Usernameless seems not to be working on ANY Browser on W10 1903/1909 #138
Comments
I just successfully enrolled and logged in usernameless with a security key on 1909 with Edge, Firefox, and Chrome 79 (Chrome 78 is crashing for me for some reason). What exactly are you doing in order to reproduce the failure?
Okay, this is getting weird here. I recently got an eWBM Goldengate G310 (the one with a fingerprint sensor and FIDO2 L2), and on any request I tried (even literally just as I write this comment) it just gets that error posted above, without even asking for UV. My Solo Hacker (3.0.0), on the other hand, doesn't even ask for a PIN when trying to log in. Basically I went and created the credential locally (Brave on Kubuntu), and logging in with that seems to work fine on every system that doesn't intercept FIDO calls, including the other remote W10 with 1809, although the Edge on 1809 is limited to 20 RKs per RP. I basically just connect the stick using VirtualHere, then start the login process, and well, after a short wait for nothing, I get that message that the key is unknown, with W10 not asking for any verification. The fact that the Solo doesn't ask for a PIN and the Goldengate doesn't get recognized properly seems VERY weird to me, to be honest. Even on classic Edge on 1809 the Solo doesn't ask for a PIN when using usernameless login.
Okay, I found out what's going on with the missing UVs. Apparently passwordless.dev on usernameless sends userVerification discouraged, and apparently Windows just takes that even when everything else goes to enforce UV on RK logins. Also, I think that may be the reason why the Goldengate immediately refuses, as it probably doesn't want to give out any RKs without UV. Another update: my own test tool, which I generally use for playing around a lot, apparently also rejects W10 190x with the Goldengate. Based on this I think Windows is trying to find out whether the key fits the site before trying UV, which basically just blasts everything. Classic Edge on 1809 apparently doesn't try this, and as long as you don't go with discouraged the sign-in goes through.
I was also able to register and login with G310. The flow does feel a tad awkward, but it does work. The Windows WebAuthn library seems to require PIN entry an excessive amount of the time.
PIN entry? I've never seen it ask for a PIN unless that it requires UV for a lot may be that W10 is iirc only FIDO2 aware and registrations force UV if set by spec (imo stupid)
Ah yes, I almost certainly factory reset this since last demo.
passwordless.dev works for me on win 1903.
I am not sure whether it made any difference; other platforms I used just ignored the UV parameter and forced UV. The chaos apparently comes from that on my G310 the issue apparently only arose when registering on a different platform and then signing in via 1903 (don't ask me why). Although I can't currently check whether this is still the case, as I am not at home currently and I didn't take the G310 with me (as I do have to send it back). Also, this specifically only seems to happen on usernameless; other scenarios iirc worked fine.
On my Windows 10 computer with Chrome and a USB security key, |
it basically just says "this key seems to be unknown, please try another", without even asking me for a UV.
As far as I know how Windows 1903+ captures FIDO things, I believe this would apply to all browsers running on at the very least 1903.
I tried both classic Edge and Insider Dev, as well as the latest Chrome as of the writing of this issue (literally just downloaded).
Since Windows 10 started intercepting FIDO2, the general "browser XYZ works" approach is kinda flawed in my opinion.
Update, also happens on 1909.
Edge 1809 seems to work fine, albeit with the limitation that only the 20 most recent RKs for any given RP are shown; also, other browsers work fine pre-1809, as interception wasn't a thing back then.
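
The UV behaviour discussed in this thread, as an added example that is not part of the issue or of the project's code: a relying-party-side check that a usernameless assertion actually carries the UV flag, whatever the platform did with a `discouraged` request. The function names and sample bytes are constructed for illustration; signature, challenge, origin and rpIdHash validation are assumed to happen elsewhere.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// Options an RP would pass to navigator.credentials.get() for usernameless login.
function usernamelessRequest(challenge, rpId, userVerification = "required") {
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [], // empty list: the authenticator picks a resident key
      userVerification,     // the thread observed "discouraged" being sent here
    },
  };
}

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData shorter than 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Policy check for usernameless login: the request setting is only a hint to the
// client, so the server decides based on the flags the authenticator signed.
function checkUsernamelessAssertion(authData, userHandle) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (!parsed.userVerified) return { ok: false, reason: "UV flag not set" };
  if (!userHandle || userHandle.length === 0) return { ok: false, reason: "no userHandle" };
  return { ok: true, reason: "UP and UV set", signCount: parsed.signCount };
}

// Constructed authenticatorData: zeroed rpIdHash, caller-chosen flags, signCount 7.
function sampleAuthData(flags) {
  const d = new Uint8Array(37);
  d[32] = flags;
  d[36] = 7;
  return d;
}
```

With the constructed samples, flags `0x05` (UP and UV) pass the check and flags `0x01` (UP only, the outcome described for the Solo) are rejected.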