Open Bug 1985777 Opened 2 months ago Updated 1 month ago

WebAuthn PRF Extension is not working on macOS

Categories

(Core :: DOM: Web Authentication, defect)

Firefox 142
Unspecified
macOS
defect

UNCONFIRMED

People

(Reporter: humanet, Unassigned, NeedInfo)

Steps to reproduce:

I have run a test registration for WebAuthn credentials. That process worked fine, but PRF is silently skipped. No error anywhere.

It works on Windows, and it works on macOS with Chrome. I am using a YubiKey 5 NFC; I tried other keys and other browsers. I am 100% sure it is a Firefox issue.

The PRF extension is part of WebAuthn Level 3 and is increasingly used by passwordless services like Bitwarden and 1Password.

  • Chrome on macOS supports PRF with both platform authenticators (Touch ID) and external authenticators (e.g., YubiKey via USB HID).
  • Firefox supports PRF on Windows and Linux, but not macOS — creating an inconsistent experience across platforms.
  • The lack of PRF support on macOS breaks login flows for services that rely on it, forcing users to switch browsers.

Technical Clarification:

  • Firefox clearly does not rely on Apple’s native WebAuthn API, so it is not constrained by macOS limitations.
  • The PRF logic exists in Firefox’s codebase but is not wired up properly for macOS.
  • The missing piece appears to be USB HID integration and CTAP2 extension handling on macOS.

Actual results:

Credential Raw ID: 4bc830b28dda0d5ec31b65642d28902159bd877aa44811fb6b56a4305b0aa54bda675f9a27580c247a47a35286a72cc3f0748cc7e81be34df3f51882122f9f99
Credential ID: S8gwso3aDV7DG2VkLSiQIVm9h3qkSBH7a1akMFsKpUvaZ1-aJ1gMJHpHo1KGpyzD8HSMx-gb403z9RiCEi-fmQ
Credential Extension Results:

{
  "prf": {
    "enabled": false
  }
}

Expected results:

Credential Raw ID: 4bc830b28dda0d5ec31b65642d28902159bd877aa44811fb6b56a4305b0aa54bda675f9a27580c247a47a35286a72cc3f0748cc7e81be34df3f51882122f9f99
Credential ID: S8gwso3aDV7DG2VkLSiQIVm9h3qkSBH7a1akMFsKpUvaZ1-aJ1gMJHpHo1KGpyzD8HSMx-gb403z9RiCEi-fmQ
Credential Extension Results:
Actual Expected

{
  "prf": {
    "enabled": true
  }
}

Component: Untriaged → DOM: Web Authentication
OS: Unspecified → macOS
Product: Firefox → Core

What version of macOS are you using? Firefox does use the macOS WebAuthn API when it is available, and the PRF extension is supported and used by Firefox on macOS 15.0 (Bug 1935280).

I'm using a MacBook Air M2 running macOS 15.6.1 (previously 15.6 and 15.5 for several months), and I’ve tested this on multiple recent Firefox builds.

While WebAuthn itself works, the PRF extension does not appear to be functional. Specifically, after unlocking WebAuthn credentials, the PRF-derived output is missing — it cannot be used for key derivation or any downstream cryptographic purpose.

To be clear: the exact same code works as expected on Chrome on the exact same hardware and macOS version. This strongly suggests that Firefox’s macOS implementation is not fully handling the PRF extension, even though the platform authenticator is capable of it.

If Bug 1935280 claims PRF support landed in macOS 15.0, it may not be functioning correctly in later versions, or Firefox may not be invoking it properly. Logically, I see no other explanation for why the same code works with a different browser when everything else is the same.

(In reply to humanet from comment #2)

> I'm using a MacBook Air M2 running macOS 15.6.1 (previously 15.6 and 15.5 for several months), and I’ve tested this on multiple recent Firefox builds.
>
> While WebAuthn itself works, the PRF extension does not appear to be functional. Specifically, after unlocking WebAuthn credentials, the PRF-derived output is missing — it cannot be used for key derivation or any downstream cryptographic purpose.
>
> To be clear: the exact same code works as expected on Chrome on the exact same hardware and macOS version. This strongly suggests that Firefox’s macOS implementation is not fully handling the PRF extension, even though the platform authenticator is capable of it.
>
> If Bug 1935280 claims PRF support landed in macOS 15.0, it may not be functioning correctly in later versions, or Firefox may not be invoking it properly. Logically, I see no other explanation for why the same code works with a different browser when everything else is the same.

Also, fair to say I am not using a platform authenticator, but a FIDO2-compliant key for WebAuthn. And it does support PRF, as it works fine on the same machine and Chrome.

What version of Firefox are you using? Bug 1935280 was fixed in version 139, released at the end of May. Normally Firefox should auto-update and you should be using Firefox 142 now, but if you're using an ESR-128.x (our extended support branch) you won't have the fix yet.

If you are using a password manager add-on (like the one that integrates with LastPass) then they take over the authentication and it's actually not Firefox that is doing it. You can disable any such add-on and re-test and see if they are implicated in this issue. We do know some people who use LastPass are having problems in Firefox right now (see comments in bug 1986502 and bug 1980252).

> Firefox clearly does not rely on Apple’s native WebAuthn API

Why do you say "clearly"? Are you getting different UI? Is there a chance you have disabled our Mac integration and are getting our inbuilt USB key support? Please open about:config and check the value for the security.webauthn.enable_macos_passkeys pref. It should be set to true. It might be possible that if we encounter errors accessing the Mac API we fall back to that. If none of the above help we'll have to check logs looking for other possible culprits.

Is there anything unique about the site you're testing this on? Are you seeing the problem on a public demo site like https://webauthn.karkkainen.net/ ?

Type: enhancement → defect
Flags: needinfo?(humanet)
See Also: → 1935280
Summary: Feature Request: Enable WebAuthn PRF Extension Support on macOS → WebAuthn PRF Extension is not working on macOS
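
The failure mode reported in this bug is that registration succeeds while PRF is silently skipped. The added example below (not code from the bug report or from Firefox) shows a relying-party check that classifies `getClientExtensionResults()` and refuses to derive keys when PRF is missing; the function names, status strings and sample objects are constructed for illustration.

```javascript
// Added example: fail-closed handling of WebAuthn PRF extension results.
// Function names and status strings are illustrative, not from any library.

// Add the PRF extension to publicKey options. `salt` is an app-chosen
// BufferSource (assumption); without it only support is probed at create().
function withPrf(publicKeyOptions, salt) {
  const prf = salt ? { eval: { first: salt } } : {};
  return {
    ...publicKeyOptions,
    extensions: { ...(publicKeyOptions.extensions || {}), prf },
  };
}

// Classify credential.getClientExtensionResults() for a "create" or "get" call.
function classifyPrf(ext, phase) {
  const prf = ext && ext.prf;
  if (!prf) return "ignored"; // client did not process the extension at all
  const first = prf.results && prf.results.first;
  if (first !== undefined) {
    // CTAP2 hmac-secret is HMAC-SHA-256, so a PRF output is 32 bytes.
    return first.byteLength === 32 ? "output" : "malformed";
  }
  if (phase === "create") {
    return prf.enabled === true ? "enabled" : "unsupported";
  }
  return "no-output"; // get() completed but returned no PRF value
}

// Gate key derivation: throw instead of continuing without PRF material.
function requirePrf(ext, phase) {
  const status = classifyPrf(ext, phase);
  const ok = status === "output" || (phase === "create" && status === "enabled");
  if (!ok) {
    throw new Error(`PRF unavailable (${phase}: ${status}); refusing to derive keys`);
  }
  return status;
}

// Constructed sample results, shaped like the ones quoted in the report.
const SAMPLE_ACTUAL = { prf: { enabled: false } };
const SAMPLE_EXPECTED = { prf: { enabled: true } };
const SAMPLE_GET_OK = { prf: { results: { first: new Uint8Array(32).buffer } } };
```

In a browser, the first argument would be `credential.getClientExtensionResults()` from `navigator.credentials.create()` or `navigator.credentials.get()`.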