Open Bug 1819346 Opened 1 year ago Updated 2 months ago

FIDO2 / WebAuthn cannot set FIDO2 PIN during registration

Categories: Core :: DOM: Web Authentication, defect, P3
Version: Firefox 109
Status: ASSIGNED
People: Reporter: drew.dani, Assigned: jschanck
Attachments: 1 file

Attached image ff-set-pin.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Steps to reproduce:

The WebAuthn spec allows the FIDO2 PIN to be set via the web. When registering a new credential using the WebAuthn API, the "user verification" (UV) requirement can be set by the relying party (RP) to require the user to perform a specific action to prove their identity. This action can involve using a biometric factor, such as a fingerprint or facial recognition, or a PIN.

In Chrome, in the case where a security token does not have a FIDO2 PIN set, with user verification set to required, the browser prompts the user to set the security token PIN during WebAuthn registration.

This bug has been open in GitHub issues: https://github.com/mozilla/authenticator-rs/issues/223.

Actual results:

Firefox bug:

  1. Reset FIDO2 on the security key.
  2. Go to https://webauthn.io/.
  3. Expand the advanced settings, under Registration Settings, select User Verification as Required.
  4. Enter jondoe as a username in the example_username field.
  5. Click on Register.
  6. There is an error: The authenticator was unable to process the specified options, or could not create a new credential.
  7. The registration fails.

Expected results:

Chrome experience:

  1. Reset FIDO2 on the security key.
  2. Go to https://webauthn.io/.
  3. Expand the advanced settings, under Registration Settings, select User Verification as Required.
  4. Enter jondoe as a username in the example_username field.
  5. Click on Register.
  6. Examine the prompt to set the FIDO2 PIN and set the FIDO2 PIN.
  7. Tap on the token to complete the registration.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core
Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3

(In reply to Celeste from comment #2)

> It should be fixed after https://hg.mozilla.org/mozilla-central/rev/6e9b9562dd9b ?

No, it does not. That is the fix to support different forms of User Verification: Discouraged, Preferred, and Required. It addresses this GitHub issue: https://github.com/mozilla/authenticator-rs/issues/162.
The blocker currently is that the UI hasn't been implemented yet to set a PIN during registration: https://github.com/mozilla/authenticator-rs/issues/223#issuecomment-1409900002.

We're working on an about:webauthn page in Bug 1820725 which will expose a PIN management utility. The patch that Celeste linked to includes the routines for PIN management that the about page will use, but not the about page itself.

Once the about page is ready we'll need a prompt to either 1) direct the user to about:webauthn, or 2) use the underlying PIN management function directly from the prompt. We'll track that work here.

See Also: → 1820725

Setting the PIN via WebAuthn provides the best security and user experience, particularly when the WebAuthn application is placed in a FIPS-approved mode: https://docs.yubico.com/hardware/yubikey/yk-fips/tech-manual/fips5-fido.html#placing-the-webauthn-application-in-fips-approved-mode. In order for the YubiKey WebAuthn application to operate in a FIPS-approved mode, a WebAuthn PIN must be set. This PIN adds an extra layer of protection, ensuring that only authorized individuals can access the WebAuthn functionality and associated cryptographic operations. By default, no WebAuthn PIN is set, but enabling this feature enhances security measures and aligns with industry best practices. Additionally, setting the PIN via WebAuthn streamlines the user experience, as it offers a convenient and standardized method for authentication across different platforms and devices.

Furthermore, the Chrome browser provides support for setting the FIDO2 PIN via the WebAuthn Registration API. This allows users to conveniently set their WebAuthn PIN directly within the browser, eliminating the need for additional software or complex configuration steps. By leveraging the WebAuthn Registration API in Chrome, users can easily manage their FIDO2 PIN, enhancing both security and user experience. This standardized approach to PIN management promotes widespread adoption of WebAuthn and ensures a consistent, seamless authentication process across various platforms and devices.

See Also: → 1841398