Closed Bug 1829490 Opened 2 years ago Closed 2 years ago

Firefox 113 beta does not work when multiple security keys are available

Categories

(Core :: DOM: Web Authentication, defect)

Product:
Core
Component:
DOM: Web Authentication
Version:
Firefox 112
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
114 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- disabled
firefox113 --- disabled
firefox114 --- verified

People

(Reporter: toy.raymond, Unassigned)

References

(Regression)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0

Steps to reproduce:

First have two security keys plugged in. I have an old Yubikey nano USB-A, and a newer Yubikey NFC USB-A.

Login at gitlab.common-lisp.net. I know this fails. But I suspect it is also a problem with any website that supports security keys.

Actual results:

Firefox briefly says that the site wants to verify me. Then it goes away and says it failed to verify.

However, if I remove one of the keys (doesn't matter which one), and try again, it works fine. Note that both keys are recognized as valid by the website. I just have two because the Nano key is old and doesn't work on some websites. I could just use the one key, but having both available is handy.

Expected results:

Firefox should work with multiple keys plugged in. This is how Firefox 112 and earlier worked. I hope Firefox continues to support this especially since this used to work in earlier versions but not 113. Chrome stable doesn't have any problems with multiple security keys.

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core

Thanks for the report! Please try to find a regression range (you get a pushlog url at the end):
$ pip3 install mozregression
$ ~/.local/bin/mozregression --good 112 --bad 113 -a https://gitlab.common-lisp.net/users/sign_in

status-firefox112: --- → unaffected
status-firefox113: --- → affected
status-firefox-esr102: --- → unaffected
Component: Widget: Gtk → DOM: Web Authentication
Keywords: regression
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

Sorry, I can't help. I tried mozregression with the suggested command line. It starts with 113.0a1 and I the security keys don't work, as expected. I enter "bad", but the script then says

2:33.30 ERROR: Build was expected to be good! The initial good/bad range seems incorrect.

Don't know what to do from here.

Try going back further:
$ ~/.local/bin/mozregression --good 110 --bad 113 -a https://gitlab.common-lisp.net/users/sign_in

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

Going back further helped. Here is the last bit of output:

8:24.42 INFO: application_version: 111.0a1
Was this integration build good, bad, or broken? (type 'good', 'bad', 'skip', 'retry', 'back' or 'exit' and press Enter): bad
8:41.30 INFO: Narrowed integration regression window from [b7f07512, 6bc7d030] (3 builds) to [b7f07512, 7d0050f0] (2 builds) (~1 steps left)
8:41.30 INFO: No more integration revisions, bisection finished.
8:41.30 INFO: Last good revision: b7f07512450399f35fc38a7e94241b19a4c2693c
8:41.30 INFO: First bad revision: 7d0050f06d65d4c52c1f74bfb0c1751d2907ac70
8:41.30 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b7f07512450399f35fc38a7e94241b19a4c2693c&tochange=7d0050f06d65d4c52c1f74bfb0c1751d2907ac70

Do you want the entire log or is this enough?

Thanks!

status-firefox112: unaffecteddisabled
status-firefox113: affecteddisabled
status-firefox114: --- → affected
Regressed by: 1752089, enable-ctap2, 1816500
Summary: Firefox 113 does not work when multiple security keys are available → Firefox 113 beta does not work when multiple security keys are available

Does the problem still occur with latest Nightly?
mozregression --launch 2023-04-24 -a https://gitlab.common-lisp.net/users/sign_in

Duplicate of this bug: 1829577
No longer duplicate of this bug: 1829577

Latest lightly seems to work, but it's much slower and was a bit flaky.

The first few times, it failed with an error. Later (in the same session), it succeeded. I noticed that after logging in, there's a notification that multiple keys are available and I should select one. Not super clear how to select one, but I just pressed on one of the keys. A little later, it did succeed to log me in, using my Yubikey NFC key. It does seem to take a lot longer to login with the key than it used to though.

But when I used my older Yubikey Nano, it fails with an error about communicating with my device. I unplugged my NFC key, and tried again. The notification says there are multiple keys. There aren't. I get an failure message saying Firefox couldn't communicate with the device. I didn't get a chance to press the key.

Oh, chrome says the nano key isn't registered with the site. It would be useful if Firefox could figure that out and say so. (Perhaps that's a different issue?).

But it seems nightly is working with multiple keys now.

Thanks!

Depends on: 1830944

There were probably two issues here. One was Bug 1829577. The other was specific to the Yubikey Nano (https://github.com/mozilla/authenticator-rs/issues/255). Fixes for both issues landed with Bug 1830944.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
status-firefox114: affectedfixed
Target Milestone: --- → 114 Branch
Flags: qe-verify+

Verified on Mac12.6/Ubuntu 20.04 using FF build 114.0b4 that authenticating while having multiple security keys old Yubikey 4 and Feitian Fido works correctly on github.

status-firefox114: fixedverified
Flags: qe-verify+
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.