Degraded passkey support
Categories: Fenix :: WebAuthn, defect
Tracking: Not tracked
People: Reporter: tyotomy, Unassigned
Attachments: 1 file (1.33 MB, video/mp4)
Actual results:
It is well known that Firefox still does not support passkeys, but in fact Firefox for Android can use the passkey registered in their Google account.
However, since Firefox 119 (#2015973955 in the Nightly version, I checked), the support seems to have degenerated.
After this version, passkeys are not available for My Nintendo, etc., and GitHub also warns about partial passkey support.
This continues until the current latest version.
Comment 1•11 months ago
The severity field is not set for this bug.
:jmahon, could you have a look please?
For more information, please visit BugBot documentation.
Bit late to the party, so I don't know what was the case before now. What I am seeing with Android Firefox 123 (fully updated Pixel 6 Pro) is that:
- passkey creation quietly fails.
  The flow looks like it has worked, asking for thumbprint etc., but all subsequent attempts to log in report that there is no passkey matching the site on the device. Google Password Manager on the phone shows no match.
- passkey creation works in Chrome.
  The flow seems to have an extra (or different?) step that includes the site/login ID and a field that verifies the key will be created on “this device” (presumably tapping that will change the device) - as I recall, the Firefox flow had no site ID and instead had a list of device options (not individual devices, but stuff like USB, other device, etc.).
- passkey login from Firefox then worked.
  The passkey shows up in Google Password Manager (alongside any passwords, wasn't obviously a way to filter just passkeys).
(In reply to Neil Bird from comment #2)
Bit late to the party, so I don't know what was the case before now. What I am seeing with Android Firefox 123 (fully updated Pixel 6 Pro) is that:
- passkey creation quietly fails.
  The flow looks like it has worked, asking for thumbprint etc., but all subsequent attempts to log in report that there is no passkey matching the site on the device. Google Password Manager on the phone shows no match.
- passkey creation works in Chrome.
  The flow seems to have an extra (or different?) step that includes the site/login ID and a field that verifies the key will be created on “this device” (presumably tapping that will change the device) - as I recall, the Firefox flow had no site ID and instead had a list of device options (not individual devices, but stuff like USB, other device, etc.).
- passkey login from Firefox then worked.
  The passkey shows up in Google Password Manager (alongside any passwords, wasn't obviously a way to filter just passkeys).
Yes, I have confirmed that as well.
However, in previous versions, passkey login was available on almost all sites that supported passkeys, although in some cases user-agent spoofing was required.
But since Firefox 119, passkeys are no longer available on some sites such as My Nintendo.
This happens on every device I own, and by downgrading to Firefox 118 or earlier, I can now use passkeys on all sites again.
Can you confirm the described problem by accessing the My Nintendo login page or the GitHub login page?
I think these accounts are not necessary, so I would appreciate it if you could confirm this.
I had not used passkeys before this, so this was a bit of an experiment. And given that I then lost an hour or more of my life trying to recover my Sony PSN account after this failure locked me out, I'm not really willing to play any more with real logins I'm afraid! I've been using https://www.passkeys.io/ as a testing ground. That is the one that replicated my PSN failure (and then worked in Chrome).
The cause has been found.
After version #2015973955, the value of PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() changed from true to false.
It seems that some sites are seeing this value and misinterpreting it to mean that passkeys are not available.
I don't know if this is a glitch or a change in implementation, but it is extremely inconvenient to not be able to use a passkey that should actually work, so I would like to see this fixed as soon as possible.
This problem has occurred in the past. bug 1711541
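Added example (not part of the bug thread and not Mozilla's code): a relying-party feature check that reads a `false` result from `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` as "no built-in authenticator reported" rather than "no passkeys", next to a gate of the kind the comment above describes. The function names and the stub environments are assumptions made for the illustration.

```javascript
// Added example: relying-party feature detection. `env` is a window-like
// object (pass globalThis in a browser); the stubs below are constructed.

// Gate of the kind the report describes: passkeys hidden when UVPAA is false.
function naiveGate({ hasWebAuthn, uvpaa }) {
  return hasWebAuthn && uvpaa ? "offer-platform" : "hide";
}

// Corrected decision: only a missing WebAuthn API hides the passkey option.
function decidePasskeyUi({ hasWebAuthn, uvpaa }) {
  if (!hasWebAuthn) return "hide";
  // uvpaa === false only means no built-in user-verifying authenticator was
  // reported; a security key or an OS credential manager may still work.
  return uvpaa ? "offer-platform" : "offer-generic";
}

// Gather the signals without letting a missing or failing probe disable passkeys.
async function probePasskeySupport(env) {
  const pkc = env.PublicKeyCredential;
  const hasWebAuthn = typeof pkc === "function" &&
    !!(env.navigator && env.navigator.credentials);
  let uvpaa = false;
  if (hasWebAuthn &&
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      uvpaa = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
    } catch (_) {
      uvpaa = false; // a probe error is "unknown", not "unsupported"
    }
  }
  return { hasWebAuthn, uvpaa, ui: decidePasskeyUi({ hasWebAuthn, uvpaa }) };
}

// Constructed stand-in for a browser that exposes WebAuthn and reports the
// given UVPAA value.
function stubEnv(uvpaaResult) {
  function PublicKeyCredential() {}
  PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
    async () => uvpaaResult;
  return { PublicKeyCredential, navigator: { credentials: {} } };
}
```

With `uvpaa` false, `naiveGate` returns `"hide"` while `decidePasskeyUi` returns `"offer-generic"`, so the sign-in page still lets the user attempt a WebAuthn ceremony.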
Comment 7•9 months ago
If you're using the Beta or Nightly channel, you can work around this by setting security.webauthn.webauthn_enable_android_fido2.residentkey to true in about:config. We're not ready to enable that pref for all users, as it also has the effect of causing Passkeys to be created in Google Password Manager unconditionally (i.e. users aren't given an option of where to store their Passkeys).
OK, I understand. Thanks.
I look forward to the various issues regarding the implementation of the passkey being resolved and officially supported.
Comment 9•7 months ago
Clearing Priority so we can reprioritize these bugs relative to our ux-fun-2024 bugs.
Comment 11•5 months ago
It seems that many password managers were relying on Google Password Manager’s list of privileged apps: https://www.gstatic.com/gpm-passkeys-privileged-apps/apps.json
But it turns out that list doesn’t include Firefox for Android Nightly, which caused Firefox for Android Nightly to be unable to log in with passkeys. Would Mozilla kindly ask Google to add Firefox for Android Nightly to the list?
Screenshots of some Password Managers:
Comment 12•4 months ago
(In reply to John Schanck [:jschanck] from comment #7)
If you're using the Beta or Nightly channel, you can work around this by setting security.webauthn.webauthn_enable_android_fido2.residentkey to true in about:config. We're not ready to enable that pref for all users, as it also has the effect of causing Passkeys to be created in Google Password Manager unconditionally (i.e. users aren't given an option of where to store their Passkeys).
Is that the reason why passkeys don't work with the Firefox 128 + Linux (PopOS 22.04, Ubuntu 24.04, RHEL 9) + Microsoft 365 (e.g. outlook.office.com) combination? Passkeys work with the combination FF 128 + W11 + M365, or if I change the user-agent in Linux FF to Chrome+W10.
Comment 13•4 months ago
I forgot to mention that I have stored passkeys for M365 in Bitwarden password manager and Yubikey 5 NFC.
Comment 14•1 day ago
(In reply to Jason Kwok from comment #11)
It seems that many password managers were relying on Google Password Manager’s list of privileged apps: https://www.gstatic.com/gpm-passkeys-privileged-apps/apps.json
The Fenix Nightly package isn't registered. 1Password looks at this, but they also seem to look at the Nightly package signature although that JSON doesn't have it. But Bitwarden doesn't look at it.
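Added example (not from the thread, Mozilla, Google or any password manager): a caller check against a privileged-apps allowlist of the kind comments 11 and 14 discuss, showing how a build whose package is absent from the list is rejected before any WebAuthn logic runs. The JSON shape is assumed to follow Android's privileged-app allowlist format; the package names, fingerprints and function names are constructed for the illustration.

```javascript
// Added example. The allowlist shape is an assumption; every package name
// and fingerprint below is constructed and matches no real application.
const SAMPLE_ALLOWLIST = {
  apps: [{
    type: "android",
    info: {
      package_name: "org.example.browser",
      signatures: [{
        build: "release",
        cert_fingerprint_sha256: "AA:".repeat(31) + "AA",
      }],
    },
  }],
};

// Normalise "AA:BB:..." or "aabb..." to lowercase hex without separators.
function normFingerprint(fp) {
  return String(fp).replace(/[^0-9a-fA-F]/g, "").toLowerCase();
}

// Returns "trusted", "signature-mismatch" or "not-listed" for a calling app.
function checkCaller(allowlist, packageName, certSha256) {
  const entries = (allowlist.apps || []).filter(
    (a) => a.type === "android" && a.info &&
           a.info.package_name === packageName);
  if (entries.length === 0) return "not-listed";
  const want = normFingerprint(certSha256);
  // A SHA-256 fingerprint is 32 bytes, i.e. 64 hex digits.
  const ok = want.length === 64 && entries.some((a) =>
    (a.info.signatures || []).some(
      (s) => normFingerprint(s.cert_fingerprint_sha256) === want));
  return ok ? "trusted" : "signature-mismatch";
}
```

A separately packaged nightly build (here the constructed name `org.example.browser.nightly`) gets `"not-listed"` even when it is signed with the listed certificate, because the lookup is keyed on the package name first.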