Open Bug 1624255 Opened 8 months ago Updated 7 months ago

about:logins asks for my Windows password but not my PIN or fingerprint

Categories

(Firefox :: about:logins, defect, P2)

76 Branch
defect

Tracking

()

People

(Reporter: sollacea, Unassigned)

References

()

Details

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

Sorry if this isn't the right place, but I was unable to find anywhere through the normal channels that I was able to get help with this, or even a semi-human response.*

Since one of the last Nightly updates, the browser has started asking for my windows login credentials whenever I try to access the saved passwords. There's no way I could find to turn this off and it only asks for my windows password.

I don't remember my windows password. I use either the PIN (recommended) to sign in, or the fingerprint reader, as I have done for several years now. I also cannot get a password change as that would require me to purchase a flight to Germany so I can sign into the domain server that would allow me to do that.

So effectively I've lost access to all of my passwords because Mozilla decided to do something that was hardly necessary or desired.

Luckily I still have an instance of FF 74 running and I can get into lockbox through that, and my work laptop (thankfully) asks for my PIN instead, though at least I do remember the password on that one so even if it does break like this I'm not totally lost.

Steps:

  • open lockbox
  • pick an account (any account)
  • click the button to copy or view the password (or username)

[*] no options for Firefox Nightly on the main site, no direct chat to reach an agent, no Discord server, no IRC link, or anything. Best I could find was a Reddit board but God knows how that works and if anyone would actually see it, let along respond.

Actual results:

  • Firefox asked me for my windows sign in

Expected results:

  • Firefox should have asked me for my windows PIN, or at least offered the option to switch to an alternative authentication.

The option to disable this thing completely would also be appreciated, even if it does ask me for my PIN (NOT PASSWORD) before would be appreciated. Windows itself already has a login page. I never leave my laptop out in the open, unlocked in public, so I don't need the browser double guessing me.

As-is, if this is what's going to happen every time I update, I'd honestly be better off keeping everything in an Excel spreadsheet or a plastic binder like my father does.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

(In reply to Sollace from comment #0)

Since one of the last Nightly updates, the browser has started asking for my windows login credentials whenever I try to access the saved passwords. There's no way I could find to turn this off and it only asks for my windows password.

I don't remember my windows password. I use either the PIN (recommended) to sign in, or the fingerprint reader, as I have done for several years now.

The dialog should support the PIN and/or fingerprint reader options… did you click the link to see more options? Can you please attach a screenshot of the dialog you see after you click to view all options?

Luckily I still have an instance of FF 74 running and I can get into lockbox through that, and my work laptop (thankfully) asks for my PIN instead, though at least I do remember the password on that one so even if it does break like this I'm not totally lost.

So you're saying that on one machine it asks for your password and on the other it asks for your PIN, even though both have a PIN set up? Are you maybe running a different edition or version number of Windows? Can you post details about the Windows edition and version of the machine where it doesn't work?

[*] no options for Firefox Nightly on the main site, no direct chat to reach an agent, no Discord server, no IRC link, or anything. Best I could find was a Reddit board but God knows how that works and if anyone would actually see it, let along respond.

We don't have official live support but there is the Firefox Desktop Community channel at https://wiki.mozilla.org/Matrix#Specific_areas or in this case since you're running Firefox Nightly you can use the Nightly channel. There is also forums at https://support.mozilla.org/

The option to disable this thing completely would also be appreciated, even if it does ask me for my PIN (NOT PASSWORD) before would be appreciated. Windows itself already has a login page. I never leave my laptop out in the open, unlocked in public, so I don't need the browser double guessing me.

As-is, if this is what's going to happen every time I update, I'd honestly be better off keeping everything in an Excel spreadsheet or a plastic binder like my father does.

Feedback noted. We now have a delay before asking again so looking through many passwords in a row shouldn't be as annoying. Unfortunately providing a way to disable this would defeat the point of the protection as someone who was snooping would simply disable it.

Blocks: 1194529
Type: enhancement → defect
Component: Password Manager → about:logins
Flags: needinfo?(sollacea)
Product: Toolkit → Firefox
Summary: Unable to access lockbox/passwords in Nightly → about:logins asks for my Windows password but not my PIN or fingerprint
Attached image image.png
Attached image image.png

(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #2)

The dialog should support the PIN and/or fingerprint reader options… did you click the link to see more options? Can you please attach a screenshot of the dialog you see after you click to view all options?

So you're saying that on one machine it asks for your password and on the other it asks for your PIN, even though both have a PIN set up? Are you maybe running a different edition or version number of Windows? Can you post details about the Windows edition and version of the machine where it doesn't work?

I have attached a screenshot as requested. I've tried looking under "more options" and I see no way to switch. The "Use a different account" option just requests a username and password.

The other does indeed offer the option to select either PIN or password. They both are running the same version of windows to my best knowledge (both have recently installed the 1909 update)

https://support.mozilla.org/
I looked there (twice) and it took me down the path of [Firefox] > [Frequent Topics] none of which look particularly helpful to my situation. .-. I don't even know where I found the reddit link.

Unfortunately providing a way to disable this would defeat the point of the protection as someone who was snooping would simply disable it.
That is unfortunate, but understandable.

Sorry if I sounded a little frustrated by the tone of my initial report.

Flags: needinfo?(sollacea)

Thanks for your report. I'm going to look deeper in to this.

Assignee: nobody → jaws
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

P1 for now so we don't lose track of it but we can lower it once we investigate.

Priority: -- → P1
Attached image Expected

This is what people should be seeing and it's what I see on my local machine. I have Windows 10 1909 installed (build 18363.719).

I also cannot reproduce it in build 18363.720.

@Sollace, do you have any ideas that I could try to get me in a state similar to yours?

Flags: needinfo?(sollacea)
Attachment #9137511 - Attachment is obsolete: true

I may have just reproduced this once on a Windows 10 non-admin account I last used in 2018 for testing OS re-auth… I logged into Windows with a PIN and then when I got the re-auth dialog to reveal a password I only had the password option… I entered my password, reloaded the tab, revealed the password again and then it defaulted to the PIN option… I assume this is an intentional Windows security design… not allowing the non-password auth if the user never entered their password for the Windows session.

Sollace, for now you can set signon.management.page.os-auth.enabled to false in about:config but eventually when we work out the kinks we will remove that.

@Jared Weirn
Hi, sorry for the delay. I haven't been checking my email.

Seems like Mather has found a cause. I don't remember it working like that on my other laptop, but I will give it a try. It may be that it only disabled the non-password options once and after that never did again.

Flags: needinfo?(sollacea)

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #11)

@Sollace, can you please test this build and let me know if you now get a PIN prompt?

https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/B1u4NJwMRF2aX_P2KnBs1A/runs/0/artifacts/public/build/target.zip

Checked that build, and still the same thing. Only option show is for a password or a different account.

See Also: → 1630858

Lowering priority and unassigning since Chromium has this same issue with no progress in the past year.

Assignee: jaws → nobody
Status: ASSIGNED → NEW
Priority: P1 → P2
You need to log in before you can comment on or make changes to this bug.