WebAuthn registration fails when user verification is "preferred" but the key does not use a PIN
Component: Core :: DOM: Web Authentication (defect, P3)
Reporter: interfect; Assignee: Unassigned
References: depends on 1 open bug
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Steps to reproduce:
- Make sure security.webauthn.ctap2 is true in about:config. (Setting it to false works around this issue).
- Go to https://webauthn.io/
- Enter a demo username and click Register
- Connect an authenticator device that does not have a PIN set, but which is capable of using PIN-based user verification (for example, a Yubikey 5 Nano).
Actual results:
The page reports that "The operation failed for an operation-specific reason". The browser displays a message that "User verification failed on webauthn.io. You may need to set a PIN on your device."
The demo also logs its registration request to the console:
REGISTRATION OPTIONS webauthn.io:501:17
{
  "rp": {
    "name": "webauthn.io",
    "id": "webauthn.io"
  },
  "user": {
    "id": "YWRzYXNkZmFzZGRm",
    "name": "adsasdfasddf",
    "displayName": "adsasdfasddf"
  },
  "challenge": "1UXDdGM_bbjwqNMQDnV49iA-qpu6LDGBlhO62IEmpsYbP2gC0yDU6mYfbs3Idn85ogDQBcHxx-liGUoGJ1AcYw",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": -7
    },
    {
      "type": "public-key",
      "alg": -257
    }
  ],
  "timeout": 60000,
  "excludeCredentials": [],
  "authenticatorSelection": {
    "residentKey": "preferred",
    "requireResidentKey": false,
    "userVerification": "preferred"
  },
  "attestation": "none",
  "extensions": {
    "credProps": true
  }
}
Expected results:
Because the user has not chosen to configure their device to require a PIN, and because the web site merely prefers but does not require user verification, the user should be allowed to proceed with the registration even though user verification will not be used.
It looks like the offending message was added in https://phabricator.services.mozilla.com/D176938.
There was a related problem at https://bugzilla.mozilla.org/show_bug.cgi?id=1822429 about trying to require a PIN when user verification was discouraged, but that didn't seem to cover the "preferred" case.
Also https://bugzilla.mozilla.org/show_bug.cgi?id=1811866 might be related but that seems like maybe a different underlying cause.
Comment 2•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Experiencing the same here:
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Tested with Yubico Security Key NFC.
Setting security.webauthn.ctap2 to false works around the error, as stated in the report.
Comment 4•2 years ago
The severity field is not set for this bug.
:jschanck, could you have a look please?
For more information, please visit BugBot documentation.
Comment 5•2 years ago
Some security tokens, in particular those that support CTAP 2.0 but not CTAP 2.1, require user verification for all registrations. So it's possible that the only solution here is to set a PIN. In the near future we'll present a more helpful "Set a PIN" modal for this case (Bug 1819346).
It's possible there is a bug here, but we would need information about your authenticator that isn't readily available from Firefox. We can revisit once Bug 1820725 lands. Or, if you have Chrome available, we can get the necessary information from the "chrome://device-log" page. After performing a registration you should see two lines that look like:
FIDO Debug [15:44:47] -> {1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"], 2: ["credProtect", "hmac-secret"], 3: h'2FC0579F811347EAB116BB5A8DB9202A', 4: {"rk": true, "up": true, "plat": false, "clientPin": false, "credentialMgmtPreview": true}, 5: 1200, 6: [2, 1], 7: 8, 8: 128, 9: ["nfc", "usb"], 10: [{"alg": -7, "type": "public-key"}, {"alg": -8, "type": "public-key"}], 13: 4, 14: 328707}
FIDO Debug [15:44:47] Sending CTAP2 AuthenticatorGetInfo request to authenticator.
The value for the "1" key in the first line (["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"]) indicates the supported versions. My guess is that your highest supported version is "FIDO_2_0".
Thanks for this info.
I checked with chromium on https://webauthn.io/.
With the default advanced settings, trying to register the key gives a dialog asking to set a PIN.
When setting Discoverable Credential to discouraged I can register without a PIN, and device-log gives:
FIDODebug[11:15:01] The device supports the CTAP2 protocol.
FIDODebug[11:15:01] -> {1: ["U2F_V2", "FIDO_2_0"], 2: ["hmac-secret"], 3: h'6D44BA9BF6EC2E49B9300C8FE920CB73', 4: {"rk": true, "up": true, "plat": false, "clientPin": false}, 5: 1200, 6: [1]}
FIDODebug[11:15:01] Sending CTAP2 AuthenticatorGetInfo request to authenticator.
So your guess seems right.
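As an added example (not code from the bug, Firefox or Chromium), here is a small Python parser for the "->" authenticatorGetInfo lines quoted from chrome://device-log above, plus the two checks comment 5 walks through: the highest CTAP version in key 1 and the clientPin option in key 4. The sample line and the hypothetical likely_needs_pin heuristic are constructed for illustration; the heuristic encodes comment 5's reasoning, not any authenticator's actual rules.

```python
import json
import re
from typing import Any

# Constructed sample in the shape of the device-log lines above (AAGUID made up).
SAMPLE_LINE = ('FIDO Debug [15:44:47] -> {1: ["U2F_V2", "FIDO_2_0"], '
               '2: ["hmac-secret"], 3: h\'00112233445566778899AABBCCDDEEFF\', '
               '4: {"rk": true, "up": true, "plat": false, "clientPin": false}, '
               '5: 1200, 6: [1]}')

# CTAP version strings from lowest to highest capability.
CTAP_ORDER = ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE", "FIDO_2_1"]


def parse_get_info(line: str) -> dict:
    """Turn a '-> {...}' getInfo dump into a dict keyed by CBOR map key.

    The dump is CBOR diagnostic notation: integer map keys and h'..' byte
    strings are not JSON, so rewrite those two forms and let json.loads
    handle the rest (strings, bools, negative ints, nested lists/maps).
    """
    body = line[line.index("{"):]
    body = re.sub(r"h'([0-9A-Fa-f]*)'", r'"h:\1"', body)       # byte strings
    body = re.sub(r"(?<=[{,])\s*(-?\d+)\s*:", r' "\1":', body)  # integer keys
    return _fix_types(json.loads(body))


def _fix_types(value: Any) -> Any:
    """Restore integer keys and bytes that the JSON round-trip stringified."""
    if isinstance(value, dict):
        return {int(k) if k.lstrip("-").isdigit() else k: _fix_types(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_fix_types(v) for v in value]
    if isinstance(value, str) and value.startswith("h:"):
        return bytes.fromhex(value[2:])
    return value


def highest_version(info: dict) -> str:
    ranked = [v for v in CTAP_ORDER if v in info.get(1, [])]
    return ranked[-1] if ranked else "unknown"


def pin_state(info: dict) -> str:
    """clientPin true = PIN set; false = PIN supported but not set; absent = no PIN support."""
    opts = info.get(4, {})
    if "clientPin" not in opts:
        return "unsupported"
    return "set" if opts["clientPin"] else "not set"


def likely_needs_pin(info: dict) -> bool:
    """Hypothetical heuristic from comment 5: a CTAP 2.0-only token with PIN support but no PIN set."""
    return highest_version(info) == "FIDO_2_0" and pin_state(info) == "not set"
```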