Closed Bug 1536544 Opened 6 years ago Closed 6 years ago

GitHub FIDO U2F "This browser doesn’t support security keys"

Categories

(Core :: DOM: Web Authentication, defect)

66 Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: alistair, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Try to login to GitHub using 2FA with FIDO U2F.

The issue appears on Linux and Windows hosts.

Actual results:

When attempting to login to a GitHub account that is configured with 2FA using FIDO U2F GitHub displays this error: "This browser doesn’t support security keys"

This is a very recent change (as in the last few days). It happens on Firefox 66 and 68. Unfortunately I can't test if it still works on Firefox 65. Nightly GitHub support also worked until recently.

Expected results:

Assuming that GitHub didn't just blacklist Firefox as supported for U2F then I should be able to use a U2F key to login.

I understand this is possibly a GitHub issue, but I wanted to raise this here anyway as a way to track what is happening.

Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core

Status: NEW

Can confirm locally, and seeing reports from users on Reddit and Twitter.

At least one GitHub employee has confirmed that it's due to a change on their end, but no commitment to resolving it: https://twitter.com/lgarron/status/1108159347538849792

Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: DOM: Device Interfaces → DOM: Web Authentication

GitHub seems to have fixed whatever was wrong. I logged in with my YubiKey today.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

Ahoy!

This was a side effect of refactoring that we made to get GitHub ready for webauthn support.

The fact that U2F worked for Firefox users with the security.webauth.u2f flag is more-or-less an accident — Firefox never officially supported U2F, so we never officially supported U2F for Firefox. However, we've deployed a fix to restore the old behaviour, so things should keep working for these users like before.

Off-topic, but..

@Lucas Somebody said on Reddit that "this should have only affected users who pirated Windows at one point". Should we expect other upcoming changes related to authentication, like merging the GitHub and Live logins?

The "pirated Windows" explanation from my coworker was a tongue-in-cheek comment. Things don't actually work like that. ;-)

I can't comment on other auth changes, mostly because I don't know/make decisions on that kind of level. However, Microsoft contributes significantly to webauthn efforts, and we talk to the folks from Edge who have experience with it. We're eager to see if we can get GitHub working with some of the newer open standards. :-D

This appears to have regressed? Firefox 66 on OS X 10.14.3 and I'm seeing the "This browser doesn’t support security keys" message. I think it stopped working sometime in the last few days, though I'm not 100% sure.

I just tried, and from what I can tell the old behaviour continues to work (Firefox 66.0 on macOS 10.14.4). Are you certain nothing else has changed for you?

Whoops--looks like my u2f about:config setting toggled itself off somehow (possibly because I had to force-quit Firefox the last time I closed it). Sorry for not checking!

Security keys are hardware devices that can be used as your second factor of authentication. When signing in, you press a button on the device rather than typing a verification code. Security keys use the FIDO U2F standard.
This browser doesn’t support the FIDO U2F standard yet. We recommend updating to the latest Google Chrome to start using security key devices.

I am seeing this message this morning on Nightly. I've checked about:config and security.webauth.u2f is set to true.

I also tried turning off ETP in case that made a difference, which it didn't.

Github is close-ish to rolling out support for Web Authentication which will replace their FIDO U2F support -- but until that rolls out, we keep finding these breakages on their periodic code deploys. I'll ping Github!

(In reply to J.C. Jones [:jcj] (he/him) from comment #12)

> Github is close-ish to rolling out support for Web Authentication which will replace their FIDO U2F support -- but until that rolls out, we keep finding these breakages on their periodic code deploys. I'll ping Github!

Should we reopen this while this is unreliably not working?

Flags: needinfo?(jjones)

I don't think so. There's no action that we can take. It's purely a Github issue.

Flags: needinfo?(jjones)

Hmm, I looked into this, and I can't reproduce the issue on stable or nightly — I seem to be able to auth using the U2F API.
I'm also not aware of code changes that I would expect to break this.

Given that we're trying to focus on WebAuthn functionality, I'm afraid we can't really dedicate time to debugging this. 😔

Currently GitHub checks the User-Agent and denies Firefox with a message to "Upgrade" to Chrome. Spoofing the User-Agent, however, allows you to use U2F just fine.
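An added example, not part of the original thread and not GitHub's code: it contrasts a User-Agent gate like the one described in the comment above with probing for the APIs the sign-in page would call. All function names, the `siteSupports` parameter and the window-like test objects are assumptions made for illustration.

```javascript
const FIREFOX_UA = // User-Agent string taken from the bug report
  'Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0';
const CHROME_UA = // constructed sample string
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ' +
  'Chrome/73.0.0.0 Safari/537.36';

// Hypothetical stand-in for a User-Agent gate of the kind the comment describes.
function uaAllowsSecurityKeys(userAgent) {
  return /\bChrome\/\d+/.test(userAgent);
}

// Probe the objects the sign-in page would actually call.
// `win` is window-like; `siteSupports` lists what the server accepts.
function detectSecurityKeyApi(win, siteSupports) {
  const isFn = (f) => typeof f === 'function';
  const creds = win.navigator && win.navigator.credentials;
  const available = {
    webauthn: isFn(win.PublicKeyCredential) && !!creds &&
      isFn(creds.create) && isFn(creds.get),
    u2f: !!win.u2f && isFn(win.u2f.register) && isFn(win.u2f.sign),
  };
  // First protocol, in the site's preference order, that the browser exposes.
  return siteSupports.find((api) => available[api] === true) || 'none';
}

// Constructed window-like objects, reduced to the probed properties.
const noop = () => {};
function fakeWindow(userAgent, { u2f = false, webauthn = false } = {}) {
  const win = { navigator: { userAgent } };
  if (u2f) win.u2f = { register: noop, sign: noop };
  if (webauthn) {
    win.PublicKeyCredential = function PublicKeyCredential() {};
    win.navigator.credentials = { create: noop, get: noop };
  }
  return win;
}

// Both decisions for one environment, side by side.
function compare(win, siteSupports) {
  return {
    uaGate: uaAllowsSecurityKeys(win.navigator.userAgent),
    probe: detectSecurityKeyApi(win, siteSupports),
  };
}

// Firefox 66 with security.webauth.u2f enabled, site accepting U2F only.
console.log(compare(fakeWindow(FIREFOX_UA, { u2f: true, webauthn: true }), ['u2f']));
// Chrome-looking User-Agent on a browser that exposes no U2F object.
console.log(compare(fakeWindow(CHROME_UA), ['u2f']));
```

The two decisions disagree in both directions: the gate rejects a browser that exposes `window.u2f`, and accepts one that only claims a Chrome User-Agent.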

We've officially launched WebAuthn support: https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/?utm_campaign=1566403234&utm_medium=social&utm_source=twitter&utm_content=1566403234

We're also working on turning down U2F. Hopefully this bug should be resolved, but please let me know if there are remaining issues!
