Firefox 132 broke YubiKey FIDO2 functionality on Mac OS
Categories
(Core :: DOM: Web Authentication, defect)
People
(Reporter: nerickson, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Steps to reproduce:
Attempted to sign in to Microsoft account using YubiKey 5C Nano on Mac OS Sonoma
Actual results:
Firefox prompted me to insert & set up my YubiKey, which was already inserted & set up. After touching the key I was prompted for a PIN. After entering the PIN it again prompted to insert & set up, I touched the key and was prompted for my pin, repeat indefinitely. My PIN is correct, and it works with Chrome and with FF on Windows.
Expected results:
It should have logged me in without getting stuck in a loop.
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
I'm experiencing the very same issue, works on Edge, but not on Firefox 132.0.2 (pin loop).
Comment 3•11 months ago
The severity field is not set for this bug.
:jschanck, could you have a look please?
For more information, please visit BugBot documentation.
Comment 4•11 months ago
I don't have a Sonoma machine set up currently. It would help if someone could get a regression range using mozregression. Our implementation hasn't changed since Firefox 128, so I'm struggling to see what might have caused this.
From the tests I've done, the issue only affects Firefox browsers on OSX on M1/2/3/4-based Macs, not browsers on Intel-based OSX. Regardless of Firefox version or OSX version.
I confirm. The same issue in my ff - I get stuck in a pin loop (asks for pin over and over).
FF 133.0 (aarch64); mac os Sequoia 15.1.1 (24B91) M2.
Comment 7•11 months ago
Monica, do you have an M-series Mac that you could test this on? This doesn't look like a Firefox regression, so I'm hoping to determine which versions of macOS it works in, if any.
Comment 8•11 months ago
John, we could not reproduce on:
- Mac 12.6 using Firefox 135.0a1 and Feitian passkey,
- Mac 13.6 (Ventura) using Firefox 134 and Yubico 5 NFC passkey
- Mac 14.7.1 (Sonoma) using Firefox 134 and Yubico 5 NFC passkey.
We are looking for an M1 device and will come back with an update.
Comment 9•11 months ago
It is very likely that this issue is actually caused by Safari 18.1. See here: https://bugs.webkit.org/show_bug.cgi?id=282880
Does security.webauthn.enable_macos_passkeys still work?
Comment 10•11 months ago
> Does security.webauthn.enable_macos_passkeys still work?
Yes, setting security.webauthn.enable_macos_passkeys to false is a viable workaround for users who do not need to use the iCloud keychain authenticator or the hybrid transport.
Comment 11•11 months ago
For the folks still dealing with this, another workaround, for this bug in particular, is triggering a usernameless logon flow (one where the relying party does not send an authenticator allowlist as part of the webauthn ceremony).
Here's Yubico's KB on the subject: https://support.yubico.com/hc/en-us/articles/16726447752732-Safari-18-1-upgrade-MacOS-iOS-iPadOS-FIDO-PIN-issue-with-FIDO-CTAP-2-1-security-keys
I'm pretty confident this is only reproducible on devices running iOS 18.1 or MacOS 15.1, and will be fixed in iOS 18.2 / MacOS 15.2 - which already has a release candidate out.
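The two request shapes contrasted in comment 11, as an added example that is not part of the original thread or of Firefox's code: it converts a relying party's JSON options into the object passed to `navigator.credentials.get({ publicKey })` and reports whether the request carries an allowlist (`allowCredentials`) or is usernameless. The `rpId`, credential ID, challenge and helper names are constructed for illustration; the sample runs under Node.js, which supplies `Buffer`.

```javascript
// Added example. Field names follow the WebAuthn PublicKeyCredentialRequestOptions
// dictionary; binary fields arrive from the server as base64url strings.

function b64urlToBytes(s) {
  return new Uint8Array(Buffer.from(s, "base64url"));
}

// Build the object a page would pass as { publicKey: ... } to navigator.credentials.get().
function toRequestOptions(json) {
  const opts = {
    challenge: b64urlToBytes(json.challenge),
    rpId: json.rpId,
    userVerification: json.userVerification || "preferred", // WebAuthn default
  };
  if (Array.isArray(json.allowCredentials) && json.allowCredentials.length > 0) {
    opts.allowCredentials = json.allowCredentials.map((c) => ({
      type: c.type,
      id: b64urlToBytes(c.id),
      ...(c.transports ? { transports: c.transports } : {}),
    }));
  }
  return opts;
}

// "allowlist": the relying party names the credential IDs it will accept.
// "usernameless": no allowlist; the authenticator offers a discoverable credential.
function classifyFlow(opts) {
  const n = opts.allowCredentials ? opts.allowCredentials.length : 0;
  return { flow: n === 0 ? "usernameless" : "allowlist", credentialCount: n };
}

// Constructed samples (placeholder relying party and credential ID).
const allowlistRequest = {
  challenge: "AAECAwQFBgcICQoLDA0ODw",
  rpId: "login.example",
  userVerification: "required",
  allowCredentials: [{ type: "public-key", id: "3q2-7w", transports: ["usb", "nfc"] }],
};
const usernamelessRequest = { challenge: "AAECAwQFBgcICQoLDA0ODw", rpId: "login.example" };

console.log(classifyFlow(toRequestOptions(allowlistRequest)));    // allowlist flow
console.log(classifyFlow(toRequestOptions(usernamelessRequest))); // usernameless flow
```
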
Comment 12•11 months ago
(In reply to will.smart from comment #11)
> For the folks still dealing with this, another workaround, for this bug in particular, is triggering a usernameless logon flow (one where the relying party does not send an authenticator allowlist as part of the webauthn ceremony).
> Here's Yubico's KB on the subject: https://support.yubico.com/hc/en-us/articles/16726447752732-Safari-18-1-upgrade-MacOS-iOS-iPadOS-FIDO-PIN-issue-with-FIDO-CTAP-2-1-security-keys
> I'm pretty confident this is only reproducible on devices running iOS 18.1 or MacOS 15.1, and will be fixed in iOS 18.2 / MacOS 15.2 - which already has a release candidate out.
Hello!
I have this issue running MacOS 14.7.1 (latest version I can currently update to on my company issued laptop).
Thanks!
Comment 13•11 months ago
(In reply to Alexandre Dery from comment #12)
> Hello!
> I have this issue running MacOS 14.7.1 (latest version I can currently update to on my company issued laptop).
> Thanks!
Hi Alexandre
Does the workaround from the Yubico article or temporarily setting security.webauthn.enable_macos_passkeys to false work?
Both of those tests might help to confirm it's the same issue.
Comment 14•11 months ago
Hello Will!
Yes setting "security.webauthn.enable_macos_passkeys" to "false" solved the issue for me (MacOS 14.7.1, FF 133.0, Macbook M3 Pro).
Hope this helps!
Comment 15•11 months ago
(In reply to will.smart from comment #13)
> (In reply to Alexandre Dery from comment #12)
> > Hello!
> > I have this issue running MacOS 14.7.1 (latest version I can currently update to on my company issued laptop).
> > Thanks!
>
> Hi Alexandre
> Does the workaround from the Yubico article or temporarily setting security.webauthn.enable_macos_passkeys to false work?
> Both of those tests might help to confirm it's the same issue.
Hello Will!
Setting "security.webauthn.enable_macos_passkeys" to "false" solved the issue for me (MacOS 14.7.1, FF 133.0, Macbook M3 Pro).
I now have MacOS 15.1.1 available to upgrade to... would this be a pertinent test case for this issue, or more of the same?
Thank you!
Comment 16•11 months ago
I believe the earliest version where this issue is no longer present is MacOS 15.2, released yesterday, with its own, distinct webauthn bugs.
Comment 17•11 months ago
I confirm - 15.2 has fixed the issue with using YubiKey 5C NFC on Firefox with the latest version of MAC OS 15.2 - no pin loops
I recommend checking your ff after updating your OS.
Thank you all for your involvement in trying to solve this issue.
Comment 18•11 months ago
I can confirm that MacOS 15.2 solved the issue for me, FF 133 no longer goes into a pin loop, with "security.webauthn.enable_macos_passkeys" set back to "true" (Default).
Thank you for the analysis everyone!
Comment 19•11 months ago
Looks like there's nothing for us to do here.
@will.smart, could we get the security.webauthn.enable_macos_passkeys workaround mentioned on the yubico troubleshooting pages?