 9047976 [details]
Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: Bug 1508115
- User impact if declined: Failures using u2f on Windows 10 insider build 1100+
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
  - Get the most recent Windows 10 insider build
  - Get a u2f-compatible device (e.g. yubikey)
  - Set "security.webauth.u2f" to true in about:config
  - Go to https://u2fdemo.appspot.com/
  - Click "Register U2F Authenticator"
  - A dialog titled "Windows Security" should appear. Follow its prompts.
  - Expect a "box" with a "delete" button to appear describing the authenticator.
  - Then click "Test Authentication"
  - A dialog titled "Windows Security" should appear. Follow its prompts.
  - Expect the box from before to flash green to indicate success.
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): Comparatively small patches for a behind-pref experimental feature. That said, it's a behind-pref feature some people care about, and not taking this yields a regression.
Note: We'll need both patches that were on this bug uplifted.
- String changes made/needed: None
Comment 13•6 years ago
Comment on attachment 9047976 [details]
Bug 1528097 : U2F doesn't work on Windows 10 19H1/20H1 Insider builds
Verification would be nice. But I'll take this anyway for the RC build since it's behind a pref.
Comment 14•6 years ago
bugherder uplift
Comment 15•6 years ago
Comment on attachment 9048916 [details]
Bug 1528097 U2F doesn't work on Windows 10 19H1/20H1 Insider builds
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: None
- User impact if declined: Same argument as above.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed:
Comment 16•6 years ago
bugherder uplift
Comment 17•6 years ago
Unfortunately we can't do much in verifying this issue. For some reason the yubikey we have can't be used and we are prompted to use a different one.
@Jones: Do we need to have a 'personal' yubikey that is assigned to a specific account in order for this to work?
Worst-case scenario, Chris, could you maybe help us in verifying the fix on the latest nightly and beta builds?
Comment 18•6 years ago
Huh; no, nothing bound like that. This will require an old-style yubikey, if you have one of the green pre-release ones, I could see that not working.
In a short while here I'll take my Win10 box and my collection of U2F tokens and test/list them all. Keeping the n-i active.
Comment 19•6 years ago (Reporter)
I can verify that the issue has been fixed in the latest nightly builds. I have not tested this on beta builds.
Comment 20•6 years ago
I've been experiencing some flakiness with U2F/WebAuthn even after this particular issue was theoretically fixed in code (related bug, filed after I thought this issue was fixed the first time: https://bugzilla.mozilla.org/show_bug.cgi?id=1532605). I can seem to reliably authenticate with keys that are already registered, but registering keys seems to fail sporadically (I've got a mix of a couple dozen YubiKey 4s and YubiKey 5s). These issues do not crop up on non-Insider builds of Windows that don't go through the OS-integrated WebAuthn code path.
Comment 21•6 years ago
I've tested a collection of security keys, here's what I found:
Yubikey Neo 3: Works
Yubikey Neo 4: Works
Yubikey test CTAP1 key: Works
Yubikey test CTAP2 key: Works
Plug-Up U2F key: Works
U2F-Zero: Does not work. We had problems with this device, too, so perhaps Microsoft probably has a bug. It's not a common device, though.
3 Feitian test devices -- All of these are CTAP2-only, so they do not work in U2F mode. That's expected.
I also did hotplugging tests and window focus/unfocus tests, they seemed OK.
Comment 22•6 years ago
:jcj Any YubiKey 5 tokens? Those support FIDO2 and take a different code path, IIRC
Comment 23•6 years ago
Steven: The green CTAP2 Yubikey is a prerelease Yubikey 5, and it seems to work consistently. I don't have any production 5's.
Unfortunately, in using the OS code paths, we're at their mercy for compatibility issues. If there is something wonky there, we can't fix it, just report upstream. Similarly, since this new build of Win10 prohibits use of our existing Rust implementation (and all other direct access), we can't fall back, either. It just is what it is.
Comment 24•6 years ago
Chris, could you maybe take a look at the beta build (that is now the RC)? It would be greatly appreciated since we can't do it on our end.
You can find the latest RC build here or the last Fx 66 beta here.
Comment 25•6 years ago (Reporter)
I can confirm that both enrollment and sign-on work on the latest RC of the 66 branch with a Yubikey Neo.
Comment 26•6 years ago
Thank you Chris!
Comment 29•6 years ago
See bug 1508115 comment 23 - uplifting this and its dependencies to esr60 would be difficult and risky.
Comment 30•6 years ago
Thanks very much for checking on it! Let's leave this for ESR 68 then.