mozilla / authenticator-rs

Rust library to interact with Security Keys, used by Firefox
https://crates.io/crates/authenticator
Mozilla Public License 2.0
275 stars, 72 forks

AppId Extension is broken again for FIDO2 security keys in Firefox 122 #331

Closed andreydanil closed 8 months ago

andreydanil commented 8 months ago

The problem is when an AppId extension is provided for a FIDO2 security key, the user can enter the FIDO2 PIN, but then nothing happens after a user enters a PIN and clicks submit - the browser no longer talks to the authenticator. This is only a problem starting with the 122 release.

Issue:

[screenshot]

It looks like this PIN prompt is no longer valid since Firefox was switched to the new popup mechanism.

I see a few major changes: to how the preflights in the CTAP2 logic work, and a rework of support for the AppId extension.

It appears that starting with Firefox 122, the default popup is the Apple/Safari one; however, when an AppId extension is provided, the old popup appears and nothing happens after entering a PIN.

[screenshot]

msirringhaus commented 8 months ago

Could you try this using Linux? I have a feeling that this may have nothing to do with authenticator-rs, but with the usage of the system dialogs for passkeys/security keys on Macs specifically.

jschanck commented 8 months ago

Testing on macOS with security.webauthn.enable_macos_passkeys = false would be sufficient to rule out an authenticator-rs regression.

andreydanil commented 8 months ago

@msirringhaus, this is an issue on Linux as well. Linux is working and not broken as of FF122.

@jschanck setting security.webauthn.enable_macos_passkeys to false makes the security key respond to the challenge after entering the FIDO2 token PIN (using the AppID extension). Thank you for the suggestion!

This does unblock users in an environment where U2F and FIDO2 security keys are registered; however, is it possible to make the passkeys not interfere with WebAuthn as in FF121?

jschanck commented 8 months ago

That doesn't make sense to me. Setting security.webauthn.enable_macos_passkeys to false makes macOS use authenticator-rs by default, which should align its behavior with Linux (which you say is not working). Did you also set security.webauthn.ctap2 to false on macOS (and not on Linux)?

andreydanil commented 8 months ago

I see. Linux appears to be working now; I had multiple security keys plugged in, and one of the devices was holding on to the previous challenge.

It's an issue with macOS only, then. Using the AppId extension in Safari works with U2F and FIDO2 keys; however, the FF122 version appears to be breaking the authentication. Given that Safari works with the new popup, it appears there is a bug on the FF end, but not necessarily with the authenticator-rs library. Feel free to chime in.

Thanks a lot for the quick responses @jschanck and @msirringhaus!

jschanck commented 8 months ago

Thank you, I found the underlying issue in Firefox, and I'll post a patch shortly. It is not a regression in authenticator-rs.

andreydanil commented 8 months ago

@jschanck, thank you again! One request: can this please be patched in FF122?

jschanck commented 8 months ago

Probably not. I'll request beta uplift for 123, but we're pretty far into the release cycle at this point.

andreydanil commented 8 months ago

Got it. I would appreciate it if the fix could come in FF123. Thanks so much!

andreydanil commented 8 months ago

Linking the bugzilla ticket for reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1878598.