Open Bug 1968224 Opened 3 months ago Updated 11 days ago

login.microsoft.com - Authentication failure with FIDO2/WebAuthn authenticator for Entra accounts

Categories

(Web Compatibility :: Site Reports, defect, P3)

Desktop
Windows 10

Tracking

(Webcompat Score:2, Webcompat Priority:P3, firefox138 affected, firefox139 affected, firefox140 affected)


People

(Reporter: rbucata, Unassigned, NeedInfo)


Details

(Keywords: webcompat:needs-diagnosis, webcompat:site-report, Whiteboard: [webcompat-source:web-bugs])

User Story

platform:windows
impact:workflow-broken
configuration:general
affects:some
branch:release
diagnosis-team:dom
user-impact-score:17

Environment:
Operating system: Windows 10
Firefox version: Firefox 138.0

Steps to reproduce:
When attempting to log in to a Microsoft Entra account with either Windows Hello credentials or a FIDO2 security key, the Entra authN flow does not appear to be able to properly activate the security key UX provided by Windows.

When I select "Face, fingerprint, PIN or security key" as a way to log in, I am taken to a screen that says "Something went wrong when trying to sign in with a passkey. Please try again.".

When I try the same flow with Edge, after clicking on "Face, fingerprint, PIN or security key", I get UX from Windows asking me to pick the security key I want to use. I am able to use both my Windows Hello login and a FIDO2 security key.

In Firefox settings, I have enabled "Allow Windows single sign-on for Microsoft, work, and school accounts"

I already have a passkey for this account in Windows settings.

Expected Behavior:
Login successful

Actual Behavior:
Unable to login

Notes:

  • Reproduces regardless of the status of ETP
  • Reproduces in firefox-nightly, and firefox-release
  • Does not reproduce in chrome

Created from https://github.com/webcompat/web-bugs/issues/156686

QA does not have the required prerequisites for testing (auth methods, Entrata account), but we think this is something worth investigating, if the proper set-up is available.

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

Webcompat Score: --- → 1
Severity: -- → S4
User Story: (updated)
Webcompat Priority: --- → P3
Webcompat Score: 1 → 2
Priority: -- → P3
See Also: → 1860604

+1
Facing same issue... works fine in Chromium browsers

Summary: login.microsoft.com - Authentication failure with FIDO2/WebAuthn authenticator for Entrata accounts → login.microsoft.com - Authentication failure with FIDO2/WebAuthn authenticator for Entra accounts

The link https://login.microsoft.com/common/fido/get?uiflavor=Web doesn't show the login form at all; it shows an error when opened:

Sorry, but we’re having trouble signing you in.
AADSTS900561: The endpoint only accepts POST requests. Received a GET request.

Probably needs a new link?

That's not a correct endpoint. Instead, open the URL below; it will redirect to login.microsoftonline.com with the OAuth request data.

https://outlook.office.com/mail/

Here are the repro steps from my initial webcompat/web-bugs report. https://login.microsoft.com/common/fido/get?uiflavor=Web is the page that reports the error, but as Kagami Rosylight found, you can't start the repro from there. The shortest repro for me starts by trying to visit https://mysignins.microsoft.com/security-info.

Prerequisites:

  • An Entra work/school account that you use to log in to your machine.
  • A YubiKey v5 FIDO2 authenticator configured for that account.
  • Windows Hello PIN set up for that account on the machine.
  • Windows Hello facial recognition set up. (This does not appear to be a prereq upon further testing on 2025-07-30.)
  • Entra configured to allow a Windows Hello PIN and a YubiKey v5 as a strong authenticator

Steps:

  1. Log in to Windows with your Entra work/school account using facial recognition.
  2. Launch Firefox.
  3. Clear all cookies, site data, &c.
  4. Ensure that "Allow Windows single sign-on for Microsoft, work, and school accounts" is enabled in settings.
  5. Go to https://myaccount.microsoft.com/
  6. You should be automatically logged in to the same Entra account you logged in to Windows with.
  7. Go to https://mysignins.microsoft.com/security-info
  8. If prompted for a password, instead click on "Other ways to sign in"
  9. Click on "Face, fingerprint, PIN or security key"
  10. Observe the failure.
  11. Insert the YubiKey. Tap on it just to be sure.
  12. Click "Other ways to sign in"
  13. Click on "Face, fingerprint, PIN or security key"
  14. Observe the failure again.

Expected results:

Windows UX for interacting with security keys is shown. I am able to authN into my Entra account.

Actual results:

No UX for interacting with security keys is shown. The Entra site (https://login.microsoft.com/common/fido/get?uiflavor=Web) displays the error message "Something went wrong when trying to sign in with a passkey. Please try again."

Flags: needinfo?(jschanck)