Closed Bug 1822429 Opened 2 years ago Closed 2 years ago

PIN always required for WebAuthn even when user verification is discouraged

Categories

(Core :: DOM: Web Authentication, defect, P2)

Product:
Core
Component:
DOM: Web Authentication
Version:
Firefox 113
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
114 Branch
Tracking Flags:
Tracking Status
firefox114 --- verified

People

(Reporter: will.smart, Assigned: jschanck)

References

Details

Attachments

(2 files)

Screenshot 2023-03-14 at 6.28.02 PM.png
709.33 KB, image/png
Details
Bug 1822429 - Don't require PIN if user verification is discouraged. r=jschanck
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

  1. Insert a FIDO2 key that has a PIN configured
  2. visit https://webauthn.io/
  3. Enter a username
  4. Register a new credential with the following advanced settings:
    User Verification = Discouraged
    Discoverable Credential = Discouraged
  5. Enter the FIDO2 key pin and complete the registration ceremony
  6. Authentication with the following advanced settings:
    User Verification = Discouraged
  7. Complete the authentication ceremony

This issue is reproducible with a new Firefox profile, and occurs on the latest Firefox Nightly.

Version 113.0a1
Build ID 20230314094139

Actual results:

Firefox prompts for a PIN, even though the credential is not discoverable and the relying party specified User Verification was Discouraged. (See attached screenshot)

This behavior may result in prompting for the PIN when it is not desired by the relying party.

Expected results:

In all other web browsers I've tested with WebAuthn/CTAP2 support (Chrome and Safari on MacOS, for example), when performing the steps to reproduce, the authentication ceremony only requires user presence, not PIN entry.

I am able to reproduce this issue with FIDO2 keys from different vendors including a Yubikey 5.
This may actually be the same issue as https://bugzilla.mozilla.org/show_bug.cgi?id=1811866, which I'm able to reproduce as well on the current nightly version of Firefox.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

Thanks for the report. We should be able to fix this in Firefox 113.

Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Depends on: 1813982
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → 113 Branch
Target Milestone: 113 Branch → 114 Branch
Duplicate of this bug: 1827097
Depends on: 1828762
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aaab709d6ddd Don't require PIN if user verification is discouraged. r=msirringhaus,keeler

Backed out for causing build bustages in AndroidWebAuthnTokenManager.cpp.

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: /builds/worker/checkouts/gecko/dom/webauthn/AndroidWebAuthnTokenManager.cpp:159:19: error: no member named 'requireResidentKey' in 'mozilla::dom::WebAuthnAuthenticatorSelection'
Flags: needinfo?(jschanck)
Flags: needinfo?(jschanck)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8d1e3fba9215 Don't require PIN if user verification is discouraged. r=msirringhaus,keeler

https://hg.mozilla.org/mozilla-central/rev/8d1e3fba9215

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox114: --- → fixed
Resolution: --- → FIXED

Verified that at user authentication PIN is not required if UserVerification=Discharged on MAC 12.6 using Beta 114/Nightly 115 (tested with Feitian Fido device).

status-firefox114: fixedverified
Flags: qe-verify+
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: