Re: FIDO2 security key (YubiKey 5 NFC) and WebAuthn

From: Jan Behrens <jbe-mlist_at_magnetkern.de>
Date: Thu, 05 Sep 2024 10:18:43 UTC
On Thu, 05 Sep 2024 01:29:34 +0000
Hotaka Korenori <chaplintokyo@vivaldi.net> wrote:

> Hi,
> 
> 
> I am a newbie here but having a similar issue with Yubikey 5 NFC on Firefox on GhostBSD (FreeBSD 14.1 based).  I reached out to Yubikey support and this is the response I got.  I haven't yet tried the suggested check re pcscd but this does seem to be what the folks at Yubikey seem to feel is the most likely issue.
> 

Hi, thanks for sharing.

I don't think "pcscd" is involved in this case. I can use my Yubikey
with Firefox (as well as ssh-keygen and a few other programs) WITHOUT
pcscd.

I need pcscd when I want to use the Yubikey Manager, e.g. to generate
TOTP tokens or to change my PIN. (Though it's also possible to change
the FIDO2 pin through the "fido2-token" command, which doesn't use
"pcscd".) But Firefox just seems to access /dev/uhid0 in my case, for
which I need to make sure my user is in the "u2f" group.

But even being in the "u2f" group, and with "pcscd" stopped or running,
the issue still persists in Firefox. Also restarting "pcscd" does not
have any impact on the issue.

The only workaround for me is to switch to the text console using
CTRL+ALT+F1 and then back to X with CTRL+ALT+F9. I don't need to do
anything on the console. Just switching back and forth does the trick
(but then allows me to use Firefox just once until I have to do
CTRL+ALT+F1 and then CTRL+ALT+F9 again).

This feels very weird to me, and I don't know if this is an issue of
Firefox or FreeBSD.

Since I can also observe the behavior when NO key is inserted (Firefox
asks for a token touch only once), I don't think this issue is related
to the hardware.

> 
> Chaplintokyo

Regards
Jan

> 
> 
> 
> Michael (Yubico)
> 
> Sep 3, 2024, 11:13 AM PDT
> 
> Hello,
>  
> Thank you for contacting Yubico Support! Michael here, sorry to hear about this issue!
>  
> I'm afraid GhostBSD falls outside our scope of support as it is a linux distribution. You would need to reach out to them directly. Sorry about that!
>  
> I do have one suggestion, however, and that is to be sure that the pcscd daemon is running; you can use the following command in the terminal if you are using systemd: sudo systemctl status pcscd  
>  
> I hope this helps! Please let me know if you have any further questions. Otherwise, have a great day!
>  
> 
> 
> Kind regards,
> 
> Michael
> Customer Support Specialist | Yubico
> 
> 
> 
> On 2024-09-04 17:46:43 (+09:00), Jan Behrens wrote:
>
> > Hello,
> >
> > I have a problem with my FIDO2 security key (which is a YubiKey 5 NFC).
> > As I'm unsure whether this is an issue of FreeBSD or Firefox, I ask
> > here.
> >
> > Originally, I made a post on the FreeBSD forum, but didn't get a
> > helpful response regarding this issue yet:
> > https://forums.freebsd.org/threads/94605/
> >
> > In here, I only want to discuss the WebAuthn issue in Firefox, and not
> > the potential security issue regarding "pcscd" also mentioned on the
> > forum. (I made a post to the freebsd-security mailing list in that
> > matter.)
> >
> > The Firefox related problem is as follows: When I go to
> > https://webauthn.io/ and click on "Authenticate" (this is reproducible
> > without a hardware token), then Firefox asks me:
> >
> > "Touch your security key to continue with webauthn.io."
> >
> > If I press cancel and try again, the website will from then on respond
> > with:
> >
> > "The request is not allowed by the user agent or the platform in the
> > current context, possibly because the user denied permission."
> >
> > Similar errors happen on other websites providing WebAuthn login.
> >
> > This is until I switch to the text console using CTRL+ALT+F1 and back
> > to X using CTRL+ALT+F9. Afterwards I can perform WebAuthn registration
> > or authentication once more using Firefox, but only once. After an
> > unsuccessful or successful registration or authentication, it won't
> > work until I switch back to text console and back.
> >
> > If I have several Firefox windows with different profiles open, only
> > the first attempt will be executed, and all other windows will fail
> > from then on.
> >
> > This problem doesn't seem to exist in Chromium. However, I don't
> > understand why switching to the text console and back to X is a
> > workaround. This is why I suspect there might be something FreeBSD
> > related to this problem?
> >
> > Can anyone reproduce this behavior of Firefox using FreeBSD? I'm using
> > package "firefox-130.0_1,2" and FreeBSD 14.1-RELEASE-p3.
> >
> > Kind Regards,
> > Jan Behrens
>