Open Bug 1833364 Opened 2 years ago Updated 2 years ago

Expose UI for the CTAP2.1 `toggleAlwaysUv` command

Categories

(Core :: DOM: Web Authentication, enhancement, P3)

People

(Reporter: bmaris, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Attachments

(1 file)

Found in

  • Firefox 114.0b3

Affected versions

  • Firefox 114.0b3
  • Nightly 114.0a1
  • Nightly 115.0a1

Tested platforms

  • Affected platforms: Windows 7, Ubuntu 18.04, macOS 13
  • Unaffected platforms: none

Prerequisites

  • Have only a PIN set up on the Yubico Bio token and no fingerprint

Steps to reproduce
Same as bug 1822429

  1. Insert Yubico BIO token
  2. Visit https://webauthn.io/
  3. Enter a username
  4. Register a new credential with the following advanced settings:
    User Verification = Discouraged
    Discoverable Credential = Discouraged
  5. Enter the Yubico key pin and complete the registration ceremony
  6. Authentication with the following advanced settings:
    User Verification = Discouraged
  7. Click the Authentication button

Expected result

  • Firefox does not prompt for a PIN when authenticating since the User Verification was Discouraged.

Actual result

  • Firefox prompts for a PIN, even though the credential is not discoverable and the relying party specified User Verification was Discouraged.

Regression range

  • Not a regression.

Additional notes

  • Basically it's the same thing as in bug 1822429
  • Not sure if this device has something special that also needs a PIN prompt when authenticating, but I did notice the same thing when using Chrome.
  • Not sure if this is indeed a bug or something with this specific device; if the latter, please close this bug.

Component: DOM: Push Notifications → DOM: Web Authentication

:bmaris, if you think that's a regression, could you try to find a regression range using for example mozregression?

This is the expected behavior as the YubiKey Bio implements the alwaysUv feature: https://docs.yubico.com/hardware/yubikey/yk-bio/tech-manual/FIDO2.html#user-verification.

There is a CTAP 2.1 toggleAlwaysUv command that lets the user turn off alwaysUv. We can implement that and expose it through the about:webauthn page that we're working on in Bug 1820725.

I'll change this bug to an enhancement request for toggleAlwaysUv.

Severity: S3 → --
Type: defect → enhancement
Depends on: 1820725
Priority: -- → P3
Summary: Using Yubico BIO token PIN is always required for WebAuthn even when user verification is discouraged → Expose UI for the CTAP2.1 `toggleAlwaysUv` command

https://github.com/mozilla/authenticator-rs/pull/261 implements the underlying command to toggle this option.
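
An added illustration, not code from this bug, Firefox or authenticator-rs: the request bytes for `toggleAlwaysUv` as the CTAP 2.1 specification defines the `authenticatorConfig` command, with the check on the getInfo options that tells a platform whether the toggle is available. The function names, the sample options and the sample token are constructed for this example; a real pinUvAuthToken has to be obtained with the authenticator configuration permission before the request is accepted.

```python
import hashlib
import hmac

AUTHENTICATOR_CONFIG = 0x0D  # CTAP2.1 authenticatorConfig command byte
TOGGLE_ALWAYS_UV = 0x02      # subCommand value for toggleAlwaysUv


def can_toggle_always_uv(options):
    """True if getInfo options advertise authenticatorConfig and alwaysUv support."""
    return options.get("authnrCfg") is True and "alwaysUv" in options


def authenticate(token, message, protocol):
    """PIN/UV auth 'authenticate': HMAC-SHA-256, cut to 16 bytes for protocol 1."""
    mac = hmac.new(token, message, hashlib.sha256).digest()
    if protocol == 1:
        return mac[:16]
    if protocol == 2:
        return mac
    raise ValueError("unknown pinUvAuthProtocol")


def cbor_bytes(b):
    """Minimal CBOR byte-string encoder, enough for 16- and 32-byte MACs."""
    if len(b) < 24:
        return bytes([0x40 | len(b)]) + b
    if len(b) < 256:
        return bytes([0x58, len(b)]) + b
    raise ValueError("too long for this minimal encoder")


def build_toggle_always_uv(pin_uv_auth_token, protocol):
    # toggleAlwaysUv carries no subCommandParams, so the MAC input is
    # 32 x 0xff || 0x0d || subCommand and nothing else.
    message = b"\xff" * 32 + bytes([AUTHENTICATOR_CONFIG, TOGGLE_ALWAYS_UV])
    param = authenticate(pin_uv_auth_token, message, protocol)
    # Command byte, then a CBOR map of three entries with ascending keys.
    header = bytes([AUTHENTICATOR_CONFIG, 0xA3,
                    0x01, TOGGLE_ALWAYS_UV,  # 0x01 subCommand
                    0x03, protocol,          # 0x03 pinUvAuthProtocol
                    0x04])                   # 0x04 pinUvAuthParam
    return header + cbor_bytes(param)


# Constructed sample data, not captured from a real token.
SAMPLE_OPTIONS = {"clientPin": True, "uv": False, "authnrCfg": True, "alwaysUv": True}
SAMPLE_TOKEN = bytes(range(32))

if __name__ == "__main__":
    if can_toggle_always_uv(SAMPLE_OPTIONS):
        print(build_toggle_always_uv(SAMPLE_TOKEN, 2).hex())
```

An `alwaysUv` value of true in the getInfo options is what makes the token ask for a PIN even when the relying party sets User Verification to Discouraged.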
