Security key not recognized after a new method of pin code auth in Google (FIDO 2)
Categories: Thunderbird :: Account Manager, defect
Tracking: Not tracked
People: Reporter: znaczki654, Unassigned
Attachments: 3 files
Steps to reproduce:
- Create a Google account on PHONE in GMAIL APP (newest version) on ANDROID 10.
- Omit phone 2-step verification
- Add a security key (the prompt for a PIN appears, as if it used FIDO2 -> previously it was without a PIN)
- Log in via Thunderbird
- You can't because the key is not recognized
Actual results:
I've tested it on a previously made account where I had 3 keys registered. When I deleted one and re-registered it using this new PIN-code, FIDO2-like method of Google authentication, I could not log in using that key. However, the 2 other keys, which used a different method without providing a PIN code at the beginning, worked.
Expected results:
You should be able to log in via Thunderbird using a security key when using the latest method of adding a security key to Google. It's required for the Advanced Protection Program, as you will be logged off and you can't have app passwords, less-secure apps, or other methods of authentication, and g.co/sc does not always work.
It happens in both 91.9.0 and 91.9.1 of Thunderbird.
Windows 11 21H2 22000.675
Btw, how do I get Thunderbird 102, as 91.9.1 is the newest?
Comment 1 • 3 years ago (Reporter)
As for keys, the issue can be replicated on, but I think is not limited to:
YubiKey 5 NANO
YubiKey 5 NFC (I have two instances)
Comment 2 • 3 years ago (Reporter)
https://support.mozilla.org/en-US/questions/1377210#answer-1507349
This article can be helpful as I was trying to ask for help there before I recognized it is a bug.
Comment 3 • 3 years ago (Reporter)
Ah, and I'll just mention that on the web (gmail.com) or phone (Gmail app or website) I can log in with either of these keys (the one registered previously without a PIN in the setup and the one registered now with the PIN).
So it's only a Thunderbird issue.
Comment 4 • 3 years ago
I don't have a hardware key, so I can't verify this.
Do you have cookies blocked in Thunderbird?
Thunderbird probably needs cookies for this to work.
Did you check if normal login with OAuth works?
Thunderbird 102 isn't yet in beta phase, so you can only download it from the Daily channel: go to https://www.thunderbird.net , scroll all the way to the bottom, select DAILY CHANNEL on the right and click DOWNLOAD DAILY.
Comment 5 • 3 years ago (Reporter)
I don't have cookies blocked. OAuth worked with the previous method of security key authentication in Gmail and works until now, but if I re-register the key, the key is not recognized. I think that Thunderbird has only U2F implemented, not FIDO2, which Google might have used.
"Did you check if normal login with OAuth works?" - also, normal password login and login via mobile token work on Google; it's the security key, and only the newest option, that has a problem. The previous option didn't require providing a PIN.
Please consult someone who owns a security key to investigate the bug further.
Comment 6 • 3 years ago
Well, I don't have an Android either, so that would also be a problem for me in testing.
Having said that... I do find fido2 in the source code for tb102, and not in tb91, so you might have luck checking out the daily version/alpha release.
https://searchfox.org/comm-esr91/search?q=fido2&path=
https://searchfox.org/comm-central/search?q=fido2&path=
Comment 7 • 3 years ago (Reporter)
Can I download them alongside each other? Do they behave like Chrome Canary, as a separate instance, or might they use the same folders for accounts etc.?
If I installed a daily version on a computer which has a stable release, will all the accounts be moved from the release version, or will it be a blank instance of Thunderbird?
Comment 8 • 3 years ago (Reporter)
It still doesn't work even on the daily version of Thunderbird 102.0a1.en
Comment 9 • 3 years ago (Reporter)
With the security key previously added to a different account with the old implementation from Google, it works, as you can see. It recognizes my security key.