webauthn-ctap2 User Verification seems to break other webauthn flows on Linux
Categories: Core :: DOM: Web Authentication, defect
People: Reporter: sergeantsagara, Unassigned
Attachments: 1 file (156.54 KB, image/png)
Steps to reproduce:
Tried to authenticate with GitHub (which uses FIDO U2F for 2FA with hardware security keys).
https://github.com/sessions/two-factor/webauthn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Actual results:
A popup for a CTAP2 user verification PIN appeared even though FIDO U2F does not support this. If you do not have a CTAP2 user verification PIN set on this device, the flow is locked out. Attempting to enter a PIN decrements the retry counter and cancelling breaks the authentication results (for GitHub, the error "Security key authentication failed." is thrown).
Expected results:
FIDO U2F should not have prompted for a PIN dialog but just proceeded to ask for presence verification like in other browsers.
Comment 1 • 2 years ago (John Schanck [:jschanck])
What kind of security key are you using? If it's a YubiKey, could you confirm that "ykman fido info" reports "PIN is not set"?
Comment 2 • 2 years ago (Reporter)
(In reply to John Schanck [:jschanck] from comment #1)
What kind of security key are you using? If it's a YubiKey, could you confirm that "ykman fido info" reports "PIN is not set"?
I am using a YubiKey 5 NFC. Actually, when I did test/post this bug, I did have a PIN set from previous testing purposes.
ykman fido info
PIN is set, with 4 attempt(s) remaining.
After resetting the FIDO appliance on the YubiKey, I do not see the PIN prompt.
ykman fido info
PIN is not set.
However, even with a PIN set, I believe this is a bug because GitHub is not requiring user verification of the PIN (this is why a browser like Chromium does not prompt for a PIN at the same link even if a PIN is set on the hardware key).
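The decision the reporter is describing (whether the client should open a PIN dialog at all) is easier to see in code. The following is an added illustration, not Firefox's, Chromium's or the reporter's code: it applies a simplified reading of the WebAuthn "userVerification" member and the CTAP2 authenticatorGetInfo options to the states shown by ykman above, and assumes the relying party sends userVerification "discouraged", which is what "not requiring user verification" amounts to on the wire.

```javascript
// Map the "ykman fido info" lines quoted in this bug to a CTAP2 getInfo-style
// description. The text passed in is constructed from those quoted lines.
function authenticatorFromYkmanInfo(text) {
  const m = text.match(/PIN is set, with (\d+) attempt\(s\) remaining/);
  if (m) return { ctap2: true, options: { clientPin: true }, retries: Number(m[1]) };
  if (/PIN is not set/.test(text)) return { ctap2: true, options: { clientPin: false } };
  throw new Error("unrecognised ykman output");
}

// Constructed authenticator descriptions for the other cases of interest.
const U2F_ONLY_KEY  = { ctap2: false };                      // CTAP1/U2F only: no PIN, no UV
const CTAP2_BUILTIN = { ctap2: true, options: { uv: true } }; // built-in UV, e.g. fingerprint

// What the client should do before sending getAssertion:
//   "presence"      only a touch (user presence) is needed
//   "collect-pin"   show a PIN dialog to obtain a pinUvAuthToken
//   "builtin-uv"    let the authenticator perform its own user verification
//   "unsatisfiable" the RP requires UV but this authenticator cannot provide it
function decideUserVerification(publicKeyOptions, authenticator) {
  const uv = publicKeyOptions.userVerification ?? "preferred"; // WebAuthn default
  const opts = (authenticator.ctap2 && authenticator.options) || {};
  const hasBuiltinUv = opts.uv === true;
  const pinSet = opts.clientPin === true;   // false or absent: there is no PIN to collect
  const canDoUv = hasBuiltinUv || pinSet;

  // The RP asked not to burden the user: a PIN dialog is never appropriate here,
  // whether or not a PIN happens to be set on the key. This is the case in the bug.
  if (uv === "discouraged") return "presence";
  if (!canDoUv) return uv === "required" ? "unsatisfiable" : "presence";
  // "preferred" is treated here as "use UV whenever the authenticator can";
  // real clients differ in how eagerly they do this (simplification, assumed).
  return hasBuiltinUv ? "builtin-uv" : "collect-pin";
}
```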
Updated • 2 years ago