Closed Bug 1831394 Opened 2 years ago Closed 2 years ago

PIN retry counts are confusing

Categories: Core :: DOM: Web Authentication, defect, P3

Tracking: VERIFIED FIXED, 115 Branch
Tracking Status: firefox115 --- verified

People: Reporter: jschanck, Assigned: jschanck

References: Blocks 1 open bug

Attachments: 1 file

Using a Yubikey 5 series authenticator, I see a retry count of 7 after my first incorrect PIN entry, but after three incorrect PIN entries the authenticator needs a power cycle.

We can't expect the user to know that pinRetries is counting down to the CTAP2_ERR_PIN_BLOCKED event and not the CTAP2_ERR_PIN_AUTH_BLOCKED event.

It would be better to only show the retry count when it is equal to 1, 2, or 3, so that it is always interpreted as counting down to a CTAP2_ERR_PIN_BLOCKED.

Severity: -- → S3
Summary: PIN retry counts are inaccurate → PIN retry counts are confusing

The PIN for a user's security key will be temporarily blocked after three
failed PIN entry attempts, but the "retries left" counter in the invalid PIN
prompt is the (typically larger) number of attempts left before the PIN is
permanently blocked. This patch makes it so that the retries left counter is
only shown when it is equal to 1, 2, or 3.
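The two counters that the report above and this patch description distinguish, as an added toy model (not Firefox or authenticator-rs code): the authenticator's pinRetries counts down across power cycles towards CTAP2_ERR_PIN_BLOCKED, while three consecutive mismatches within one power cycle produce CTAP2_ERR_PIN_AUTH_BLOCKED, and the prompt function applies the patch's rule of showing the count only when it is 1, 2 or 3. The maximum of 8 retries, the limit of 3 per power cycle and the names Authenticator, PinResult and invalid_pin_prompt are assumptions for this example.

```rust
// Added example, not Firefox code. Models the two CTAP2 PIN counters that
// this bug is about; the limits 8 and 3 are assumed values for the model.
#[derive(Debug, PartialEq)]
pub enum PinResult {
    Ok,
    Invalid { pin_retries: u8 }, // CTAP2_ERR_PIN_INVALID plus the count getPinRetries would report
    AuthBlocked,                 // CTAP2_ERR_PIN_AUTH_BLOCKED: refused until a power cycle
    Blocked,                     // CTAP2_ERR_PIN_BLOCKED: permanent, reset required
}

pub struct Authenticator {
    pin: String,
    pin_retries: u8,       // counts down across power cycles until PIN_BLOCKED
    consecutive_fails: u8, // cleared by a power cycle; 3 in a row => PIN_AUTH_BLOCKED
}

impl Authenticator {
    pub const MAX_PIN_RETRIES: u8 = 8; // assumed maximum
    pub const MAX_PER_BOOT: u8 = 3;    // assumed per-power-cycle limit

    pub fn new(pin: &str) -> Self {
        Authenticator { pin: pin.to_string(), pin_retries: Self::MAX_PIN_RETRIES, consecutive_fails: 0 }
    }

    pub fn power_cycle(&mut self) {
        self.consecutive_fails = 0; // pin_retries deliberately survives the power cycle
    }

    pub fn try_pin(&mut self, pin: &str) -> PinResult {
        if self.pin_retries == 0 { return PinResult::Blocked; }
        if self.consecutive_fails >= Self::MAX_PER_BOOT { return PinResult::AuthBlocked; }
        if pin == self.pin {
            self.pin_retries = Self::MAX_PIN_RETRIES; // a correct PIN resets both counters
            self.consecutive_fails = 0;
            return PinResult::Ok;
        }
        self.pin_retries -= 1;
        self.consecutive_fails += 1;
        match (self.pin_retries, self.consecutive_fails) {
            (0, _) => PinResult::Blocked,
            (_, f) if f >= Self::MAX_PER_BOOT => PinResult::AuthBlocked,
            (r, _) => PinResult::Invalid { pin_retries: r },
        }
    }
}

// The prompt rule from the patch: show the count only when it is 1, 2 or 3,
// so the user always reads it as attempts left before PIN_BLOCKED.
pub fn invalid_pin_prompt(pin_retries: Option<u8>) -> String {
    match pin_retries {
        Some(n) if (1..=3).contains(&n) => format!("Incorrect PIN. You have {} attempts left before you permanently lose access to the credentials on this device.", n),
        _ => "Incorrect PIN. Try again.".to_string(),
    }
}

fn main() {
    let mut a = Authenticator::new("1234"); // constructed sample PIN
    for _ in 0..3 { println!("{:?}", a.try_pin("0000")); }
    println!("{}", invalid_pin_prompt(Some(7)));
}
```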

Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/76aeed342459 omit the retries left counter from the invalid PIN prompt when it is large. r=keeler,fluent-reviewers,flod
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Depends on: 1828926

Verified using the latest Nightly build 115.0a1 that the count is no longer confusing when an invalid PIN is submitted. After a few wrong PINs I get the message "Incorrect PIN. You have { $retriesLeft } attempts left before you permanently lose access to the credentials on this device.", but only when using the Yubico devices.

If using the Feitian token though I receive the messages:

  • "Incorrect PIN. Try again" 3 times
  • temporarily blocked message, with a power cycle solving the problem
  • "Incorrect PIN. Try again" 2 times
  • temporarily blocked message, with a power cycle solving the problem
  • "Incorrect PIN. Try again" 1 time
  • permanently blocked message, reset required

Let me know if this is correct for Feitian token.

Testing was done using the following:

  • Yubico 5 NFC
  • Yubico Bio
  • Feitian ePass FIDO2 Security Key A4B
  • Windows 7, Ubuntu 20.04 and macOS 13
Flags: needinfo?(jschanck)
Blocks: 1828926
No longer depends on: 1828926

Sounds like the Feitian token doesn't report a count for us to display. I don't think we can do anything to improve the user experience.

Flags: needinfo?(jschanck)

(In reply to John Schanck [:jschanck] from comment #5)

> Sounds like the Feitian token doesn't report a count for us to display. I don't think we can do anything to improve the user experience.

Thanks John, I'm gonna close this as verified fixed on 115 in this case.

Status: RESOLVED → VERIFIED