Open Bug 1908603 Opened 11 months ago Updated 1 month ago

Pressing Enter in PIN entry of security key also sends Enter to website which makes security key login fail

Categories

(Core :: DOM: Web Authentication, defect, P3)

Firefox 127
defect


People

(Reporter: alynx.zhou, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0

Steps to reproduce:

My company uses okta to log in to internal websites, for which I use a security key (a YubiKey 5C NFC) for 2-step verification. When I reach the security key step, Firefox pops up a dialog to enter the PIN of my FIDO2 key, and I type my PIN and then press Enter to confirm.

Steps:

  1. Find a 2-step login that requires you to enter PIN of your security key.
  2. When the PIN dialog pops up, insert PIN, press Enter.

Actual results:

The dialog closes, but the Enter event is also sent to the website behind the dialog, so the okta login goes directly to the next step without getting the result of the PIN verification.

Expected results:

The dialog receives Enter and closes, and the website should not receive the same Enter event again, so I can then click the button on the website myself.
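Added example, not code from this bug report or from Firefox: a relying-party-side guard that drops Enter key events arriving while a WebAuthn ceremony is still pending, so a keystroke that leaks out of the browser's PIN dialog cannot advance the login form. The `credentials.get` stand-in and the credential id are constructed so the simulation runs offline.

```javascript
// Added example, not from the bug or from Firefox: a relying-party-side guard that
// drops Enter key events arriving while a WebAuthn ceremony is pending, so a keystroke
// leaking out of the browser's PIN dialog cannot advance the login form.
class WebAuthnGuard {
  constructor() {
    this.inFlight = false;  // true while navigator.credentials.get() is pending
    this.suppressed = [];   // events dropped, handy for telemetry
  }

  // Wraps a ceremony such as () => navigator.credentials.get(options).
  async run(ceremony) {
    this.inFlight = true;
    try { return await ceremony(); } finally { this.inFlight = false; }
  }

  // Install in the capture phase so it runs before any submit handler:
  //   form.addEventListener('keydown', e => guard.handleKey(e), true);
  //   form.addEventListener('keyup',   e => guard.handleKey(e), true);
  // Returns true if the event may proceed, false if it was swallowed.
  handleKey(event) {
    if (this.inFlight && event.key === 'Enter') {
      this.suppressed.push(event.type);
      if (event.preventDefault) event.preventDefault();
      if (event.stopPropagation) event.stopPropagation();
      return false;
    }
    return true;
  }
}

// Offline simulation of the reported sequence with a constructed credentials.get:
// the page starts the ceremony, the user confirms the PIN with Enter in the browser
// dialog, and that Enter reaches the page before the assertion promise resolves.
async function simulateLeakedEnter() {
  const guard = new WebAuthnGuard();
  const reachedForm = [];  // key events the form's own handlers would have seen
  let resolveAssertion;
  const fakeGet = () => new Promise(resolve => { resolveAssertion = resolve; });

  const pending = guard.run(fakeGet);                // ceremony in flight
  const leaked = { type: 'keyup', key: 'Enter' };
  if (guard.handleKey(leaked)) reachedForm.push(leaked.type);
  resolveAssertion({ id: 'constructed-credential-id' });
  const assertion = await pending;                   // ceremony finished
  const later = { type: 'keyup', key: 'Enter' };     // a normal Enter afterwards
  if (guard.handleKey(later)) reachedForm.push(later.type);

  return { assertionId: assertion.id, reachedForm, suppressed: guard.suppressed };
}
```

This only covers the Enter that reaches the website; it cannot stop the event that Firefox's own "Touch your security key" dialog receives, which needs the browser-side fix.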

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

Probably the same problem as in bug 1893629, where I couldn't pinpoint the reason.
I can confirm that the keyboard shortcut is indeed the problem. When clicking the "Sign in" button, the login works fine.
Tab-Tab-Space also works fine. Enter or Tab-Tab-Enter does not.

Severity: -- → S3
Priority: -- → P3
Duplicate of this bug: 1893629

This is not a problem with the website; this is completely inside Firefox.

When the PIN is confirmed Firefox spawns another dialog "Touch your security key to continue with okta.com" which has a cancel button.

The key event that is used to confirm the PIN is also received by this cancel button, and the FIDO authentication is immediately canceled.

Workaround: set security.webauthn.ctap2 to false in about:config, as suggested in bug 1868343

Duplicate of this bug: 1958772

(In reply to Michal 'hramrach' Suchanek from comment #5)

> Workaround: set security.webauthn.ctap2 to false in about:config, as suggested in bug 1868343

A simpler workaround is to just not hit the "enter" key but to use the mouse.

Status: UNCONFIRMED → NEW
Ever confirmed: true