Closed Bug 1878742 Opened 3 months ago Closed 25 days ago

[WebAuthn] macOS Firefox 122 does not respect transports during security key authentication

Categories

(Core :: DOM: Web Authentication, defect, P3)

Firefox 122
defect

Tracking

RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: matthew, Assigned: jschanck)

Attachments

(2 files)

Steps to reproduce:

Complete the following steps on macOS 14.3 with a USB security key (I used a YubiKey 5 Nano) to reproduce:

Registration:

(We have to use a different browser here until https://bugzilla.mozilla.org/show_bug.cgi?id=1878397 is fixed and we get transports from security key registration in Firefox)

  1. Open Safari
  2. Open Safari's JavaScript Console
  3. Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
  4. Enter a username
  5. Click "Register" to call navigator.credentials.create()
  6. Select "Security key" from the macOS system prompt
  7. Tap security key (and enter PIN and re-tap if needed)
  8. Observe in Safari's JavaScript Console that response.transports is populated with a USB transport (e.g. ["usb"])

Authentication:

  1. Open Firefox
  2. Open Firefox's Web Developer Tools
  3. Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
  4. Enter the same username as above
  5. Click "Authenticate" to call navigator.credentials.get()
  6. Observe in Firefox's Console that the transports property in the sole entry in allowCredentials contains ["usb"] as seen during registration
  7. Observe that Firefox prompts the user to choose between "iPhone, iPad, or Android device" or "Security key"

Actual results:

Firefox prompted me to choose between "iPhone, iPad, or Android device" or "Security key" via the macOS system prompt.

Expected results:

Firefox should have jumped straight to the security key option because the "iPhone, iPad, or Android device" option is for the "hybrid" transport which was not present anywhere in allowCredentials.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

The severity field is not set for this bug.
:jschanck, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)
Severity: -- → S4
Flags: needinfo?(jschanck)
Priority: -- → P3

On macOS 13.5+ we can fix this by toggling the shouldShowHybridTransport bit on ASAuthorizationPlatformPublicKeyCredentialAssertionRequest based on the transports that are present in the allowlist.

Assignee: nobody → jschanck
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
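
An added example, not taken from this bug thread or from the Firefox patch: the allow-list decision described in the comment above, written as a check a relying-party developer can run against the `allowCredentials` they pass to `navigator.credentials.get()`. The function name `summarizeAllowList`, the rule that an empty allow list or an entry without transports keeps hybrid available, and the placeholder credential IDs are assumptions made for illustration.

```javascript
// Added example: predict whether the "hybrid" (phone) option could be needed
// for a WebAuthn get() request, from the transports in allowCredentials.
// The policy is an assumption for illustration, not Firefox's implementation.

function summarizeAllowList(allowCredentials) {
  const list = Array.isArray(allowCredentials) ? allowCredentials : [];
  const seen = new Set();
  let unknown = false; // true if any credential carries no transport hints

  for (const cred of list) {
    const transports = cred.transports;
    if (!Array.isArray(transports) || transports.length === 0) {
      unknown = true; // nothing recorded at registration: cannot rule hybrid out
      continue;
    }
    for (const t of transports) seen.add(t);
  }

  // Empty allow list means a discoverable-credential request, where any
  // authenticator (including a phone) may hold a matching credential.
  const discoverable = list.length === 0;
  const showHybrid = discoverable || unknown || seen.has("hybrid");

  return { transports: [...seen].sort(), unknown, discoverable, showHybrid };
}

// Constructed sample requests; real ids are ArrayBuffers, strings are placeholders.
const usbOnly = [{ type: "public-key", id: "cred-1", transports: ["usb"] }];
const mixed = [
  { type: "public-key", id: "cred-1", transports: ["usb", "nfc"] },
  { type: "public-key", id: "cred-2", transports: ["hybrid", "internal"] },
];
const missingHints = [
  { type: "public-key", id: "cred-1", transports: ["usb"] },
  { type: "public-key", id: "cred-3" }, // registered without transports
];

for (const [name, list] of Object.entries({ usbOnly, mixed, missingHints, empty: [] })) {
  console.log(name, JSON.stringify(summarizeAllowList(list)));
}
```

The `usbOnly` case matches the report: every credential lists only `usb`, so the phone option has nothing to offer. The `missingHints` case is why the registration-side transports matter: one credential stored without hints is enough to keep hybrid on the prompt.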
Attachment #9392149 - Attachment description: WIP: Bug 1878742 - only show hybrid transport option on macOS if it might be used. → Bug 1878742 - only show hybrid transport option on macOS if it might be used. r=dveditz
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ed724b89a2c2
only show hybrid transport option on macOS if it might be used. r=dveditz
Status: ASSIGNED → RESOLVED
Closed: 25 days ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Duplicate of this bug: 1894876