Closed Bug 1716859 Opened 3 years ago Closed 2 years ago

Firefox generates credentials using TPM with Windows Hello - but does not send TPM attestation

Categories

(Core :: DOM: Web Authentication, defect)

Desktop
Windows 10
defect

RESOLVED DUPLICATE of bug 1631010

People

(Reporter: dveditz, Assigned: rmf)

References

(Blocks 1 open bug)

Details

From https://github.com/w3c/webauthn/issues/1620:

In some recent testing, using the following:

Laptop with fingerprint reader
Windows Hello configured with a fingerprint
Windows 10 Pro - Version 1909, Build 1863.1440
Firefox (64-bit) 89.0
Chrome (64-bit) 91.0.4472.77
Edge (64-bit) 91.0.864.37
Opera (64-bit) 76.0.4017.177
Brave 1.25.70 (64-bit) Chrome 91.0.4472.77
Test site: https://demo4.strongkey.com/basicserver

All listed browsers use the TPM to generate platform keys when registering at this site; however, only Firefox does not provide a TPM attestation - it returns "none" - while the remaining three return TPM attestations. We can confirm that the TPM was used by Firefox because certutil -csp NGC -key shows a new key in the list after successful registration with Firefox; when the key is deleted with certutil, the credential cannot be found for authentication and Firefox prompts for a Security Key. At other times (when the TPM key is not deleted), Firefox continues to work with TPM generated keys - even when not created by Firefox - to authenticate users to the site.

The FIDO2 server on the back-end is StrongKey's FIDO Certified implementation, and sends registration challenges with the declaration that it will accept any attestation format in this web-application.
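What the server sees in the situation described above is a registration response whose attestationObject carries fmt "none" and an empty attStmt, so the relying party has nothing to verify about the authenticator even though the key really lives in the TPM. The following is an added example (not code from the bug report, Firefox, or StrongKey) of the server-side check: it decodes the CBOR attestationObject returned by navigator.credentials.create(), reports the attestation format, the AAGUID and the UV flag from authData, and applies a simple format policy. The minimal CBOR codec is hand-written for the example, the RP ID hash is constructed from the demo site named in the report, and the certificate, signature, certInfo and pubArea bytes in the "tpm" sample are placeholders, so this example does not verify a TPM attestation statement, it only classifies it.

```python
import hashlib

# --- minimal CBOR subset (unsigned/negative ints, byte/text strings, arrays, maps) ---
# Added example code; enough to round-trip a WebAuthn attestationObject, nothing more.

def _hdr(mt, n):
    """Encode the CBOR initial byte(s) for major type mt and argument n."""
    if n < 24:
        return bytes([(mt << 5) | n])
    if n < 0x100:
        return bytes([(mt << 5) | 24, n])
    if n < 0x10000:
        return bytes([(mt << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(mt << 5) | 26]) + n.to_bytes(4, "big")

def cbor_encode(v):
    if isinstance(v, int):
        return _hdr(0, v) if v >= 0 else _hdr(1, -1 - v)
    if isinstance(v, bytes):
        return _hdr(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _hdr(3, len(b)) + b
    if isinstance(v, list):
        return _hdr(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(buf, pos):
    """Decode one CBOR item at buf[pos]; returns (value, position after the item)."""
    ib = buf[pos]
    mt, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai in (24, 25, 26, 27):
        width = 1 << (ai - 24)
        n = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("indefinite-length or reserved CBOR item not supported")
    if mt == 0:
        return n, pos
    if mt == 1:
        return -1 - n, pos
    if mt in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + n])
        return (raw if mt == 2 else raw.decode("utf-8")), pos + n
    if mt == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if mt == 5:
        d = {}
        for _ in range(n):
            k, pos = _decode(buf, pos)
            d[k], pos = _decode(buf, pos)
        return d, pos
    raise ValueError(f"unsupported CBOR major type {mt}")

# --- relying-party side: what did the browser actually hand us? ---

def inspect_attestation(attestation_object: bytes) -> dict:
    """Return fmt, AAGUID and UV flag from a WebAuthn attestationObject.

    fmt "none" means no attestation statement was conveyed, so the RP cannot
    verify which authenticator (TPM or otherwise) holds the key."""
    obj, end = _decode(attestation_object, 0)
    if end != len(attestation_object):
        raise ValueError("trailing bytes after attestation object")
    fmt, att_stmt, auth_data = obj["fmt"], obj["attStmt"], obj["authData"]
    if fmt == "none" and att_stmt != {}:
        raise ValueError("fmt 'none' requires an empty attStmt")
    flags = auth_data[32]                       # rpIdHash(32) | flags(1) | signCount(4) | ...
    aaguid = auth_data[37:53].hex() if flags & 0x40 else None   # AT flag: attested credential data present
    return {"fmt": fmt, "aaguid": aaguid, "user_verified": bool(flags & 0x04)}

def accept_registration(attestation_object: bytes, allowed_formats) -> bool:
    """Policy hook: accept only attestation formats the RP is prepared to verify."""
    return inspect_attestation(attestation_object)["fmt"] in allowed_formats

# --- constructed sample responses (not captured from any browser) ---

def _sample_auth_data(aaguid: bytes) -> bytes:
    rp_id_hash = hashlib.sha256(b"demo4.strongkey.com").digest()   # constructed from the RP ID in the report
    flags = bytes([0x45])                                            # UP | UV | AT
    sign_count = (0).to_bytes(4, "big")
    cred_id = b"\x11" * 16
    cose_key = cbor_encode({1: 2, 3: -7, -1: 1, -2: b"\x00" * 32, -3: b"\x00" * 32})  # placeholder EC2 key
    return rp_id_hash + flags + sign_count + aaguid + len(cred_id).to_bytes(2, "big") + cred_id + cose_key

NONE_SAMPLE = cbor_encode({"fmt": "none", "attStmt": {}, "authData": _sample_auth_data(b"\x00" * 16)})
TPM_SAMPLE = cbor_encode({
    "fmt": "tpm",
    "attStmt": {"ver": "2.0", "alg": -65535, "x5c": [b"<placeholder-cert>"], "sig": b"<placeholder-sig>",
                "certInfo": b"<placeholder-certInfo>", "pubArea": b"<placeholder-pubArea>"},
    "authData": _sample_auth_data(b"\xab" * 16),
})

if __name__ == "__main__":
    for name, sample in (("none", NONE_SAMPLE), ("tpm", TPM_SAMPLE)):
        print(name, inspect_attestation(sample), accept_registration(sample, {"tpm", "packed"}))
```

The point of the policy hook is that a server which asks for attestation "direct" and then accepts fmt "none" without noticing has silently downgraded to self-asserted registration; whether that is acceptable is an RP decision, but it should be a visible one, and logging the fmt at registration time is the cheapest way to spot the browser difference the report describes.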

Severity: -- → S3
Assignee: nobody → bugs

I think this will be fixed along with https://bugzilla.mozilla.org/show_bug.cgi?id=1631010 but I don't have a fingerprint reader at hand (haha, get it?); I can only verify it when configured with a PIN.

A fingerprint is not relevant for this use-case, Martinho - it just so happened I had a laptop with a fingerprint reader so I reported it. Given that Windows Hello works even with just a PIN, your testing with a PIN is sufficient and valid. The nature of FIDO/WebAuthn protocols only incorporates biometric templates for local user-verification to the device when such biometric devices are available; when they are not, the PIN is used to verify an authorized user locally within the context of FIDO protocols.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE