Closed Bug 1893875 Opened 14 days ago Closed 12 days ago

Firefox on MacOS creates resident key in spite of residentKey set to discouraged

Component: Core :: DOM: Web Authentication (defect)
Version: Firefox 125
Status: RESOLVED DUPLICATE of bug 1886577
Reporter: rillke (Unassigned)
Attachments: 3 files

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0

Steps to reproduce:

  1. Be on MacOS 14.4.1 (23E224)
  2. Use Firefox 125.0.1
  3. Go to https://demo.yubico.com/webauthn-developers
  4. Set residentKey in the sidebar to discouraged
  5. Set userVerification in the sidebar to discouraged so the following configuration is created for the PublicKeyCredentialCreationOptions:
{
  "publicKey": {
    "attestation": "none",
    "authenticatorSelection": {
      "requireResidentKey": false,
      "residentKey": "discouraged",
      "userVerification": "discouraged"
    },
    "challenge": "abcdef0123456789...",
    "extensions": {
      "credProps": true
    },
    "pubKeyCredParams": [
      {
        "alg": -8,
        "type": "public-key"
      },
      {
        "alg": -7,
        "type": "public-key"
      },
      {
        "alg": -257,
        "type": "public-key"
      }
    ],
    "rp": {
      "id": "demo.yubico.com",
      "name": "Yubico Demo"
    },
    "timeout": 90000,
    "user": {
      "displayName": "SOMEUSER",
      "id": "abcdef0123456789...",
      "name": "SOMEUSER"
    }
  }
}
  6. Press CREATE in the sidebar
  7. In the "Sign In" dialog, select "Other Options"
  8. In "Choose where to save a passkey for demo.yubico.com", select "Security key" and press Continue
  9. Press the golden circle on the YubiKey
  10. Enter the PIN for the YubiKey (the PIN prompt wasn't requested but that's bug #1822429) and press Continue
  11. Press the golden circle on the YubiKey again
  12. Inspect the FIDO2 Passkeys with Yubico Authenticator

Actual results:

A discoverable resident key was created and can be found in Yubico Authenticator. Note this is an issue for us because the space on the YubiKey is limited.

Expected results:

A non-discoverable non-resident key is created that can't be found with Yubico Authenticator.

Google Chrome won't even prompt for the YubiKey FIDO2 PIN, Apple Safari will prompt for a FIDO2 PIN but will create a non-discoverable non-resident key.
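The following is an added example, not code from the bug report, from Yubico or from Mozilla. It builds the PublicKeyCredentialCreationOptions quoted in the report and classifies the registration result using the WebAuthn credProps extension, whose `rk` flag tells the relying party whether the credential that was created is client-side discoverable (resident). An RP that requested residentKey "discouraged" can use this to notice when a client or authenticator created a resident key anyway, which is the situation the report describes. The challenge and user id are constructed sample values; the function names are the example's own.

```javascript
// Added example (not from the bug report, Yubico or Mozilla): build the
// creation options quoted in the report and check, via the credProps
// extension result, whether a discoverable (resident) credential was created.

// Constructed sample values so the example runs offline; a real RP issues a
// fresh random challenge and a stable opaque user id per registration.
const SAMPLE_CHALLENGE = Uint8Array.from({ length: 32 }, (_, i) => i);
const SAMPLE_USER_ID = Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i);

function buildCreationOptions({ challenge, userId, userName }) {
  return {
    publicKey: {
      attestation: "none",
      authenticatorSelection: {
        requireResidentKey: false,
        residentKey: "discouraged",
        userVerification: "discouraged",
      },
      challenge,
      // Ask the client to report whether the new credential is discoverable.
      extensions: { credProps: true },
      pubKeyCredParams: [
        { alg: -8, type: "public-key" },   // EdDSA
        { alg: -7, type: "public-key" },   // ES256
        { alg: -257, type: "public-key" }, // RS256
      ],
      rp: { id: "demo.yubico.com", name: "Yubico Demo" },
      timeout: 90000,
      user: { id: userId, name: userName, displayName: userName },
    },
  };
}

// Effective residentKey request: WebAuthn defaults it to "required" when
// requireResidentKey is true and to "discouraged" otherwise.
function requestedResidentKey(options) {
  const sel = options.publicKey.authenticatorSelection ?? {};
  return sel.residentKey ?? (sel.requireResidentKey ? "required" : "discouraged");
}

// Classify a registration from the options sent and the client extension
// results (credential.getClientExtensionResults()). Returns one of:
//   "non-resident"        credProps.rk === false
//   "resident-expected"   rk === true and the RP asked for preferred/required
//   "resident-unexpected" rk === true although the RP asked for discouraged
//   "unknown"             the client did not report credProps.rk
function classifyResidentKey(options, clientExtensionResults) {
  const rk = clientExtensionResults?.credProps?.rk;
  if (typeof rk !== "boolean") return "unknown";
  if (!rk) return "non-resident";
  return requestedResidentKey(options) === "discouraged"
    ? "resident-unexpected"
    : "resident-expected";
}

// Browser-side wrapper: registers a credential and reports the outcome.
// Only callable in a secure context with WebAuthn support.
async function registerAndCheck(userName) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("navigator.credentials is not available here");
  }
  const options = buildCreationOptions({
    challenge: crypto.getRandomValues(new Uint8Array(32)),
    userId: crypto.getRandomValues(new Uint8Array(16)),
    userName,
  });
  const credential = await navigator.credentials.create(options);
  const outcome = classifyResidentKey(options, credential.getClientExtensionResults());
  if (outcome === "resident-unexpected") {
    console.warn("Authenticator created a discoverable credential despite residentKey: discouraged");
  }
  return { credential, outcome };
}
```

When the client fills in credProps, the scenario in this report shows up as "resident-unexpected"; a client that omits the extension result yields "unknown", so this is a detection aid on the RP side, and inspecting the key with Yubico Authenticator, as the report does, remains the ground truth for what is stored on the device.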

Under 10. I meant to write "but that's bug #1854089" - whereas this report is about a resident key being created.

Since YubiKey information was requested in similar bug reports, here they come:

$ ykman info
Device type: YubiKey 5 NFC
Serial number: XXXXX_REDACTED_FOR_PRIVACY_REASONS
Firmware version: 5.2.4
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications	USB          	NFC          
Yubico OTP  	Enabled      	Enabled
FIDO U2F    	Enabled      	Enabled
FIDO2       	Enabled      	Enabled
OATH        	Enabled      	Enabled
PIV         	Enabled      	Enabled
OpenPGP     	Enabled      	Enabled
YubiHSM Auth	Not available	Not available

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

Thanks for the report. We fixed this in 126.

Status: UNCONFIRMED → RESOLVED
Closed: 12 days ago
Duplicate of bug: 1886577
Resolution: --- → DUPLICATE
