Closed Bug 1726824 Opened 3 years ago Closed 2 years ago

U2F does not work for Microsoft accounts

Categories

(Core :: DOM: Web Authentication, enhancement, P3)

Firefox 91

RESOLVED FIXED

People

(Reporter: tom, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Steps to reproduce:

This may be an issue with the website itself; however, when using User-Agent Switcher to report itself as Chrome, the issue persists, implying it's a missing API or something else rather than the site turning features off for Firefox on purpose.

  1. Set up U2F in a Microsoft account on https://accounts.microsoft.com (Advanced security, Add a new way to sign in or verify).
  2. You cannot register U2F here as the option is missing; however, even doing so in Chromium does not allow using it to sign in from Firefox once set up.
  3. Log out and try to log in through Firefox. In Chrome there is a "Sign in with a security key" option.

Actual results:

This option is missing in Firefox. As changing the user agent does not fix it, it would appear the site is looking for an API which is not yet implemented in Firefox.

The YubiKey demo site works fine, so it would appear to be an issue either with the Microsoft site or Firefox.

Expected results:

U2F should be available as a login option.

While this might be an issue with the site itself and require Microsoft to fix, from a Firefox user perspective this looks like Firefox is behind Chrome because it works fine there.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core
Severity: -- → S3
Priority: -- → P3
Depends on: 1803832
Depends on: enable-ctap2

It can register with Nightly now, but I still get an error when trying to log in with a hardware key in passwordless mode.

jschanck, how can I get the log of webauthn module?

If you're building from M-C you can do MOZ_LOG=authenticator::*:5 ./mach run. I'm not sure the relevant info is available in actual nightly builds (I'll look into fixing that).

I was able to reproduce the issue. Using ykman fido credentials list I can see that registration created a discoverable credential for login.microsoft.com. But when I try to authenticate the RP ID in the GetAssertion request is login.microsoftonline.com. Not clear to me whether this is a bug in our code or not. Might be Bug 1460986.
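Why a credential registered under one RP ID is not offered for another, shown as an added illustration that is not part of the bug thread or of Firefox's code: a discoverable credential is stored with the SHA-256 of its RP ID, and a GetAssertion request only matches credentials with the same hash. ToyAuthenticator, verify_rp_id and the flag and counter values are hypothetical and constructed; the two RP IDs are the ones quoted in the comment above.

```python
import hashlib
import hmac
import os
import struct

def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID: stored with the credential, echoed in authenticatorData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()

class ToyAuthenticator:
    """Minimal model of discoverable-credential lookup (not a real CTAP2 stack)."""

    def __init__(self):
        self.credentials = []  # (rp_id_hash, credential_id, rp_id)

    def make_credential(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)  # constructed credential ID
        self.credentials.append((rp_id_hash(rp_id), cred_id, rp_id))
        return cred_id

    def get_assertion(self, rp_id: str):
        """Empty allow list: candidates are credentials whose stored hash equals the request's."""
        wanted = rp_id_hash(rp_id)
        matches = [c for c in self.credentials if hmac.compare_digest(c[0], wanted)]
        if not matches:
            return None  # a real authenticator reports CTAP2_ERR_NO_CREDENTIALS
        flags, sign_count = 0x05, 1  # UP | UV and a counter, constructed values
        auth_data = wanted + struct.pack(">BI", flags, sign_count)
        return matches[0][1], auth_data

def verify_rp_id(auth_data: bytes, expected_rp_id: str) -> bool:
    """Relying-party check: bytes 0..31 of authenticatorData must hash the expected RP ID."""
    return hmac.compare_digest(auth_data[:32], rp_id_hash(expected_rp_id))

def demo():
    key = ToyAuthenticator()
    registered = key.make_credential("login.microsoft.com")
    same_rp = key.get_assertion("login.microsoft.com")
    other_rp = key.get_assertion("login.microsoftonline.com")
    return registered, same_rp, other_rp

if __name__ == "__main__":
    _, same_rp, other_rp = demo()
    print("login.microsoft.com       ->", "credential found" if same_rp else "no credentials")
    print("login.microsoftonline.com ->", "credential found" if other_rp else "no credentials")
```

The same hash comparison is what a relying party performs on the returned authenticatorData, so an assertion produced for one RP ID also fails verification against the other.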

Without bug 1460986 implemented, wouldn't attempts to use WebAuthn from a cross-origin frame return an early error? Are you thinking the site might have "if Firefox" or fallback code that then tries to do the auth from the parent document?

Yes, my guess is that we're seeing some fallback mechanism.

(In reply to John Schanck [:jschanck] from comment #5)

Yes, my guess is that we're seeing some fallback mechanism.

I think we should add https://bugzilla.mozilla.org/show_bug.cgi?id=1460986 to the dependencies of this bug as well.

I filed Bug 1820016 to work on the issue that Celeste reported in comment 2 (FWIW, it doesn't seem to be related to cross-origin frames. I'm redirected to the correct site on Chrome.)

This bug was originally about the option to sign in not being presented, and that part is fixed in Firefox 112.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED