webauthn_enable_softtoken ignored under Windows 10 1903+
Categories
(Core :: DOM: Web Authentication, defect, P3)
People
(Reporter: sageptr, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Steps to reproduce:
- Use Windows 10 1903 or later
- Go to about:config
- Set security.webauth.webauthn_enable_softtoken = true
- Set security.webauth.webauthn_enable_usbtoken = false
- Open any U2F authentication website, for example, this demo: https://demo.yubico.com/webauthn-technical/registration and click next to ask for the U2F key.
Actual results:
It shows the Windows 10 window "Insert your security key into USB port", completely ignoring the fact that webauthn_enable_usbtoken is set to false and webauthn_enable_softtoken is set to true.
Expected results:
It should use the software-based token without actually calling WinWebAuthnManager.
The culprit seems to be here:
https://github.com/mozilla/gecko-dev/blob/master/dom/webauthn/WebAuthnTransactionParent.cpp
Instead of blindly doing this check:
    #ifdef OS_WIN
      if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
        WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
        mgr->...
      } else {
        U2FTokenManager* mgr = U2FTokenManager::Get();
        mgr->...
      }
    #else
      U2FTokenManager* mgr = U2FTokenManager::Get();
      mgr->...
    #endif
it should also check whether security.webauth.webauthn_enable_usbtoken is set to true and get WinWebAuthnManager instead of U2FTokenManager only if both conditions are met, not only if WinWebAuthnManager::AreWebAuthNApisAvailable() is true.
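The selection rule proposed in the description, as an added example that is not part of the report and not Gecko code. `Backend`, `Prefs`, `SelectReported`, `SelectProposed` and `CountOverriddenConfigs` are hypothetical names that model the quoted check and the proposed one, and the loop lists which preference combinations the quoted check overrides.

```cpp
// Added illustration, not Gecko code: Backend, Prefs and the Select* functions
// are hypothetical stand-ins for the managers and prefs named in the report.
#include <cstdio>

enum class Backend { WinWebAuthnManager, U2FTokenManager };

struct Prefs {
  bool enableUsbToken;   // security.webauth.webauthn_enable_usbtoken
  bool enableSoftToken;  // security.webauth.webauthn_enable_softtoken
};

// Selection as quoted in the report: only platform API availability decides.
Backend SelectReported(bool winApisAvailable, const Prefs&) {
  return winApisAvailable ? Backend::WinWebAuthnManager
                          : Backend::U2FTokenManager;
}

// Selection as the report proposes: the platform manager is used only when
// the API is available AND the usbtoken pref is true.
Backend SelectProposed(bool winApisAvailable, const Prefs& prefs) {
  return (winApisAvailable && prefs.enableUsbToken)
             ? Backend::WinWebAuthnManager
             : Backend::U2FTokenManager;
}

// Walks every API/pref combination and counts those where the quoted check
// picks a different backend than the proposed rule would.
int CountOverriddenConfigs(bool verbose) {
  int overridden = 0;
  for (int bits = 0; bits < 8; ++bits) {
    const bool api = (bits & 4) != 0;
    const Prefs prefs{(bits & 2) != 0, (bits & 1) != 0};
    if (SelectReported(api, prefs) != SelectProposed(api, prefs)) {
      ++overridden;
      if (verbose) {
        std::printf("api=%d usbtoken=%d softtoken=%d: prefs ignored\n", api,
                    prefs.enableUsbToken, prefs.enableSoftToken);
      }
    }
  }
  return overridden;
}

int main() {
  CountOverriddenConfigs(true);
  return 0;
}
```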
Comment 2•4 years ago
The software token available via that preference isn't really intended for real use... but it is definitely the case that this will eventually be a problem for running the tests on Windows 10 if Hello gets enabled.
Easy enough to fix. Thanks!
Comment 3•7 months ago
Fixed in Bug 1546662.