Closed Bug 1828895 Opened 2 years ago Closed 2 years ago

UserVerified flag not supported with webauthn

Categories

(Core :: DOM: Web Authentication, defect)

Firefox 112

RESOLVED DUPLICATE of bug 1827748

People

(Reporter: pgadmin, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0

Steps to reproduce:

I'm implementing webauthn for a website, and found that the User Verified flag is not indicated when using a Trustkey G310 in the Authenticator Data using navigator.credentials.create() and ..get().

Actual results:

Using Chrome, the Trustkey will indicate "FIDO2" mode blinking blue, and the UV flag is set, stating that biometry was checked (a Yubikey5 without PIN will deliver UV=false as expected).
Using Firefox 112 (Mac and Linux), the Trustkey will blink orange, indicating UT2 Mode, check the fingerprint, but the UV flag remains unset.

Expected results:

To distinguish if the authenticator key is checking biometry (thus representing two factors), the UV flag should be transferred according to https://www.w3.org/TR/webauthn-2/#flags.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

This is expected in Firefox 112 as FIDO2 support is disabled by default. If you flip the security.webauthn.ctap2 flag to true you should get a PIN prompt and the UV flag in the response should be set.

You will not be able to use your fingerprint for user verification in Firefox 112, as we only recently landed support for that feature. I would be curious to hear if it works as you expect in Firefox 114 (Nightly).

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1827748
Resolution: --- → DUPLICATE

I checked with FF112 with security.webauthn.ctap2=true, as well as FF114.0a1 (s.w.ctap2 enabled by default).
FF112 will ask for the PIN, and then address the key with FIDO2-without-Biom mode (as you described), and the Authenticator Data has the UV flag set, so this looks fine.
FF114 does NOT ask for the PIN, uses FIDO2-without-Biom as well, and returns Auth-Data with UV flag unset. Seems a regression to me...

As a side note, I consider it annoying to ask to select which key to use when more than one is inserted (which is probably required with PINs. On Chrome, I just tap the Key I want and the browser will do the rest as expected).

Checking with FF114-0a1 2023-04-19:

Yubikey 5 without PIN:

  • userVerification discouraged: Auth succeeds->UV-false OK
  • userVerification required: immediate fail OK

Trustkey G310:

  • userVerification discouraged: Non-Bio mode, Auth succeeds->UV false OK
  • userVerification required: Bio-Mode, Auth succeeds->UV true OK

Yubikey 5 with PIN:

  • userVerification discouraged: PIN is requested, fail when touched FAIL
  • userVerification required: PIN is requested, fail when touched FAIL

So Yubikey 5 with PIN is completely broken, while fingerprint is fine now.

Ok there was something wrong with my test, the Yubikey-with-PIN wasn't registered... correction:

Whether userVerification is required or discouraged, Firefox will always ask for the PIN, and will always return Auth succeeded with UV=true.

The unregistered key just threw NS_ERROR_FAILURE, IMHO the user should be informed a little more in detail...
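
Added example, not part of the bug thread or of Firefox's code: a relying-party check that reads the UP and UV bits from the authenticator data discussed above and rejects a response when userVerification was "required" but UV is unset. The function names and the sample bytes are constructed for illustration, and it assumes the signature and rpIdHash are verified elsewhere.

```javascript
// Authenticator data layout (WebAuthn Level 2):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)
const FLAG_AT = 0x40; // bit 6: attested credential data follows
const FLAG_ED = 0x80; // bit 7: extension data follows

// Hypothetical helper: accepts an ArrayBuffer or Uint8Array.
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) {
    throw new Error(`authenticator data too short: ${bytes.length} bytes, need at least 37`);
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy is the userVerification value the relying party sent in its options.
// Run this on the server against the signed authenticator data, never on
// values the page script reports.
function checkUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set", userVerified: parsed.userVerified };
  }
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set", userVerified: false };
  }
  // With "preferred" or "discouraged" the response is accepted either way;
  // userVerified tells the caller whether the key checked a PIN or biometric.
  return { ok: true, reason: null, userVerified: parsed.userVerified };
}

// Constructed sample input: zeroed rpIdHash, chosen flags byte and counter.
function sampleAuthData(flags, signCount) {
  const b = new Uint8Array(37);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}
```
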
