Closed Bug 1846097 Opened 9 months ago Closed 9 months ago

WebAuthn credential creation fails on devices where the highest supported CTAP version is FIDO_2_0 and no PIN is set on the device.

Categories

(Core :: DOM: Web Authentication, defect, P2)

Firefox 117
Unspecified
macOS
defect

Tracking

RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fixed

People

(Reporter: will.smart, Assigned: jschanck)

References

Details

Steps to reproduce:

Go to a WebAuthn test site, like webauthn.io, and configure it to discourage User Verification (https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=all&algES256=true&algRS256=true&discoverableCredential=discouraged&authUserVerification=preferred)

Set a username and click "register"

When prompted, use a security key which supports FIDO_2_0, but not FIDO_2_1_PRE, and has no PIN set.

This occurs on MacOS on the latest Nightly (117)
It does not occur when security.webauthn.ctap2 is set to false

It appears to be related to https://github.com/mozilla/authenticator-rs/issues/283

While this does not affect currently available YubiKeys, it affects old versions (5.0.x and 5.1.x), as well as a number of FIDO2 keys that are currently available for purchase on Amazon.

Actual results:

An error: "User verification failed on webauthn.io. You may need to set a PIN on your device"

Expected results:

The webauthn makecredential should succeed and create a credential without user verification, as the relying party requested with uv=discouraged.
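To make the expected behaviour concrete from the relying party's side, here is an added example (not code from the bug report, Firefox or authenticator-rs) of the creation options the reporter's webauthn.io configuration maps to, together with the authenticator-data flag check an RP uses to accept a credential created with user presence but no user verification; the RP id and name are assumed values.

```javascript
// Options for navigator.credentials.create() matching the report's
// webauthn.io settings: UV discouraged, attestation none, ES256/RS256.
function registrationOptions(challenge, userId, username) {
  return {
    publicKey: {
      rp: { id: "example.test", name: "Example RP" }, // assumed RP
      user: { id: userId, name: username, displayName: username },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      attestation: "none",
      authenticatorSelection: {
        residentKey: "discouraged",
        userVerification: "discouraged",
      },
    },
  };
}

// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | attested credential data ...
// Flag bits: UP=0x01, UV=0x04, AT=0x40, ED=0x80.
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    up: (flags & 0x01) !== 0,
    uv: (flags & 0x04) !== 0,
    at: (flags & 0x40) !== 0,
    ed: (flags & 0x80) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// Registration policy: user presence and attested credential data are
// mandatory; the UV bit is only demanded when the RP asked for
// "required", so a key with no PIN passes under "discouraged"/"preferred".
function acceptRegistration(parsed, requestedUv) {
  if (!parsed.up || !parsed.at) return false;
  return requestedUv === "required" ? parsed.uv : true;
}

// Constructed sample authData: zeroed rpIdHash, flags UP|AT (no UV),
// signature counter 5.
const sampleAuthData = new Uint8Array(37);
sampleAuthData[32] = 0x41;
sampleAuthData[36] = 5;
```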

OS: Unspecified → macOS

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core
See Also: → 1841398
Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Duplicate of this bug: 1841398
Duplicate of this bug: 1846352

Are there also plans to fix this for when user verification is "encouraged"?

As a user, not being able to proceed unless I on the spot compose and memorize a PIN, which AFAIK my key would then permanently require for all sites, doesn't really meet the definition of being "encouraged" to do something. I would describe that as user verification being "required". If something is "encouraged" I have the option to proceed without it.

Registration should succeed with no PIN even when the relying party specifies userVerification = Preferred.

@aws-identity-bugzilla - That's correct, and the referenced pull request for authenticator-rs should make that possible for any security keys that report FIDO_2_0 as the highest version they support.

The upstream patch landed in Firefox in Bug 1848172.

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Depends on: 1848172
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
QA Whiteboard: [qa-118b-p2]

Confirmed this works as expected now in the 118 beta. Thanks!