Closed Bug 1815529 Opened 2 years ago Closed 2 years ago

Firefox 109.0.1 (64-bit) does not respect PIN set on Yubikey 5 NFC. Safari and Chrome do.

Categories

(Core :: DOM: Credential Management, defect)

Firefox 109
defect

RESOLVED DUPLICATE of bug 1530370

People

(Reporter: bill.barrick, Unassigned)

Details

Steps to reproduce:

I browsed to a brokerage web site where I have two-factor auth set with Yubikey 5 NFC. I entered username/pw and tapped the Yubikey as prompted by the site.

Actual results:

When tapping the Yubikey, FF does not challenge for the set PIN. Safari and Chrome do. This is a security vulnerability.

Expected results:

FF should have challenged me for the PIN I set on the device.

This is most likely a FIDO implementation issue.

Group: core-security → dom-core-security
Component: DOM: Device Interfaces → DOM: Credential Management

Firefox does not support FIDO2 tokens yet, only the FIDO U2F protocol, which predates PINs. If your token supports both protocols then you can use the key under the old protocol. If you use the Yubikey Authenticator software you can disable the U2F protocol, but then Firefox will not be able to use your key.

Your PIN will be enforced on Firefox Nightly currently, but it's not ready to ship.

Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: webauthn-ctap2
Resolution: --- → DUPLICATE
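
The difference described in the comment above is visible to a relying party: a U2F-style assertion carries only the user-present flag, while a PIN-backed FIDO2 assertion also sets the user-verified flag. The following is an added example, not code from this bug, Firefox, or the site in question. It assumes the site receives WebAuthn authenticator data; `checkAssertionPolicy`, `requireUV` and the sample bytes are hypothetical names and constructed values.

```javascript
// Added example. Layout per the WebAuthn authenticator data structure:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical server-side policy: requireUV models a site that wants the PIN enforced.
function checkAssertionPolicy(bytes, { requireUV }) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { ok: false, reason: "no user presence (touch)" };
  if (requireUV && !data.userVerified) {
    return { ok: false, reason: "touch only, no user verification (PIN)" };
  }
  return { ok: true, reason: data.userVerified ? "touch + PIN" : "touch only" };
}

// Constructed sample inputs: placeholder rpIdHash (0xAA bytes), not from a real token.
function sample(flags, counter) {
  const b = new Uint8Array(37).fill(0xaa, 0, 32);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, counter, false);
  return b;
}
const u2fStyle = sample(FLAG_UP, 41);               // touch only, as under U2F
const ctap2WithPin = sample(FLAG_UP | FLAG_UV, 42); // touch plus PIN

console.log(checkAssertionPolicy(u2fStyle, { requireUV: true }));
console.log(checkAssertionPolicy(ctap2WithPin, { requireUV: true }));
```

A site that needs the PIN as part of its second factor has to enforce this on the server; it cannot rely on the browser prompting for it.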