FIDO2 security key registration fails in Firefox for macOS when no PIN is available, even if PIN is not required by security key or relying party.
(Core :: DOM: Web Authentication, defect)
(Reporter: aws-identity-bugzilla, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
FIDO2 security key registration fails in macOS when no PIN is available, even in cases where there is no FIDO2 PIN set on the security key and the relying party (RP) configures "User Verification = Preferred" or "User Verification = Discouraged".
This behavior was observed on certain firmware versions of YubiKey (5.0.2 and 5.1.0) and Firefox (114.0, 115.0), but registration succeeded as expected in Firefox ESR 102 and in other browsers such as Safari. There may be other impacted firmware and browser versions.
To reproduce:
1.) Insert affected USB security key.
2.) (Optional, but helps to confirm there is no PIN on your key already.) Download/open the YubiKey Manager software from Yubico and navigate to "Applications -> FIDO2" to confirm there is no FIDO2 PIN set for the device. It should say "No PIN is set". Do not set a PIN.
3.) Open Firefox (reproduced in version 114.0 or 115.0) and navigate to https://webauthn.me.
4.) Open "Debugger" page.
5.) Ensure you are on "Registration" tab. Click "Register".
6.) Operation fails.
You can repeat this test with various User Verification and Resident Key settings configured on either https://webauthn.io "Advanced Settings" or https://webauthn.me "Debugger" page. All configurations will have the same result.
Actual results:
Registration failed with the error "User verification failed on webauthn.io. You may need to set a PIN on your device."
Expected results:
Registration should succeed unless a local FIDO2 PIN is already set on the key, or the RP configuration requires user verification to complete registration.
Additionally, if either of those conditions are true and registration should fail without a PIN, an improved user experience would be to enable the user to create the PIN at registration time instead of failing.
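Added example (not part of the bug report, and not code from Mozilla or the test sites named above): a small script that builds the WebAuthn registration options the report varies (userVerification and residentKey), encodes the outcome the reporter expects for a key with no PIN set, and, when pasted into a browser console on an RP page, runs navigator.credentials.create() once per userVerification value and tags each failure as expected or not. The RP name, the user record and the console-generated challenge are placeholder assumptions; a real RP must supply the challenge from its server and will set rp.id to its own domain.

```javascript
// Added example: WebAuthn registration options per userVerification setting,
// plus the expected outcome for a CTAP2 key with no PIN set. Not from the
// original report; rp/user values are placeholders.

const USER_VERIFICATION = ['required', 'preferred', 'discouraged'];

// Build PublicKeyCredentialCreationOptions. `challenge` must be the
// server-issued challenge (passed in so this stays runnable without WebCrypto).
// rp.id is omitted so it defaults to the current origin's effective domain.
function buildCreationOptions({ userVerification, residentKey = 'discouraged', challenge }) {
  if (!USER_VERIFICATION.includes(userVerification)) {
    throw new RangeError(`unknown userVerification: ${userVerification}`);
  }
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new RangeError('challenge must be a Uint8Array of at least 16 bytes');
  }
  return {
    challenge,
    rp: { name: 'Example RP' },                          // assumption
    user: {
      id: new TextEncoder().encode('user-1234'),         // assumption
      name: 'alice@example.test',                        // assumption
      displayName: 'Alice',
    },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },    // ES256
      { type: 'public-key', alg: -257 },  // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: 'cross-platform',         // roaming USB key
      residentKey,
      requireResidentKey: residentKey === 'required',
      userVerification,
    },
    timeout: 60000,
    attestation: 'none',
  };
}

// Outcome the report expects for a given RP setting and key state:
// only userVerification "required" may legitimately fail for lack of a PIN;
// a key that already has a PIN is prompted for it; otherwise the ceremony
// completes with no user verification.
function expectedOutcome({ userVerification, pinSet }) {
  if (pinSet) return 'pin-prompt';
  if (userVerification === 'required') return 'fail-needs-pin';
  return 'succeed-without-uv';
}

function isExpectedFailure(settings) {
  return expectedOutcome(settings) === 'fail-needs-pin';
}

// Browser-only: run on an RP page (e.g. the webauthn.me debugger) and touch
// the key when it blinks. Uses a locally generated challenge purely for the
// repro; a real RP issues it server-side.
async function reproduce(pinSet = false) {
  const results = {};
  for (const uv of USER_VERIFICATION) {
    const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32));
    try {
      const cred = await navigator.credentials.create({
        publicKey: buildCreationOptions({ userVerification: uv, challenge }),
      });
      results[uv] = { ok: true, id: cred.id, expectedToFail: isExpectedFailure({ userVerification: uv, pinSet }) };
    } catch (e) {
      results[uv] = { ok: false, error: `${e.name}: ${e.message}`, expectedToFail: isExpectedFailure({ userVerification: uv, pinSet }) };
    }
  }
  return results;
}

if (typeof navigator !== 'undefined' && navigator.credentials) {
  reproduce(false).then((r) => console.table(r));
}
```

A row with ok === false and expectedToFail === false is the behaviour the report describes: a "preferred" or "discouraged" registration rejected for want of a PIN.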
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•2 years ago
Comment 3•2 years ago
I'll add to the other ticket, but want to point out that bug only specifies failure when UV = Discouraged. Registration should still succeed even if UV = Preferred. The only case in which it should fail is UV = Required.