[WebAuthn] macOS Firefox 122 does not respect transports during security key authentication
Categories
(Core :: DOM: Web Authentication, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox127 | --- | fixed |
People
(Reporter: matthew, Assigned: jschanck)
Details
Attachments
(2 files)
Steps to reproduce:
Complete the following steps on macOS 14.3 with a USB security key (I used a YubiKey 5 Nano) to reproduce:
Registration:
(We have to use a different browser here until https://bugzilla.mozilla.org/show_bug.cgi?id=1878397 is fixed and we get transports from security key registration in Firefox)
- Open Safari
- Open Safari's JavaScript Console
- Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
- Enter a username
- Click "Register" to call `navigator.credentials.create()`
- Select "Security key" from the macOS system prompt
- Tap security key (and enter PIN and re-tap if needed)
- Observe in Safari's JavaScript Console that `response.transports` is populated with a USB transport (e.g. `["usb"]`)
Authentication:
- Open Firefox
- Open Firefox's Web Developer Tools
- Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
- Enter the same username as above
- Click "Authenticate" to call `navigator.credentials.get()`
- Observe in Firefox's Console that the `transports` property in the sole entry in `allowCredentials` contains `["usb"]`, as seen during registration
- Observe that Firefox prompts the user to choose between "iPhone, iPad, or Android device" or "Security key"
Actual results:
Firefox prompted me to choose between "iPhone, iPad, or Android device" or "Security key" via the macOS system prompt.
Expected results:
Firefox should have jumped straight to the security key option because the "iPhone, iPad, or Android device" option is for the "hybrid" transport, which was not present anywhere in `allowCredentials`.
Comment 1•10 months ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•10 months ago
The severity field is not set for this bug.
:jschanck, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3•9 months ago
On macOS 13.5+ we can fix this by toggling the `shouldShowHybridTransport` bit on `ASAuthorizationPlatformPublicKeyCredentialAssertionRequest` based on the transports that are present in the allowlist.
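The following is an added example, not code from Firefox, webauthn.io, or any commenter on this bug. It shows the relying-party side of the reporter's steps (carrying the transports reported by `navigator.credentials.create()` into the `allowCredentials` of a later `navigator.credentials.get()`) and, as a plain function, the decision that comment 3 describes: whether a client that honours those hints should offer the hybrid (phone/tablet) option at all. The decision rule is my reading of the WebAuthn transport-hint semantics and of comment 3, not Firefox's actual implementation; the registration object and credential id bytes are constructed stand-ins.

```javascript
// Added example: RP-side handling of WebAuthn transport hints plus the
// "should the client show the hybrid option?" decision the bug is about.
// Not Firefox or webauthn.io code; see the lead-in for what is assumed.

// Transport names defined by WebAuthn Level 3.
const KNOWN_TRANSPORTS = new Set(["usb", "nfc", "ble", "smart-card", "hybrid", "internal"]);

// What an RP stores after registration. `registration` is shaped like the
// PublicKeyCredential returned by create(): rawId (ArrayBuffer) and
// response.getTransports() (the list the reporter saw as response.transports).
function credentialRecordFromRegistration(registration) {
  const reported =
    (typeof registration.response.getTransports === "function"
      ? registration.response.getTransports()
      : registration.response.transports) || [];
  return {
    id: new Uint8Array(registration.rawId),
    // Keep only names we know; clients ignore unknown transport names anyway.
    transports: reported.filter((t) => KNOWN_TRANSPORTS.has(t)),
  };
}

// Build the allowCredentials list for get() from stored records.
function buildAllowCredentials(records) {
  return records.map((rec) => ({
    type: "public-key",
    id: rec.id,
    transports: rec.transports,
  }));
}

// Decision a transport-respecting client should reach (assumed rule, not
// Firefox's code):
// - an empty allow list means any authenticator may hold a discoverable
//   credential, so the hybrid option must stay available;
// - an entry with no transport hints could live on any authenticator, so
//   the hybrid option must stay available;
// - otherwise show the hybrid option only if some entry lists "hybrid".
function shouldShowHybridTransport(allowCredentials) {
  if (allowCredentials.length === 0) return true;
  return allowCredentials.some(
    (c) => !c.transports || c.transports.length === 0 || c.transports.includes("hybrid")
  );
}

// Constructed stand-in for what create() returned in the reporter's Safari
// step: a credential on a USB security key. The id bytes are made up.
const registrationFromSafari = {
  rawId: new Uint8Array([0x01, 0x02, 0x03, 0x04]).buffer,
  response: { getTransports: () => ["usb"] },
};

const records = [credentialRecordFromRegistration(registrationFromSafari)];
const allowCredentials = buildAllowCredentials(records);

// Options the reporter's "Authenticate" click would pass to
//   navigator.credentials.get({ publicKey: assertionOptions });
// A real RP fills `challenge` with random bytes from the server.
const assertionOptions = {
  challenge: new Uint8Array(32),
  allowCredentials,
  userVerification: "preferred",
};

console.log(JSON.stringify(assertionOptions.allowCredentials[0].transports)); // ["usb"]
console.log(shouldShowHybridTransport(assertionOptions.allowCredentials));     // false
```

With a single `["usb"]` entry the function returns `false`, which is the behaviour the reporter expected (jump straight to the security key); an empty allow list, an entry with no hints, or an entry listing `"hybrid"` keeps the phone/tablet option available.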
Comment 4•9 months ago
Comment 6•8 months ago
bugherder