WebAuthn does not show the number of PIN attempts left - You have {$retriesLeft} attempts left before you permanently lose access to the credentials on this device.
Categories
(Core :: DOM: Web Authentication, defect)
Tracking
()
People
(Reporter: drew.dani, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Steps to reproduce:
Using a FIDO2/CTAP2.0 security key (a non-YubiKey), register a security key with UV=required using the AppID extension at https://webauthn.io/.
When entering the PIN incorrectly, a pop-up appears with the message:
You have {$retriesLeft} attempts left before you permanently lose access to the credentials on this device.
Actual results:
You have {$retriesLeft} attempts left before you permanently lose access to the credentials on this device.
Expected results:
When entering the PIN incorrectly, a pop-up should appear with the number of attempts:
You have 8 attempts left before you permanently lose access to the credentials on this device.
YubiKey devices take the latter approach of blocking the PIN - and effectively destroying all private keys - after 8 incorrect attempts. Users should be aware of how many attempts they have.
This appears to be an issue in:
- https://searchfox.org/mozilla-central/source/browser/locales/en-US/browser/webauthnDialog.ftl#9
- https://searchfox.org/mozilla-central/source/toolkit/locales/en-US/toolkit/about/aboutWebauthn.ftl#44
where the $retriesLeft is not correctly interpolated.
Comment 2•3 days ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.