FIDO test releases fails to authenticate #537
Comments
hey, thanks for reporting! Reproducing this was possible for us using firefox - but not chrom(ium).
So, could you please crosscheck using webauthn.io if this is also true for you? Why I am asking is because it looks like we've already found and fixed the issue:
At least this change will make authentication work again for me on firefox, so the question remains whether we see something else (on-top?) here, as you reported that the chrome behavior is identical. We'll include the change into the next test release (likely next week), using that you could then confirm if this fixes it for you. |
Here's my results at webauthn.io: These are all on Debian Bookworm.
I am now able to authenticate with real world sites like google.com but not on others, for example gandi.net, for chrome. I'm not sure what would be a good site to use for you for testing. |
great, thx for the detailed info - I assume you did not change anything inside the options on webauthn.io ? |
Hi Markus, I did fool around with the advanced options when I had registered the Nitrokey but couldn't authenticate in Firefox. This was blocking me from registering the key in other browsers. I thought setting "Use Security Key" since google recently is forcing passkey might make a difference but I didn't see any. I reverted back. I think the main points to take away are:
|
weird - for me chromium works just fine registering + authenticating with gitlab, github and gandi .... but as expected (due to the webauthn.io behavior) they all don't work with firefox (but they work again with the fix linked above)... did you see this:
because the next possibility to fully reproduce your behavior would be resetting on a 1.7.2 stable, then update to the test firmware. Or did you by any chance downgrade to 1.7.2 in between ? |
Here's the steps I took:
I did not do a fido2 reset. I did not see this. I assume this will wipe all my existing credentials which will be very challenging since I cannot get a list of all the sites from the key - a very frustrating factor of the fido protocol. BTW, another data point. OpenSSH fido based authentication continues to work with the test firmware. |
ok, then the only path we didn't go to reproduce is to make sure to not downgrade from the test release to the stable release, this particular "downgrade" path will invalidate your fido2 credentials - also please keep in mind that the test version is not intended for production use - be sure to have backup-methods for using your designated services. Maybe to explain in short what happened here: we implemented ctap2.2 and it looks like firefox is not precisely behaving as the specification suggests (at least how we understand it). So during attestation (authentication) an additional field is returned in the data-map from the nk3 (this is the bug mentioned above which was fixed already and shows correct behavior for me and firefox). Firefox should also ignore this field (according to spec) but doesn't... but as already implied, there could be another issue, based on your reports - but it's super weird why webauthn.io is behaving so differently for you. could you maybe do the tests above again with webauthn.io (firefox + chromium is ok), but set all drop downs in "more-options" to "discouraged" ? |
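The behavior described in the comment above (an extra field in the authenticator's response map that a client is expected to ignore), as an added example that is not part of the thread and is not Nitrokey or Firefox code: a client-side parser for an `authenticatorGetAssertion` response, run in tolerant and strict mode over the same bytes. The member numbers are those of CTAP 2.1; the response bytes and the unknown key 99 are constructed for illustration, since the thread does not name the field involved.

```python
# Added example: tolerant vs. strict handling of unknown keys in a CTAP2 response map.
KNOWN_KEYS = {1: "credential", 2: "authData", 3: "signature", 4: "user",
              5: "numberOfCredentials", 6: "userSelected", 7: "largeBlobKey"}

def decode_item(buf, pos):
    """Decode one CBOR item (uint, bytes, text or map); return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info                      # argument stored in the head byte
    elif info in (24, 25):
        width = info - 23               # 1- or 2-byte argument follows
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("unsupported CBOR encoding")
    if major == 0:
        return arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = decode_item(buf, pos)
            out[key], pos = decode_item(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_get_assertion(response, strict=False):
    """Return (known fields by name, list of unknown keys); strict rejects unknown keys."""
    if not response or response[0] != 0x00:
        raise ValueError("authenticator returned an error status")
    fields, end = decode_item(response, 1)
    if not isinstance(fields, dict) or end != len(response):
        raise ValueError("malformed response map")
    unknown = [k for k in fields if k not in KNOWN_KEYS]
    if strict and unknown:
        raise ValueError(f"unexpected response keys: {unknown}")
    if not {2, 3}.issubset(fields):     # authData and signature must be present
        raise ValueError("missing authData or signature")
    return {KNOWN_KEYS[k]: v for k, v in fields.items() if k in KNOWN_KEYS}, unknown

# Constructed response: status 0x00, then {2: 4 bytes, 3: 2 bytes, 99: 1}.
SAMPLE = bytes.fromhex("00 a3 02 44aabbccdd 03 420102 1863 01")
```

`parse_get_assertion(SAMPLE)` returns the two known fields and reports key 99 as skipped, while `parse_get_assertion(SAMPLE, strict=True)` raises, which is the failure mode a firmware change that adds a response member exposes in a strict client.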
Well, this seems even odder. I was previously able to register the key with Firefox with the default options. Keep in mind that authentication fails for real world sites in chrome based browsers.
|
ok, then let's wait on the upcoming test release and redo some tests - thx for your investigations |
Hi, We have released v1.7.2-test.20241022. Can you test if it fixes your issue? |
On 2024-10-24 08:35, sosthene-nitrokey wrote:
Hi, We have released v1.7.2-test.20241022
<https://github.com/Nitrokey/nitrokey-3-firmware/releases/tag/v1.7.2-test.20241022>. Can you test if it fixes your issue?
I upgraded to this version from version v1.7.2-test.20240813.
The updated version does work with Firefox (132.0b7) when authenticating
to Google Workspace using FIDO2.
Thank you for the quick fix. You can close this issue.
…--
JP
|
device: Nitrokey 3C
firmware: v1.7.2-test.20240813
OS: Debian Bookworm
Browsers: Firefox 131.0b8, Chrome 129.0.6668.58
After installing the test firmware, I can no longer authenticate to any website using either Firefox or Chrome. I tried registering the Nitrokey which was successful but still fails to authenticate.
At a site:
This is a show stopper