GitHub's signin form's 2FA does not work with Yubikey 5 series when `security.webauthn.ctap2 = true`
Categories
(Core :: DOM: Web Authentication, defect, P3)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox107 | --- | unaffected |
| firefox108 | --- | unaffected |
| firefox109 | --- | disabled |
| firefox110 | --- | disabled |
| firefox111 | --- | fixed |
People
(Reporter: tetsuharu, Assigned: jschanck)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
Summary
After bug 1804624 was fixed, GitHub's sign-in form 2FA does not work in Firefox with a Yubikey 5.
Environments
- Firefox Nightly
- build id 20221209044848
- source https://hg.mozilla.org/mozilla-central/rev/408707dd85c50c8acc6f7ae0fdba5ee32295beb0
- macOS Ventura (13.0)
Steps to reproduce
- Open https://github.com/login
- Input your login name & password and click "sign in".
- GitHub moves to 2FA page if you enable it for your account.
- Click "Use Security Key" green button
- Firefox opens a doorhanger.
- Activate my Yubikey inserted into my laptop
Expected Result
Works fine.
Actual Result
- GitHub says "Security key authentication failed."
- Firefox's devtools shows the error:
```
Uncaught (in promise) DOMException: The operation failed for an unknown transient reason webauthn-get.ts:110:19
prompt webauthn-get.ts:110
AsyncFunctionThrow self-hosted:949
(Async: async)
i bind.js:73
(Async: EventListener.handleEvent)
k bind.js:98
h bind.js:59
connectedCallback bind.js:10
connectedCallback core.js:12
CatalystDelegate register.js:12
CatalystDelegate core.js:33
w controller.js:9
fx behaviors-52d339beed84.js:132
87580 webauthn-get.ts:16
Webpack 8
c
b
<anonymous>
O
<anonymous>
b
b
<anonymous>
```
Comment 1•3 years ago
|
||
Set release status flags based on info from the regressing bug 1530373
:jschanck, since you are the author of the regressor, bug 1530373, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
| Assignee | ||
Comment 2•3 years ago
|
||
Thanks, we're disabling CTAP2 support in Nightly by backing out Bug 1752089 while we work on a fix. It seems that we have a number of issues with CTAP2 capable devices being used in a compatibility mode. The login works if a PIN is set on the token.
| Assignee | ||
Updated•3 years ago
|
Can confirm this comment on latest nightly.

> The login works if a PIN is set on the token

It works with the newest Yubikey series 5; however, Yubikey Neo (and series 4) don't support PIN-based auth. Firefox correctly distinguishes whether to ask for a PIN; however, I'm also seeing the same auth error with no PIN set/no FIDO2 support.
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1530373
Comment 5•3 years ago
|
||
John, can you please take a look and update 'affected' flags accordingly?
Comment 6•3 years ago
|
||
msirringhaus, could you take a look at this problem? You should be more familiar with this code.
| Assignee | ||
Comment 7•3 years ago
|
||
msirringhaus has a patch for this issue here. I plan on vendoring a new version of authenticators into M-C in the Firefox 111 cycle, but there are a few other issues I want to take care of at the same time.
| Assignee | ||
Comment 8•3 years ago
|
||
Comment 10•3 years ago
|
||
| bugherder | ||
| Reporter | ||
Comment 11•3 years ago
|
||
It seems this is not fixed in https://hg.mozilla.org/mozilla-central/rev/20512741e7b60f3f6791002d8311d681f9242e68
| Assignee | ||
Comment 12•3 years ago
|
||
Can you tell me a bit more about your configuration? Which applications are enabled on your Yubikey? What's the value of security.webauthn.ctap2?
For what it's worth, I've tested that login page with a Yubikey 5 series with and without the FIDO2 application enabled, with and without a PIN set, and with various changes to the configuration between registration and authentication.
| Assignee | ||
Comment 13•3 years ago
|
||
I think I tracked down the problem. If you registered your Yubikey a while ago, it might pre-date the transition from the legacy U2F javascript API to WebAuthn. We're probably not handling the compatibility extension correctly. Have you had your key registered since before August 2019?
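The compatibility extension mentioned in comment 13 is WebAuthn's `appid` extension: a credential registered through the legacy U2F JavaScript API is scoped to the site's U2F AppID rather than its RP ID, so the relying party has to request `appid` and then accept an `rpIdHash` computed over either value. The following relying-party sketch is an added example, not code from Firefox, authenticator-rs or GitHub; `example.com`, the AppID URL and the function names are constructed for illustration.

```javascript
// Added example: relying-party handling of the WebAuthn `appid` extension.
const nodeCrypto = require("node:crypto");

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest();

// Options passed to navigator.credentials.get(). `legacyAppId` is set only when
// the account holds credentials registered through the old U2F JavaScript API.
function buildGetOptions({ rpId, challenge, credentialIds, legacyAppId }) {
  const publicKey = {
    rpId,
    challenge,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
  };
  if (legacyAppId) publicKey.extensions = { appid: legacyAppId };
  return { publicKey };
}

// Check the first 32 bytes of authenticatorData (rpIdHash) against the scope
// the client reports: SHA-256(AppID) when getClientExtensionResults().appid
// is true, SHA-256(RP ID) otherwise. Returns which scope matched.
function checkRpIdHash({ authenticatorData, clientExtensionResults, rpId, legacyAppId }) {
  // rpIdHash (32) + flags (1) + signature counter (4) is the minimum length.
  if (authenticatorData.length < 37) throw new Error("authenticatorData too short");
  const usedAppId = clientExtensionResults.appid === true;
  if (usedAppId && !legacyAppId) throw new Error("appid reported but never requested");
  const expected = sha256(usedAppId ? legacyAppId : rpId);
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!nodeCrypto.timingSafeEqual(rpIdHash, expected)) {
    throw new Error("rpIdHash mismatch");
  }
  return usedAppId ? "appid" : "rpid";
}

// Constructed sample: authenticatorData as a token scoped to `scope` would emit
// (user-present flag set, counter = 5).
function sampleAuthData(scope) {
  return Buffer.concat([sha256(scope), Buffer.from([0x01]), Buffer.from([0, 0, 0, 5])]);
}
```

A credential registered before the U2F-to-WebAuthn transition only verifies when the client actually applies the extension and reports `appid: true`; if the client drops it, the hash check fails even though the key itself is valid.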
| Reporter | ||
Comment 14•3 years ago
|
||
(In reply to John Schanck [:jschanck] from comment #12)
> Can you tell me a bit more about your configuration? Which applications are enabled on your Yubikey? What's the value of `security.webauthn.ctap2`?
>
> For what it's worth, I've tested that login page with a Yubikey 5 series with and without the FIDO2 application enabled, with and without a PIN set, and with various changes to the configuration between registration and authentication.

After some tries to clarify the steps to reproduce and my environment, I found some context and my problem was fixed...
- My hardware environment has not changed since comment #0, where I filed this bug.
- I haven't set any PIN on my Yubikey 5.
- My Yubikey 5 was registered to GitHub in May 2019. I faced this bug again with this setting, as in comment #11.
- I registered the same Yubikey 5 to GitHub again with Firefox https://hg.mozilla.org/mozilla-central/rev/20512741e7b60f3f6791002d8311d681f9242e68 with `security.webauthn.ctap2=true`; after that, I could sign in to GitHub as usual without any errors.
- I guess that a user may face this bug when using a key registered to GitHub years ago....?

I'm sorry if I'm confusing you with my report.
| Reporter | ||
Comment 15•3 years ago
|
||
(In reply to John Schanck [:jschanck] from comment #13)
> Have you had your key registered since before August 2019?

Ah, Yes.
| Assignee | ||
Comment 16•3 years ago
|
||
Thanks! I'm going to resolve this as fixed since we took care of a separate github login issue in the patch. I've opened Bug 1814722 to continue work on the AppID issue.