Open Bug 1868343 Opened 2 years ago Updated 5 months ago

webauthn: PIN-dialog for security keys that are PIN protected is not shown (with security.webauthn.ctap2 enabled)

Categories

(Thunderbird :: Security, defect)

Thunderbird 115
x86_64
Linux
defect

Tracking

(Not tracked)

People

(Reporter: msirringhaus, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: triaged, Whiteboard: [mailsec-incomplete-fixwanted])

All the FIDO/webauthn related user dialogs and pop-ups are not shown in Thunderbird.
So, when trying to log in via SSO that requires MFA, and one uses a security key (e.g. Yubikey) that is PIN-protected, one cannot log in. The PIN-dialog is never shown, the security key waits for it and eventually runs into a timeout.

Current workaround is to set security.webauthn.ctap2 == false and hope that your device also speaks CTAP1/FIDO1.

Severity: -- → S2
Component: General → Security
Keywords: triaged

I can reproduce the issue with Thunderbird 115.7.0 and a Google account with a Yubikey 5 NFC security key configured with a PIN.

The workaround works as suggested.

Summary: webauthn: PIN-dialog for security keys that are PIN protected is not shown → webauthn: PIN-dialog for security keys that are PIN protected is not shown (with security.webauthn.ctap2 enabled)

I can confirm this happens in 128.5.2esr using a YubiKey 5 NFC key with a PIN. The proposed workaround does not work any more when Okta is configured as a provider.

I can confirm that it happens in 128.14.0esr on Ubuntu (installed via PPA) using a Nitrokey 3A Mini. I'm trying to authenticate to Google Mail with a passkey that was set up today (2025-09-08).

Also, the proposed workaround does not work in this use case (newly set up Nitrokey with PIN in Google Mail).

If I understand correctly, you are trying to use Thunderbird to connect to email accounts that require the use of a special authentication device, and it doesn't work with Thunderbird, because it doesn't bring up related UI.

You're pointing to some code in the initial comment, does that mean that Firefox/Thunderbird do have some related implementation already, but it's not being triggered?

Do you have any theories why it isn't working?

Thunderbird should be able to use the underlying implementation of Firefox to deal with WebAuthn requests, but there was some code in browser/base/content/browser.js to activate the handler and deal with the UI (e.g. pop-up prompt to enter PIN). I'm guessing TB has its own variant of browser.js, and thus didn't have this?
This code was, however, very recently moved to its own file, as per Bug 1880918, so it should be even easier to integrate it in Thunderbird's frontend, as it now lives as its own module at browser/modules/WebAuthnPromptHelper.sys.mjs.
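The hand-off described in the comment above, as an added illustration that is not code from Firefox, Thunderbird or this bug: the core side cannot draw UI, so it publishes a prompt through the observer service, and the application frontend must have registered a handler that shows the PIN dialog and answers it. If nothing is listening, the request never gets its PIN and the key runs into its timeout, which is the symptom reported here. The topic name "webauthn-prompt", the action name "pin-required" and the `respond` callback are assumptions made for this model, not the real WebAuthnPromptHelper interface; only the argument order of `addObserver`/`notifyObservers` mirrors `Services.obs`.

```javascript
// Added model (not Firefox/Thunderbird code): how a core-side WebAuthn prompt
// reaches the application frontend through an observer service, and what
// happens when no frontend handler is registered. The topic "webauthn-prompt",
// the action "pin-required" and the `respond` callback are assumptions.

// Stand-in for nsIObserverService with the same argument order as Services.obs.
class ObserverService {
  constructor() {
    this.observers = new Map(); // topic -> [observer]
  }
  addObserver(observer, topic) {
    if (!this.observers.has(topic)) this.observers.set(topic, []);
    this.observers.get(topic).push(observer);
  }
  notifyObservers(subject, topic, data) {
    for (const observer of this.observers.get(topic) ?? []) {
      observer.observe(subject, topic, data);
    }
  }
}

// Core side: a PIN-protected CTAP2 key needs the PIN before it will sign.
// The core notifies the frontend and waits for `respond` to be called. The
// wait is synchronous here, so a missing reply after dispatch plays the role
// of the key running into its timeout.
function requestAssertion(obs, { pinProtected, correctPin = "123456" }) {
  if (!pinProtected) {
    // Loosely the CTAP1 path behind the security.webauthn.ctap2=false
    // workaround: no PIN exchange, so no frontend prompt is needed.
    return { status: "ok", userVerified: false };
  }
  const prompt = { reply: null, respond(pin) { this.reply = pin; } };
  obs.notifyObservers(prompt, "webauthn-prompt", JSON.stringify({ action: "pin-required" }));
  if (prompt.reply === null) {
    return { status: "timeout", reason: "no handler answered the PIN prompt" };
  }
  if (prompt.reply !== correctPin) {
    return { status: "error", reason: "pin-invalid" };
  }
  return { status: "ok", userVerified: true };
}

// Frontend side: what a prompt helper contributes. It listens on the topic,
// shows the dialog (modelled by askUserForPin) and hands the PIN back.
function registerPromptHelper(obs, askUserForPin) {
  obs.addObserver(
    {
      observe(subject, topic, data) {
        const msg = JSON.parse(data);
        if (msg.action === "pin-required") subject.respond(askUserForPin());
      },
    },
    "webauthn-prompt"
  );
}

// Runs the three situations side by side and returns the outcomes.
function demo() {
  const firefoxLike = new ObserverService();
  registerPromptHelper(firefoxLike, () => "123456"); // constructed: user types the PIN

  const noHelper = new ObserverService(); // nothing listens: the situation in this bug

  return {
    withHelper: requestAssertion(firefoxLike, { pinProtected: true }),
    withoutHelper: requestAssertion(noHelper, { pinProtected: true }),
    ctap1Style: requestAssertion(noHelper, { pinProtected: false }),
  };
}

console.log(demo());
```

The point of the model is the third outcome alongside the first two: a frontend that never registers on the prompt topic does not fail loudly, it simply leaves the core waiting, which is why the user sees nothing but a key that eventually gives up.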

See Also: → 1864917
Whiteboard: [mailsec-incomplete-fixwanted]