Open Bug 1971969 Opened 7 months ago Updated 4 months ago

accounts.google.com - Google Titan USB-A security key fails with 2FA

Categories

(Web Compatibility :: Site Reports, defect, P3)

Product:
Web Compatibility
Component:
Site Reports
Type:
defect

Tracking

(Webcompat Priority:P3, Webcompat Score:3)

Project Flags:
Webcompat Priority P3
Webcompat Score 3

People

(Reporter: rbucata, Unassigned)

References

(
URL
)

Details

(Keywords: webcompat:needs-diagnosis, webcompat:site-report, Whiteboard: [webcompat-source:web-bugs][webcompat:sightline][webcompat:japan])

User Story

platform:linux
impact:workflow-broken
configuration:rare
affects:all
branch:release
diagnosis-team:security
user-impact-score:36

Environment:
Operating system: Linux
Firefox version: Firefox 139.0

Steps to reproduce:
I have a brand-new Google Titan USB-A security key. It authenticates correctly with every webauthn test service I've tried, but after entering my username and password, on the 2FA step, accounts.google.com immediately throws a "There was a problem" error. "Try using your security key again or try another way to verify it's you". The security key flashes green for less than a second, rather than continuously. Firefox also shows the "touch your security key to continue" prompt. I suspect Google's JS is issuing a request for authentication, and then aborting immediately, without giving the browser/user a chance to press the key.

This occurs on an AMD64 machine running Linux Mint 21.3 Virginia (6.8.0-59-generic #61~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 17:03:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux). This is the Mint-packaged Firefox 139.0 (64-bit). Packages are all up-to-date.

Oddly enough I can enroll the security token via Firefox; I just can't log in. I've tried deleting the credentials and re-enrolling several times, both in Firefox and Chromium, to no avail.

I can also use Chromium to log in. I can also enroll and log in with https://webauthn.me/, https://webauthn.io/, https://demo.yubico.com, and https://webauthn.lubu.ch/_test/client.html. On these sites I receive the prompt to tap the key, it flashes green until pressed, and auth proceeds normally. I think Firefox is doing the basic webauthn APIs correctly, and Google is doing something weird, but repeated attempts to escalate through Google support, including submitting HAR files and videos, have gone nowhere. They're saying it must be a Firefox bug.

I've tried clearing cache and cookies, running in a private browsing session, disabling all extensions, and restarting the machine from scratch. To be absolutely sure I've also run Firefox with a fresh profile, using -safe-mode, and it still breaks.

Actual Behavior:
Unable to login

Notes:

  • Reproduces regardless of the status of ETP
  • Reproduces in firefox-nightly, and firefox-release
  • Does not reproduce in chrome

Created from https://github.com/webcompat/web-bugs/issues/158830

QA does not have the required setup to test the issue, but the user said it fails in a new profile. This might be something to look into, if the required setup is available.

Whiteboard: [webcompat-source:web-bugs] → [webcompat-source:web-bugs][webcompat:sightline]
Severity: -- → S4
User Story: (updated)
Webcompat Priority: --- → P3
Webcompat Score: --- → 3
Keywords: webcompat:needs-diagnosis
Priority: -- → P3
Whiteboard: [webcompat-source:web-bugs][webcompat:sightline] → [webcompat-source:web-bugs][webcompat:sightline][webcompat:japan]
User Story: (updated)
Duplicate of this bug: 1989843

This is affecting Windows users too: Bug 1989843.

User Story: (updated)
OS: Linux → Unspecified
Hardware: Desktop → Unspecified

Hello. I am also experiencing this same problem. Gmail is no longer recognizing MFA via USB Titan key while using Firefox. Issue started Sep 1st. Previously, I had no issues signing into gmail with USB Titan key MFA.

Steps to reproduce:

Attempting to sign into my gmail account on PC running windows 10 using Firefox. I enter my email and password, then I am redirected to the MFA page and receive a pop up from Firefox prompting me to touch my USB Titan security key.

Actual results:

After touching the Titan key, gmail displays the following error:

There was a problem. Try using your security key again or try another way to verify it’s you.

I tried using the security key again, but received the same error. I tried clearing cache and cookies in Firefox, still received the error. I tried a private Firefox window, but still received the error. I tried restarting my pc, but received the same error. I tried disabling my firewall and ad blockers, but still received the same error.

I tested the Titan key to ensure it works. I successfully used it to sign into Lastpass in Firefox, which was successful.

Finally, I tried signing into gmail using a different browser, which was successful. This problem is only happening to gmail in Firefox.

Hello. Wondering if there are any updates on this ticket?

Flags: needinfo?(dschubert)

Updates to a ticket are shared in the ticket. Since no update has been shared, no update exists - no need to needinfo people.

Flags: needinfo?(dschubert)
You need to log in before you can comment on or make changes to this bug.