Firefox on MacOS creates resident key in spite of residentKey set to discouraged
(Core :: DOM: Web Authentication, defect)
(Reporter: rillke, Unassigned)
Attachments (3 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Steps to reproduce:
- Be on MacOS 14.4.1 (23E224)
- Use Firefox 125.0.1
- Go to https://demo.yubico.com/webauthn-developers
- Set residentKey in the sidebar to discouraged
- Set userVerification in the sidebar to discouraged so the following configuration is created for the PublicKeyCredentialCreationOptions:
{
  "publicKey": {
    "attestation": "none",
    "authenticatorSelection": {
      "requireResidentKey": false,
      "residentKey": "discouraged",
      "userVerification": "discouraged"
    },
    "challenge": "abcdef0123456789...",
    "extensions": {
      "credProps": true
    },
    "pubKeyCredParams": [
      {
        "alg": -8,
        "type": "public-key"
      },
      {
        "alg": -7,
        "type": "public-key"
      },
      {
        "alg": -257,
        "type": "public-key"
      }
    ],
    "rp": {
      "id": "demo.yubico.com",
      "name": "Yubico Demo"
    },
    "timeout": 90000,
    "user": {
      "displayName": "SOMEUSER",
      "id": "abcdef0123456789...",
      "name": "SOMEUSER"
    }
  }
}
- Press CREATE in the sidebar
- In the "Sign In" Dialog, select "Other Options"
- In "Choose where to save a passkey for demo.yubico.com", select "Security key" and press Continue
- Press the golden circle on the YubiKey
- Enter the PIN for the YubiKey (the PIN prompt wasn't requested but that's bug #1822429) and press Continue
- Press the golden circle on the YubiKey again
- Inspect the FIDO2 Passkeys with Yubico Authenticator
Actual results:
A discoverable resident key was created and can be found in Yubico Authenticator. Note this is an issue for us because the space on YubiKey is limited.
Expected results:
A non-discoverable non-resident key is created that can't be found with Yubico Authenticator.
Google Chrome won't even prompt for the YubiKey FIDO2 PIN, Apple Safari will prompt for a FIDO2 PIN but will create a non-discoverable non-resident key.
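The residentKey value in the options above is only a preference, so a relying party that wants to notice the behaviour described in this report (a discoverable credential created despite "discouraged") has to look at the credProps extension result after create(). The following is an added example, not code from the report or from Firefox/Yubico; checkResidentKeyOutcome, sampleOptions and fakeCredential are assumed names, and the credential object is constructed to stand in for the PublicKeyCredential a browser would return:

```javascript
// Added example, not code from the bug report or from Firefox/Yubico: a
// relying-party check that compares the residentKey preference it sent in
// PublicKeyCredentialCreationOptions with what the authenticator reports back
// via the credProps extension (rk = "a resident/discoverable key was created").
// Assumptions: the caller passes the same options object it gave to
// navigator.credentials.create() and the PublicKeyCredential it got back.

function checkResidentKeyOutcome(options, credential) {
  const sel = (options.publicKey && options.publicKey.authenticatorSelection) || {};
  // WebAuthn Level 2: requireResidentKey=true means residentKey="required";
  // a missing residentKey is treated as "discouraged" by user agents.
  const requested = sel.requireResidentKey ? "required" : (sel.residentKey || "discouraged");
  const ext = typeof credential.getClientExtensionResults === "function"
    ? credential.getClientExtensionResults() : {};
  const rk = ext.credProps && typeof ext.credProps.rk === "boolean" ? ext.credProps.rk : null;

  if (rk === null) {
    // Client or authenticator did not report credProps; nothing can be concluded.
    return { requested, rk, verdict: "unknown" };
  }
  if (requested === "required" && !rk) {
    // A discoverable credential was mandatory but not created: registration must fail.
    return { requested, rk, verdict: "error" };
  }
  if (requested === "discouraged" && rk) {
    // The situation in this report: a discoverable credential occupies one of the
    // authenticator's limited resident-key slots although the RP asked not to.
    return { requested, rk, verdict: "warning" };
  }
  return { requested, rk, verdict: "ok" };
}

// Constructed sample input mirroring the options in the report (other fields
// omitted) and a stand-in for the PublicKeyCredential a browser would return.
const sampleOptions = {
  publicKey: {
    authenticatorSelection: {
      requireResidentKey: false, residentKey: "discouraged", userVerification: "discouraged",
    },
    extensions: { credProps: true },
  },
};
function fakeCredential(rk) {
  return {
    type: "public-key",
    getClientExtensionResults: () => (rk === undefined ? {} : { credProps: { rk } }),
  };
}
```

With the sample options, a credential reporting rk=true yields the "warning" verdict; an RP can log that and, where a hardware token's slot budget matters, tell the user which credential to delete.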
Reporter
Comment 3•14 days ago
Under 10. I meant to write "but that's bug #1854089" - whereas this report is about a resident key being created.
Reporter
Comment 4•14 days ago
Since YubiKey information was requested in similar bug reports, here they come:
$ ykman info
Device type: YubiKey 5 NFC
Serial number: XXXXX_REDACTED_FOR_PRIVACY_REASONS
Firmware version: 5.2.4
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled
Applications    USB            NFC
Yubico OTP      Enabled        Enabled
FIDO U2F        Enabled        Enabled
FIDO2           Enabled        Enabled
OATH            Enabled        Enabled
PIV             Enabled        Enabled
OpenPGP         Enabled        Enabled
YubiHSM Auth    Not available  Not available
Comment 5•14 days ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 6•12 days ago
Thanks for the report. We fixed this in 126.