mozilla/authenticator-rs

AppId Extension is broken again for FIDO2 security keys in Firefox 122

andreydanil opened this issue · 10 comments

The problem is when an AppId extension is provided for a FIDO2 security key, the user can enter the FIDO2 PIN, but then nothing happens after a user enters a PIN and clicks submit - the browser no longer talks to the authenticator. This is only a problem starting with the 122 release.

Issue:
image

It looks like this PIN prompt is no longer valid since Firefox was switched to the new popup mechanism.

I see a few major changes: to how the preflights work in the CTAP2 logic, and a rework of support for the AppId extension.

It appears that starting with Firefox 122, the default popup is the Apple/Safari one; however, when an AppId extension is provided, the old popup occurs and nothing happens after entering a PIN.

image
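For readers of this report who maintain a relying party: the flow being discussed is the WebAuthn `appid` extension, which lets credentials registered under a legacy U2F AppID be asserted from a site using an RP ID. The following is an added example (not code from the issue, from Firefox, or from the authenticator-rs project) showing how the extension is requested in `navigator.credentials.get()` and how the server side should read `getClientExtensionResults().appid` to know which identifier the `rpIdHash` in `authenticatorData` must be checked against. The AppID, RP ID, challenge and credential ids are constructed placeholders.

```javascript
// Added example, not from the original issue or project.
// Shows the relying-party side of the "appid" extension flow.

const LEGACY_APPID = "https://example.com/u2f-app-id.json"; // constructed placeholder
const RP_ID = "example.com";                                // constructed placeholder

// Build PublicKeyCredentialRequestOptions for an assertion.
// `challenge` and `credentialIds` are byte arrays the server issued.
function buildAssertionOptions(challenge, credentialIds, appId = LEGACY_APPID) {
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: credentialIds.map((id) => ({
      type: "public-key",
      id,
      transports: ["usb"],
    })),
    userVerification: "preferred",
    // Ask the client to retry the assertion with the legacy U2F AppID if the
    // credential was not scoped to rpId. The client reports whether it did so.
    extensions: { appid: appId },
  };
}

// Decide which identifier the server must SHA-256 and compare with the
// rpIdHash (first 32 bytes of authenticatorData). A client that honoured the
// appid extension reports `appid: true`; anything else means rpId was used.
function expectedRpIdForAssertion(clientExtensionResults, appId = LEGACY_APPID) {
  if (clientExtensionResults && clientExtensionResults.appid === true) {
    return appId;
  }
  return RP_ID;
}

// Compare the rpIdHash carried in authenticatorData with the hash the server
// computed for the identifier returned by expectedRpIdForAssertion().
function rpIdHashMatches(authenticatorData, expectedHash) {
  if (authenticatorData.length < 32 || expectedHash.length !== 32) {
    return false;
  }
  for (let i = 0; i < 32; i += 1) {
    if (authenticatorData[i] !== expectedHash[i]) {
      return false;
    }
  }
  return true;
}

// Browser-only: run the assertion and return what the server needs to verify.
// Returns null outside a browser so the pure helpers above remain testable.
async function assertWithAppId(challenge, credentialIds) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    return null;
  }
  const publicKey = buildAssertionOptions(challenge, credentialIds);
  const credential = await navigator.credentials.get({ publicKey });
  const ext = credential.getClientExtensionResults();
  return {
    credential,
    // The server hashes this value and checks it against authenticatorData.
    rpIdToVerify: expectedRpIdForAssertion(ext),
    usedLegacyAppId: ext.appid === true,
  };
}
```

The point a relying party should take from the thread's symptom (PIN accepted, then silence) is that the client never returns from `navigator.credentials.get()` at all, so the server sees only a timeout; when the call does return, `appid: true` versus absent is the only signal of which scope the authenticator signed under, and verifying against the wrong one makes the assertion fail.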

Could you try this using Linux? I have a feeling that this may have nothing to do with authenticator-rs, but with the usage of the system dialogs for passkeys/security keys on Macs specifically.

Testing on macOS with security.webauthn.enable_macos_passkeys = false would be sufficient to rule out an authenticator-rs regression.

@msirringhaus, this is an issue on Linux as well. Linux is working and not broken as of FF122.

@jschanck, setting security.webauthn.enable_macos_passkeys to false makes the security key respond to the challenge after entering the FIDO2 token PIN (using the AppID extension). Thank you for the suggestion!

This does unblock users in an environment where U2F and FIDO2 security keys are registered; however, is it possible to make the passkeys not interfere with WebAuthn as in FF121?

That doesn't make sense to me. Setting security.webauthn.enable_macos_passkeys to false makes macOS use authenticator-rs by default, which should align its behavior with Linux (which you say is not working). Did you also set security.webauthn.ctap2 to false on macOS (and not on Linux)?

I see. Linux appears to be working now, I had multiple security keys plugged and one of the devices was holding on to the previous challenge.

It's an issue with macOS only then. Using the AppId extension in Safari works with U2F and FIDO2 keys; however, the FF122 version appears to be breaking the authentication. Given that Safari works with the new popup, it appears there is a bug on the FF end, but not necessarily with the authenticator-rs library. Feel free to chime in.

  • FF121 works with both U2F and FIDO2 keys.
  • FF122 works for U2F keys, but not FIDO2 keys using the AppId extension.
  • FF122 works when security.webauthn.enable_macos_passkeys=false.

Thanks a lot for the quick responses @jschanck and @msirringhaus!

Thank you, I found the underlying issue in Firefox, and I'll post a patch shortly. It is not a regression in authenticator-rs.

@jschanck, thank you again! One request: can this please be patched in FF122?

Probably not. I'll request beta uplift for 123, but we're pretty far into the release cycle at this point.

Got it. I would appreciate it if the fix can come into FF123. Thanks so much!

Linking the bugzilla ticket for reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1878598.