Open Bug 2003828 Opened 21 hours ago Updated 1 hour ago

Google login Passkey brings up Firefox prompt for a Security Key instead

Categories

(Core :: DOM: Web Authentication, defect)

Firefox 145
defect

UNCONFIRMED

People

(Reporter: matteo.ferrando2, Unassigned)

Attachments

(1 file)

Attached image proof.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0

Steps to reproduce:

Try to log in to a Google account and click on "Use your Passkey". Google says:

2-Step Verification
Your device will ask for your fingerprint, face, or screen lock

And then I get prompted by Firefox for a security key instead.

Actual results:

Prompted by Firefox for a security key instead of a bio print.

Expected results:

Get prompted for the right security thing.

When using Safari, it offers the security but also offers completing with a phone or tablet.

Doesn't look like an exploitable security issue that needs to stay hidden to protect users.

The dialog in the screenshot is a macOS one (not a Firefox one), so I imagine that Google has called the relevant web API and we're delegating the passkey bits to macOS. Over to web authentication folks who can perhaps provide more context / ask better questions to narrow down what is going on.

Group: firefox-core-security
Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

OK, got it to work with a hack:

  1. opened my account in Chrome
  2. added a passkey to my MacBook from it
  3. installed the iCloud Passwords extension in Firefox
  4. enabled Firefox access to passkeys in Mac system settings
  5. went through a verification process of iCloud Passwords
  6. disabled and re-enabled security.webauthn.enable_macos_passkeys, quitting in between

Finally got a fingerprint prompt.

Based on Comment 1, Safari also did not offer to use Touch ID / a passkey from iCloud keychain. So it sounds like you didn't have one stored there. If you registered the passkey from Chrome, you may have stored it in Chrome rather than in iCloud keychain. This can provide a very confusing user experience, as Chrome will use Touch ID to unlock its own passkey storage but passkeys stored in Chrome are not accessible from the macOS system dialog.

Did you have a passkey registered with Google that was stored on a phone or tablet? If so, then Firefox should have given you the same options as Safari. It's possible that you needed to allow Firefox access to passkeys in your system settings. I was under the impression that macOS would ask for that permission as part of the login flow. But maybe you had previously denied the permission?

Regarding Comment 3, it sounds like you successfully created a passkey in iCloud keychain in step 2. The rest of the steps should not have been necessary for that passkey to be usable from Firefox. Again, it may have been a permission issue.

I did have the passkey set up in iCloud, I just tested Safari before doing that.

I think it was mostly about Firefox actually prompting the iCloud passkey system.

I had this experience on a new laptop, so maybe an easy reproducer is:

  1. create a new account in macOS
  2. download Firefox
  3. try to open Google account

It should offer you to use maybe phone or tablet to confirm access?

And then you can try setting iCloud passkey and seeing it work or not.

I'm not able to reproduce in 146 or 147. In 145 I see the fingerprint and security key options, but I do not see the phone option. It's possible that this was fixed by Bug 1992469 in Firefox 146.

OK, I am in what my Firefox believes to be the latest build: 145.0.2 (aarch64)

Glad to read there was a fix already!

Thank you.
