Enabling security.webauthn.ctap2 will request PIN entry when only touch verification is required
Component: Core :: DOM: Web Authentication (defect, P2)
Reporter: devnull771992; Assigned: jschanck
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Steps to reproduce:
- Set up a FIDO/U2F token* for login on a Nextcloud instance (also tested with GitHub); this will require the user to touch the token, no PIN is required
- Set security.webauthn.ctap2 to true (currently false is the default in Firefox 109)
- Nextcloud will now require the user to enter a PIN to log in
* Using a Nitrokey Fido2 token
Actual results:
The authentication process changed by requiring PIN entry instead of touch verification to log in to a service that was previously set up without a PIN requirement.
Expected results:
Firefox should not request the PIN to be entered when the service was set up using U2F or Fido2 with touch verification only.
When using Chromium for the login process, it works as expected and no PIN is required.
Comment 1 (2 years ago):
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2 (Reporter, 2 years ago):
Some notes:
Services using Fido2 authentication can require the user to use different factors to authenticate:
- The user needs to have a token connected
- The user needs to touch the token to verify the authentication
- The user needs to enter the token PIN to verify the authentication
These steps can also be combined, to have the user both touch the token and enter the PIN.
Entering a PIN should only be requested if the authentication service requests this.
This bug is likely caused by registering the key for U2F (Fido1) using CTAP, but after enabling CTAP2 something goes wrong.
Comment 3 (Reporter, 2 years ago):
This can also be reproduced on https://webauthn.io for testing
- Register key while security.webauthn.ctap2=false - touch is requested
- Login with key while security.webauthn.ctap2=false - touch is requested
- Login with key while security.webauthn.ctap2=true - PIN is requested
If the register step is done with security.webauthn.ctap2=true, a PIN is also requested during registration, but this might be intentional.
Comment 4 (Assignee, 2 years ago):
Is this still an issue for you? I think we resolved it in Bug 1804624, but I don't have a Nitrokey Fido2 to test with.