FIDO2 / WebAuthn cannot set FIDO2 PIN during registration
Categories: Core :: DOM: Web Authentication, defect, P3
People: Reporter: drew.dani, Assigned: jschanck
Attachments: 1 file (473.84 KB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Steps to reproduce:
The WebAuthn spec allows setting the FIDO2 PIN via the web. When registering a new credential using the WebAuthn API, the "user verification" (UV) requirement can be set by the relying party (RP) to require the user to perform a specific action to prove their identity. This action can involve using a biometric factor, such as a fingerprint or facial recognition, or a PIN.
In Chrome, in the case where a security token does not have a FIDO2 pin set, with user verification set to required, the browser prompts the user to set the security token PIN during WebAuthn registration.
This bug has been open in GitHub issues: https://github.com/mozilla/authenticator-rs/issues/223.
Actual results:
Firefox bug:
- Reset FIDO2 on the security key.
- Go to https://webauthn.io/.
- Expand the advanced settings, under Registration Settings, select User Verification as Required.
- Enter jondoe as a username in the example_username field.
- Click on Register.
- There is an error: The authenticator was unable to process the specified options, or could not create a new credential.
- The registration fails.
Expected results:
Chrome experience:
- Reset FIDO2 on the security key.
- Go to https://webauthn.io/.
- Expand the advanced settings, under Registration Settings, select User Verification as Required.
- Enter jondoe as a username in the example_username field.
- Click on Register.
- Examine the prompt to set the FIDO2 PIN and set the FIDO2 PIN.
- Tap on the token to complete the registration.
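The registration the reporter describes, as an added example that is not part of the bug report, of webauthn.io, or of Firefox's code: the RP requests userVerification "required" and, once the response arrives, checks the UV flag in authenticatorData instead of trusting the request parameter. The function names and the sample bytes are constructed for this illustration.

```javascript
// Added example: RP-side registration with UV required, plus the flag check an RP
// must perform on the response. Not code from the bug report or from Firefox.
// Byte layout of authenticatorData (WebAuthn spec, section 6.1):
//   rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData... | extensions...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (PIN or biometric)
const FLAG_AT = 0x40; // attested credential data follows the fixed prefix

function parseAuthDataFlags(authData) {
  const bytes = new Uint8Array(authData);
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredential: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Policy check on the response: if the RP required UV, a registration whose
// authenticator did not actually set the UV bit is rejected.
function acceptsRegistration(authData, requiredUV) {
  const f = parseAuthDataFlags(authData);
  if (!f.userPresent) return false;
  return requiredUV ? f.userVerified : true;
}

// Browser-side call matching the webauthn.io settings in the report
// (user verification "required"). Runs only in a browser; not invoked here.
async function registerRequiringUV(rpId, userName, challenge) {
  const cred = await navigator.credentials.create({
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: new TextEncoder().encode(userName), name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { userVerification: "required" },
    },
  });
  // With a key that has no PIN set, Firefox (at the time of the report) fails
  // here instead of prompting the user to set one, so this line is never reached.
  return acceptsRegistration(cred.response.getAuthenticatorData(), true);
}

// Constructed sample: only the fixed 37-byte prefix (rpIdHash, flags, counter);
// parseAuthDataFlags reads nothing beyond it.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 1; // signCount = 1
  return b;
}
```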
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
It should be fixed after https://hg.mozilla.org/mozilla-central/rev/6e9b9562dd9b ?
(In reply to Celeste from comment #2)
It should be fixed after https://hg.mozilla.org/mozilla-central/rev/6e9b9562dd9b ?
No, it does not. That is the fix to support different forms of User Verification - Discouraged, Preferred, and Required. It addresses this GitHub issue: https://github.com/mozilla/authenticator-rs/issues/162.
The blocker currently is that the UI hasn't been implemented yet to set a PIN during registration: https://github.com/mozilla/authenticator-rs/issues/223#issuecomment-1409900002.
Comment 4•2 years ago
We're working on an about:webauthn page in Bug 1820725 which will expose a PIN management utility. The patch that Celeste linked to includes the routines for PIN management that the about page will use, but not the about page itself.
Once the about page is ready we'll need a prompt to either 1) direct the user to about:webauthn, or 2) use the underlying PIN management function directly from the prompt. We'll track that work here.
Setting the PIN via WebAuthn provides the best security and user experience, particularly when the WebAuthn application is placed in a FIPS-approved mode: https://docs.yubico.com/hardware/yubikey/yk-fips/tech-manual/fips5-fido.html#placing-the-webauthn-application-in-fips-approved-mode. In order for the YubiKey WebAuthn application to operate in a FIPS-approved mode, a WebAuthn PIN must be set. This PIN adds an extra layer of protection, ensuring that only authorized individuals can access the WebAuthn functionality and associated cryptographic operations. By default, no WebAuthn PIN is set, but enabling this feature enhances security measures and aligns with industry best practices. Additionally, setting the PIN via WebAuthn streamlines the user experience, as it offers a convenient and standardized method for authentication across different platforms and devices.
Furthermore, the Chrome browser provides support for setting the FIDO2 PIN via the WebAuthn Registration API. This allows users to conveniently set their WebAuthn PIN directly within the browser, eliminating the need for additional software or complex configuration steps. By leveraging the WebAuthn Registration API in Chrome, users can easily manage their FIDO2 PIN, enhancing both security and user experience. This standardized approach to PIN management promotes widespread adoption of WebAuthn and ensures a consistent, seamless authentication process across various platforms and devices.