The AAGUID is non-null when authenticating on webauthn.io on some devices
Categories: Fenix :: WebAuthn, defect, P3
Tracking: firefox118 disabled, firefox119 disabled, firefox120 disabled, firefox121 disabled, firefox122 disabled, firefox123 disabled, firefox124 fixed
People: Reporter: mlobontiuroman, Assigned: jschanck
Attachments: 3 files
Prerequisites
Make sure your device is set to lock with a pattern.
Steps to reproduce
- In about:config, set the pref security.webauthn.webauthn_enable_android_fido2.residentkey to true.
- Go to https://webauthn.io/, insert a username in the "example_username" text field, and tap "Register".
- Draw the pattern set to lock your device.
- Now tap on the "Authenticate" option.
- Draw the pattern set to lock your device.
- Scroll the page to the "Credentials for [username]" section, and verify the Authenticator Attestation Global Unique Identifier (AAGUID).
Expected behavior
The Authenticator Attestation Global Unique Identifier has a unique number.
Actual behavior
The Authenticator Attestation Global Unique Identifier displays a null number - as seen in the attached screenshot.
Device information
- Firefox version: Nightly 120.0a1 from 10/19, Beta 119.0b9
- Android devices: Sony Xperia Z5 Premium (Android 7.1.1), HTC 10 (Android 8)
- NOT reproducible on Samsung Galaxy Tab S8 Ultra (Android 12), Google Pixel 6 (Android 14), Xiaomi Mi8 Lite (Android 10)
Comment 1 (Reporter), 1 year ago
I've also attached a logcat, it might help.
Comment 2 (Reporter), 1 year ago
Reproducible also on Beta 121.0b3, and Nightly 122.0a1 from 11/27, with the same devices.
Comment 3 (Assignee), 1 year ago
We are currently setting attestation=none for all requests because we don't have a way to opt in to attestation (Bug 1550164), so actually the expected behavior is that the AAGUID is zeroed out.
There's ongoing discussion in the working group about whether to change the expected behavior w3c/webauthn #1962, but I'll post a patch.
Comment 4 (Assignee), 1 year ago

Comment 6 (bugherder), 1 year ago
Comment 7 (Reporter), 10 months ago
This issue is still reproducible on Fenix Nightly 127.0a1 from 5/13, with Sony Xperia Z5 Premium (Android 7.1.1), and on HTC 10 (Android 8).
I'll reopen it.
Comment 8 (Assignee), 10 months ago
Are you seeing null AAGUIDs, or non-null AAGUIDs? The expected behavior is that we return a null AAGUID. (Note that I changed the title of this bug in Comment 3).
There's a separate question of whether we'll change our behavior when https://github.com/w3c/webauthn/issues/1962 is resolved.
Edit: sorry, didn't mean to re-resolve this as fixed. Please re-open if you are seeing non-null values.