Open Bug 1969205 Opened 20 days ago Updated 6 days ago

WebAuthn credentials require PIN to authenticate even when user verification is "discouraged"

Categories

(GeckoView :: General, defect, P1)

Firefox 141
All
Android
defect

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: git+bugzilla, Assigned: git+bugzilla)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0

Steps to reproduce:

Setup: You need to register a non-discoverable credential. It must be done with the Play services installed, or on desktop because of D247877:

  1. Visit https://webauthn.io/
  2. Enter a username
  3. Register a new credential with the following advanced settings:
    • User Verification = Discouraged
    • Discoverable Credential = Discouraged
  4. Enter the FIDO2 key PIN and complete the registration ceremony

Test: This can be done with the Play services installed, or with a credential manager that supports the hardware key.

  1. Visit https://webauthn.io/
  2. Enter the same username
  3. Authentication with the following advanced settings:
    • User Verification = Discouraged

Actual results:

The authentication requires the PIN, even though the credential is not discoverable and the relying party specified that User Verification was Discouraged.

Expected results:

The authentication should not request the PIN

Additional info:

Assignee: nobody → git+bugzilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

EDIT: Because of Bug 1964526 *

Product: Firefox for Android → GeckoView
Severity: -- → S2
Priority: -- → P1
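
The request from the Test steps and a relying-party-side check of the UV flag in the returned authenticatorData, as an added example that is not part of the bug report and is not Mozilla or webauthn.io code. The helper names and the sample bytes are constructed for illustration.

```javascript
// Added example. Flag bits and layout follow the WebAuthn authenticatorData format.
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Options matching the "Test" steps. A non-discoverable credential must be
// named in allowCredentials, so the caller passes its credential id(s).
function buildRequestOptions(challenge, credentialIds) {
  return {
    publicKey: {
      challenge,
      userVerification: "discouraged",
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) throw new RangeError("authenticatorData shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (bytes[32] & FLAG_UP) !== 0,
    userVerified: (bytes[32] & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Relying-party view: UP is always needed, UV only when it was "required".
// uvDespiteDiscouraged marks an assertion where verification was performed
// although the request discouraged it (still acceptable to the relying party).
function checkAssertion(requestedUv, authData) {
  const parsed = parseAuthenticatorData(authData);
  const accepted = parsed.userPresent && (requestedUv !== "required" || parsed.userVerified);
  const uvDespiteDiscouraged = requestedUv === "discouraged" && parsed.userVerified;
  return { ...parsed, accepted, uvDespiteDiscouraged };
}

// Constructed sample: placeholder rpIdHash (0xAA bytes), chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37).fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}
```

In a browser, pass `buildRequestOptions(...)` to `navigator.credentials.get()` and feed `assertion.response.authenticatorData` to `checkAssertion("discouraged", ...)`.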