[upstream] Firefox lacks FIDO2 support with Yubikeys

Bug #1877038 reported by IA
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Confirmed
Unknown
firefox (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

Ubuntu LTS versions affected.

"Passwordless" authentications with Yubikeys using Firefox don't work with FIDO2.

Tested both with the yubikey software packages from the bionic/universe repo and those from the vendor https://www.yubico.com/

Tags: upstream
Revision history for this message
In , Jjones-g (jjones-g) wrote :

Web Authentication is specified for the second-factor-only CTAP 1.1 protocol and a passwordless-supporting CTAP 2.0 protocol. This meta-bug tracks support for CTAP 2 and passwordless support.

Revision history for this message
In , P-bugzilla-mozilla-org (p-bugzilla-mozilla-org) wrote :

*** Bug 1535730 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Twisniewski (twisniewski) wrote :

Given that the live.com site only supports passwordless login via CTAP2, and this metabug is marked as a P1 for the last 7 months, could we get an update? It's unclear what the status is for authenticator-rs to support CTAP2, and that's the only dependency I'm seeing (which is curiously marked as a P3 for this P1 metabug).

Revision history for this message
In , Jjones-g (jjones-g) wrote :

I'm busy elsewhere at present; I keep hoping I'll have some free time to work on WebAuthn soonish, but there's nothing definitive planned. Realistically, I have to rework the UX before I can really integrate the CTAP2 branch of `authenticator-rs` properly (since I need to do things like solicit PINs) and what passes for a WebAuthn UX today is currently broken anyway (Bug 1573190, Bug 1540309, Bug 1579927). So I need to learn how to do UX design as a practical prereq, which makes it harder to just casually work on.

Revision history for this message
In , Twisniewski (twisniewski) wrote :

Thanks for the update, here's hoping we can get some assistance for you on the UX end.

Revision history for this message
In , T-m-0 (t-m-0) wrote :

Regarding your comment on https://bugzilla.mozilla.org/show_bug.cgi?id=1536482#c4, did you find the time?

Can I help to triage or groom anything?

Revision history for this message
In , Jjones-g (jjones-g) wrote :

I got Bug 1616675 handled, but not quite yet, still working on diffs for CRLite, among other things. I also have PRs to write for the WebAuthn spec that have to happen before the fun stuff...

Revision history for this message
In , T-m-0 (t-m-0) wrote :

Thanks for the response, and great to see you working in this. If I can help with the WebAuthn spec PRs, give a shout. (feedback, proofreading, writing out use cases, etc.)

Revision history for this message
In , Jjones-g (jjones-g) wrote :

*** Bug 1619850 has been marked as a duplicate of this bug. ***

Revision history for this message
Aaron Whitehouse (aaron-whitehouse) wrote :

Is this related to: https://bugzilla.mozilla.org/show_bug.cgi?id=1530370 ? If so, in the duplicate bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1619850 ) somebody said "This is a 2020 goal."

affects: evolution (Ubuntu) → firefox (Ubuntu)
Olivier Tilloy (osomon)
summary: - Firefox seems to lack FIDO2 support with Yubikeys
+ [upstream] Firefox lacks FIDO2 support with Yubikeys
tags: added: upstream
Changed in firefox (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in firefox:
importance: Unknown → Medium
status: Unknown → Confirmed
Revision history for this message
In , Jaromir Talir (jtalir) wrote :

Any update on this? We are using FIDO MDS to verify attestations and only get useless fido-u2f type attestation statement (no aaguids included) with Firefox on Linux. This works fine in Chrome. I believe it's related to this issue. The situation forces us to put disclaimer on our service: "Do not use Firefox for FIDO2 token registrations". It makes me sad since Firefox has always been my favourite browser. Hope this will move forward.

Olivier Tilloy (osomon)
Changed in firefox (Ubuntu):
importance: Low → Medium
Revision history for this message
In , 0x0ptr (0x0ptr) wrote :

Agree, any update? This makes Firefox useless on MacOS and Linux. How come Windows works?
Also, isn't this related/same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530373 ?

Revision history for this message
In , Nkochar (nkochar) wrote :

(In reply to 0x0ptr from comment #10)
> Agree, any update? This makes Firefox useless on MacOS and Linux. How come Windows works?
Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.

> Also, isn't this related/same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530373 ?
This is a meta bug and bug 1530373 is one of the dependencies.

Revision history for this message
In , Z-paul-p (z-paul-p) wrote :

(In reply to Neha Kochar [:neha] from comment #11)

> Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.

I appreciate the work that you guys for free and I understand that resources are tight. Is there some way we could provide some financial support to address this specific issue?

How can Firefox claim to be all about Privacy, Security and Speed when it doesn't support the greatest improvement we have ever had to all of those things when it comes to logins? I expected Firefox to be the very first to get this working, not the last.

Again, I do really appreciate what the developers do but I really think that this issue deserves to be a top priority and I'm sure there are plenty of people who would be willing to fund it.

Revision history for this message
In , Bert Van de Poel (bhack) wrote :

(In reply to paul from comment #12)
> (In reply to Neha Kochar [:neha] from comment #11)
>
> > Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.
>
> I appreciate the work that you guys for free and I understand that resources are tight. Is there some way we could provide some financial support to address this specific issue?
>
> How can Firefox claim to be all about Privacy, Security and Speed when it doesn't support the greatest improvement we have ever had to all of those things when it comes to logins? I expected Firefox to be the very first to get this working, not the last.
>
> Again, I do really appreciate what the developers do but I really think that this issue deserves to be a top priority and I'm sure there are plenty of people who would be willing to fund it.

Currently someone from SUSE has been working on authenticator-rs. They really want to see webauthn added to firefox and have been working for weeks on CTAP2 support now. You can check out https://github.com/mozilla/authenticator-rs/pull/150 https://github.com/mozilla/authenticator-rs/pull/154 and their own development branch on https://github.com/msirringhaus/authenticator-rs/tree/ctap2-cont

Of course, work would be much light if it wasn't a single person doing all the work!

Maybe this gives you some idea of the progress of things right now :)

Revision history for this message
In , Dveditz (dveditz) wrote :

*** Bug 1719806 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Dveditz (dveditz) wrote :

*** Bug 1695380 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Coelacanthus-p (coelacanthus-p) wrote :
Revision history for this message
In , D-mv-t (d-mv-t) wrote :

I'd also love to see this get added — I'd love to use passwordless auth, but I'm not going to implement it if it's not supported by the main browser I use. Looks like https://github.com/mozilla/authenticator-rs/pull/157 just got approved a few days ago, so hopefully things are moving?

Thanks for working on this!

Revision history for this message
In , Coelacanthus-p (coelacanthus-p) wrote :

https://github.com/mozilla/authenticator-rs/pull/157 is merged to https://github.com/mozilla/authenticator-rs/tree/ctap2-2021 branch now.
I hope it can be included in Firefox Nightly test, I'm glad to test it!

Revision history for this message
In , Kdubost (kdubost) wrote :

mysignins.microsoft.com - FIDO2 passwordless authentication is not supported on Firefox for Linux
https://github.com/webcompat/web-bugs/issues/101753

Putting Webcompat Priority to 1, just because this is microsoft, people have other ways to log in, but for some users that might be a hard stop.

Revision history for this message
In , Mozilla-kaply (mozilla-kaply) wrote :

This is also affecting Amazon.

Revision history for this message
In , Drew-dani (drew-dani) wrote :

> I'd also love to see this get added — I'd love to use passwordless auth, but I'm not going to implement it if it's not supported by the main browser I use. Looks like https://github.com/mozilla/authenticator-rs/pull/157 just got approved a few days ago, so hopefully things are moving?

Can this be tested in a FF Nightly build?

Revision history for this message
In , Mozilla-kaply (mozilla-kaply) wrote :

Please don't need info people if you are just asking a question.

Revision history for this message
In , Bugs-c (bugs-c) wrote :

(In reply to drew.dani from comment #21)
> > I'd also love to see this get added — I'd love to use passwordless auth, but I'm not going to implement it if it's not supported by the main browser I use. Looks like https://github.com/mozilla/authenticator-rs/pull/157 just got approved a few days ago, so hopefully things are moving?
>
> Can this be tested in a FF Nightly build?

Not yet. You can get yourself CC'd on this bug if you want to know when this lands in nightly.

Revision history for this message
In , Drew-dani (drew-dani) wrote :

Thanks for the update and suggestion. Can we prioritize this item? It has a large impact on 2 major tech companies.
Also, do you have an estimated completion date when FIDO2 will be available on Mac and Linux?

Revision history for this message
In , Bugs-c (bugs-c) wrote :

I can't give you an estimate but this is my current work item. The priority of this meta bug wasn't reflecting that, my apologies.

Revision history for this message
In , Drew-dani (drew-dani) wrote :

Greeting, any progress on this bug? If you have a branch, I can help review and collaborate on the feature. Please provide the blockers and estimated completion date.

Revision history for this message
In , Sylvain Rabot (sylr) wrote :

My company is considering enforcing the use of FIDO2 devices. It would be a blow for our Mac and Linux employees to have to switch from Firefox to Chrome because of this.

Revision history for this message
In , Jay Chu (escape0707) wrote :

Just read a news about even iOS 16 will ship better webauthn function. I guess this issue should be taken care of sooner.

Revision history for this message
In , purtpelhcs (christian-c-benz) wrote :

Currently Microsoft doesn't support FIDO2 keys while using firefox on linux or MacOS.
(see https://learn.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility)
Just for my understanding: Would resolving this bug result in MS being able to support FIDO on linux/MacOS?

Revision history for this message
In , Neumaif02-k (neumaif02-k) wrote :

(In reply to Christian from comment #29)
> Just for my understanding: Would resolving this bug result in MS being able to support FIDO on linux/MacOS?
It would, at least if MS allows the User Agent of Firefox for Mac/Linux to see this feature (otherwise you would have to switch your user agent) like they didn't do with Safari.

Revision history for this message
In , Paul Schreiber (paulschreiber) wrote :

+1 would like to see this. We ran into this problem with Microsoft + Firefox on Linux yesterday.

Revision history for this message
In , Dschubert (dschubert) wrote :

Folks, while it's great to see there is a lot of interest in this, please don't post "+1" comments. We know that this is important (it is a P1, after all) and people are actively working on it. It will be done as soon as it's done, and posting more comments isn't accelerating that process.

Revision history for this message
In , Drew-dani (drew-dani) wrote :

Any updates on the estimated completion date on this P1 item? This bug has been open for 4 years (since 2/25/2019) and impacting customers from raising the security bar to migrate to FIDO2 security keys; ultimately driving millions of users AWAY from using Firefox. Google Chrome, Microsoft Edge, and Safari support FIDO2 for years now. Also, U2F is a deprecated API and major security token providers only sell FIDO2 tokens. Currently, Firefox only supports U2F on Mac and Linux, and with that, this is a critical security blocker.

On a different note, can someone from Mozilla provide a knowledge transfer so that we understand the blocker and the remaining work? Is there a feature branch we can test FIDO2 in Firefox on Mac and Linux? I'm curious to know the current state of the FIDO2 support in Firefox. Thanks.

Revision history for this message
In , Neumaif02-k (neumaif02-k) wrote :

Is there any plan to also support passkeys?

Revision history for this message
In , Dkeeler (dkeeler) wrote :

(In reply to neumaif02 from comment #34)
> Is there any plan to also support passkeys?

See bug 1792433.

Changed in firefox:
importance: Medium → Unknown
Revision history for this message
In , Alfie-fresta (alfie-fresta) wrote :

I'm interested in hearing people's thoughts on adopting FIDO2 platform APIs on Linux, akin to Windows Hello, or Android's Fido2ApiClient -- which Firefox already delegates to on those platforms.

I've written a FIDO2 (WebAuthn) and FIDO U2F platform library in Rust [1], for Linux. It's a WiP, but it already supports the main FIDO2 ceremonies, both FIDO2 PIN protocols, and downgrading WebAuthn for U2F devices (as per specs). I've tested this with as many security keys I could get my hands on so far [2]. It's designed to have pluggable transports, currently supporting HID and BLE (via Bluez), and plans for NFC and caBLE.

As mentioned before, whilst it could be used directly as a library, the main objective is to provide a backend for new D-Bus platform APIs. Secondary goals include supporting TPM platform authenticators, and supporting containerised applications (e.g. Flatpaks[3]), without requiring access to the USB stack, or BLE adapters.

I'm trying to gauge interest in Firefox delegating U2F and FIDO2 to the platform. If this sounds feasible, as the next step I will try and reach out to GNOME shell folks. I reached out earlier to some System76 engineers working on the Cosmic DE, as they may also be interested.

[1] https://github.com/AlfioEmanueleFresta/xdg-credentials-portal
[2] https://github.com/AlfioEmanueleFresta/xdg-credentials-portal/wiki/Verified-hardware
[3] https://github.com/flatpak/flatpak/issues/2764

Revision history for this message
In , Dkeeler (dkeeler) wrote :

HI Alfie - bugzilla isn't a discussion forum. You'll probably have more luck here: https://discourse.mozilla.org/

Revision history for this message
In , Dveditz (dveditz) wrote :

*** Bug 1815529 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Nicola-canepa-74 (nicola-canepa-74) wrote :

Is there an ETA to restore Firefox 114 working behavior?

Revision history for this message
In , T-matsuu (t-matsuu) wrote :

All dependent bugs have been fixed.

Revision history for this message
In , Y-satou (y-satou) wrote :

I just tested nightly build which includes fix of [~~1846836~~](https://bugzilla.mozilla.org/show_bug.cgi?id=1846836) and it worked like a charm, restore FF114's behavior. Is there plan backport to 115ESR?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.