PIN protected Yubikey isn't recognized

httpjames

Steps to reproduce:

Lock Yubikey WebAuthn with a PIN for user verification
Try to log into a website that requires user verification
Plug yubikey in
Try pressing the button

Safari does not behave in the same way because it prompts for the PIN.

Expected behavior:
I expected it to ask for my PIN to unlock the yubikey and login normally.

Orion, OS version; hardware type:
Version 0.99.121.1-beta (WebKit 614.1.20)
MacBook Pro (macOS Ventura 13.0 build 22A380)
Yubikey 5C NFC

Vlad

Lack of a yubikey makes this hard to reproduce. I thought we nailed WebAuthn, not sure what is causing it. @gp ?

gp

Ah, so it is possible to add PIN protection to webauthn devices.

I will set up a spare Yubikey with a PIN, and give it a test.

BTW, you won't need an actual Yubikey to test this with - almost any hardware "dongle" type key should let you set a PIN. Just be aware you often cannot remove it after setting it, so you might not want to do it on your "real" one.

From an article about this:

"To allow getAssertion calls with or without PIN, the website decides this individually per operation. This is done by setting the optional userVerification property to either required, preferred, or discouraged."

I imagine that in your API implementation of webauthn, we need to add a "flow" for a scenario where a site requests getAssertion(), and the 3 options for userVerification:

"The RP has the following options for userVerification when initiating registration or authentication:

DISCOURAGED: This value indicates that the RP does not want user verification employed during the operation (for example, to minimize disruption to the user interaction flow).

PREFERRED: This value indicates that the RP prefers user verification for the operation if possible, but will not fail the operation if the response does not have the AuthenticatorDataFlags.UV flag set.

REQUIRED: Indicates that the RP requires user verification for the operation and will fail the operation if the response does not have the AuthenticatorDataFlags.UV flag set."

Today, Orion handles DISCOURAGED fine - no PIN prompt should be popped up, even if the device has a PIN set. It handles PREFERRED when someone has not set a PIN on their device. The scenario not handled right now is where REQUIRED is used, or PREFERRED is used, and a PIN is set on the device.

More info - https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html

https://www.w3.org/TR/webauthn-2/#user-verification

Exists

I can reproduce the issue with a few exceptions

The vast majority of sites behave in the way described this post, prompting for the key & causing it to blink, but not recognizing a press.

I've noticed that this isn't an issue with some sites, such as GitHub and GitLab (only ones I've found so far)

Same versions & YubiKey model as the initial report

gp

Exists

Would you be able to check if GitHub and GitLab behave in this way in another browser?

I suspect GH and GL are requesting userVerification = DISCOURAGED, which would not request a PIN, even if one is set. Best test would be to use Safari or another browser to log in, on a key with a PIN (which I assume you have based on your notes above), and see if it proceeds in another browser without PIN?

Exists

Looks like that is the issue

Both GH and GL didn't require a pin while testing on Safari, other sites that don't work on Orion did request a pin

gp

To record my testing notes here. Note that I have tested with a Yubikey, but this is all standardised under FIDO2/webauthn as a PIN, so you don't have to use a Yubikey.

Set up a fresh Yubikey 5C (firmware 5.4.3, current latest). Disabled all the applets other than FIDO2 and U2F.
Set up a FIDO2 PIN on the device via the Yubikey manager app.
In Safari, browse to https://webauthn.io
Register a new "user" on this testing site, using the default settings. Settings captured below (note that user verification is the relevant one here, which is on by default).

Safari asks how you'd like to authenticate. Pick the option for an external security key.

Press the button on your token when prompted, to confirm user presence.

Enter your PIN when prompted

Tap the button on the key again when prompted

Done registering

Log in again using Safari - enter username, hit authenticate
Tap the button when prompted.

Enter your FIDO2 PIN

Tap the button again

Successful login in Safari

Now let's use Orion to login, attempting the same username as before

Some useful docs from Yubico looking at compatibility of different browsers and OSs.

https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/

To resolve this issue, we need to ensure user verification is implemented.

I suspect the "next" feature request would be discoverable credentials (i.e. passwordless login). For example, if I try to log in to webauthn.io without entering a username, then press the button and enter PIN, I can see the following (after telling Safari I want to use an external key):

Allowing me to pick an "account" to log in as - via the "discoverable credentials" feature of Webauthn/FIDO2 - where the credential gets stored on the key itself.

Ota

I just also ran into this issue and no idea how to solve it, besides using a different browser. It would be lovely if this can be tackled for a browser that considers privacy and security first.

aycaramba

Reporting same problem; pin-ed Yubikey is not being recognized on e.g. dropbox.com. Donated $50 for this effort specifically as it's the only real blocker for my switching to this browser. Thanks for the amazing work you're doing!

P.S. I do encourage folks affected to register to vote on the issue and make a donation to sponsor this as well.

httpjames

I am also sponsoring this issue as I need pin protected yubikeys for work, and I'd love to fully switch to Orion instead of switching between browsers.

Vlad

Thanks to both, we will give this issue attention asap.

prpl

I'm also experiencing this issue with my SoloKey, so it's not just limited to YubiKeys.

twadds

I just paid for a year subscription to Orion and I'm a Kagi search subscriber. I'd love to get this issue sorted. I have a couple of PIN protected YUbiKeys and am having this issue also

dino

@twadds @gp @httpjames @Ota can you please try this Dev(test) build and check if that works (we updated some code)

https://www.icloud.com/iclouddrive/0b7WgHZqUgn0-Jms4kkRiyhsQ#Orion-13.0-124.4.6

Vlad

We are looking for a yes/no 🙂 We do not have a key to test so we need your guidance.

aycaramba

I have attempted the download from 3-4 different browsers and it doesn't -- some log spew in the console. I assume something is temporarily broken on icloud drive side. I will retry in a bit, or if you guys could upload elsewhere, I can try that

dino

aycaramba Uploaded build to dropbox (with few more fixes to WebAuthn)

https://www.dropbox.com/s/5vtbublfyb718yz/Orion-13.0-124.4.6.2-Dev.zip?dl=0