mysignins.microsoft.com - FIDO2 passwordless authentication is not supported on Firefox for Linux #101753

Closed
iinuwa opened this issue Mar 30, 2022 — with webcompat-app · 7 comments
Labels: browser-firefox, engine-gecko (the browser uses the Gecko rendering engine), os-linux (issues only happening on Linux), priority-critical, severity-critical (the site or core functionality is unusable, or you would probably open another browser to use it), type-unsupported (doesn't support one or more browsers)

iinuwa commented Mar 30, 2022

URL: https://mysignins.microsoft.com/security-info

Browser / Version: Firefox 98.0
Operating System: Ubuntu
Tested Another Browser: Yes Chrome

Problem type: Site is not usable
Description: Browser unsupported
Steps to Reproduce:
Enrolling FIDO2 security keys in an Azure AD tenant is not supported on Firefox on Linux.

  1. Go to myprofile.microsoft.com and log in with a user account.
  2. Go to Security Info.
  3. Click the button to add an authentication method.
  4. Select "Security Token." You may be prompted to enroll another authentication method enabling a security token.
  5. The attached error appears.

Microsoft says so in their documentation, but I'm not sure what the requirements are that Firefox lacks on Linux that are met on Windows. Maybe it's because Firefox doesn't support CTAP 2, but I can't confirm that.

Browser Configuration
  • None

From webcompat.com with ❤️

@webcompat-bot webcompat-bot added this to the needstriage milestone Mar 30, 2022
@webcompat-bot webcompat-bot added browser-firefox engine-gecko The browser uses the Gecko rendering engine priority-critical labels Mar 30, 2022
@softvision-oana-arbuzov softvision-oana-arbuzov added the os-linux Issues only happening on Linux. label Mar 31, 2022
@softvision-oana-arbuzov softvision-oana-arbuzov changed the title mysignins.microsoft.com - site is not usable mysignins.microsoft.com - FIDO2 passwordless authentication is not supported on Firefox for Linux Mar 31, 2022
@softvision-oana-arbuzov softvision-oana-arbuzov added type-unsupported Doesn't support one or more browser severity-critical The site or core functionality is unusable, or you would probably open another browser to use it. labels Mar 31, 2022
@softvision-oana-arbuzov
Member

Thanks for the report. Indeed it seems that FIDO2 passwordless authentication is not supported on Firefox for Linux.

Moving to Needsdiagnosis for further investigation.

[qa_13/2022]

Member

karlcow commented Apr 4, 2022

NgoHuy commented May 16, 2023

WebAuthn CTAP2 must be enabled in about:config, but it cannot log in passwordless for some reason; I debugged and got nothing from the HTTP request.

itsjfx commented Aug 17, 2023

The feature is enabled by default and supported in Firefox as of 114.0
https://www.mozilla.org/en-US/firefox/114.0/releasenotes/

However the Azure login website (at this time, 17 Aug 2023) still does not support FIDO2 as it glitches out.
If you use Tampermonkey or Greasemonkey and this gist I wrote -- you can override some JS variables on the Azure login to allow it to work.
https://gist.github.com/itsjfx/e9e63130ba17a180a2e42294a2d955d5/
Raw link for Tampermonkey or Greasemonkey: https://gist.github.com/itsjfx/e9e63130ba17a180a2e42294a2d955d5/raw/75157271fae2e7f89b13e8ec43e2037ac673c187/azure_login_fido2_fix.user.js

Azure's website (on the server side) will stop FIDO2 from working for Firefox as it'll detect your user agent. Another workaround is to set your user agent to Chrome on Linux and it'll work as expected.

NgoHuy commented Aug 17, 2023

I confirmed it; changing the user agent to Chrome on Windows worked.

@justinsteven

I can confirm that @itsjfx's userscript works. Thank you itsjfx!

Without the userscript, Microsoft's FIDO2 code throws "The operation failed for an unknown transient reason" after doing a window.navigator.credentials.get()

With the userscript, the login flow completes successfully with no need to spoof a User Agent string.

I adapted the userscript to the following bookmarklet:

javascript:(function()%7Balert(%22Patching%20variables%20to%20support%20FIDO2%20login%22)%3Bwindow.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3Bwindow.%24Config.fIsFidoSupported%3Dtrue%3Bwindow.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Bwindow.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3B%7D)()%3B
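
Added example, not part of the thread or of @itsjfx's gist: a bookmarklet that rewrites sign-in configuration is worth decoding before use, so this audit lists which window.$Config fields the posted bookmarklet overwrites and which hosts the new values point to. The function names are hypothetical, and treating the two hosts that appear in the posted bookmarklet as the expected set is an assumption.

```javascript
// Added example: decode a javascript: bookmarklet and review it before use.
// BOOKMARKLET is the string posted above, split only for readability.
const BOOKMARKLET =
  'javascript:(function()%7Balert(%22Patching%20variables%20to%20support%20FIDO2%20login%22)%3B' +
  'window.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3B' +
  'window.%24Config.fIsFidoSupported%3Dtrue%3B' +
  'window.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3B' +
  'window.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3B' +
  '%7D)()%3B';

// Assumption: the hosts named in the posted bookmarklet are the expected ones.
const EXPECTED_HOSTS = new Set(['login.microsoft.com', 'login.microsoftonline.com']);
// Tokens that would let a bookmarklet do more than assign config values.
const RISKY_TOKENS = ['eval(', 'Function(', 'fetch(', 'XMLHttpRequest', 'document.cookie', 'import('];

function decodeBookmarklet(href) {
  if (!/^javascript:/i.test(href)) throw new Error('not a javascript: URL');
  return decodeURIComponent(href.slice('javascript:'.length));
}

function auditBookmarklet(href) {
  const src = decodeBookmarklet(href);
  // Matches: window.$Config.<key> = <"string" | bare literal>;
  const re = /window\.\$Config\.(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);/g;
  const assignments = [];
  for (const [, key, raw] of src.matchAll(re)) {
    let host = null;
    try {
      if (raw.startsWith('"')) host = new URL(JSON.parse(raw)).host;
    } catch {
      host = null; // string value that is not an absolute URL
    }
    // ok: true/false for URL values, null for non-URL values such as booleans
    const ok = host === null ? null : EXPECTED_HOSTS.has(host);
    assignments.push({ key, value: raw, host, ok });
  }
  return {
    src,
    assignments,
    offHost: assignments.filter((a) => a.ok === false).map((a) => a.key),
    risky: RISKY_TOKENS.filter((t) => src.includes(t)),
  };
}

console.log(auditBookmarklet(BOOKMARKLET).assignments);
```

An empty offHost and an empty risky list mean the bookmarklet only assigns the four values shown and keeps every endpoint on the expected hosts.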

equaeghe commented Oct 3, 2023

I am using Firefox 105.3.1esr and am wondering whether registering a security key with Firefox on Linux is already supported for me. If so, do I still need to do something like use the above-mentioned user-script or user-agent-string spoofing?

Currently, when I go through the security key registration process, after I type the name of the key, I get an error message:
The Dutch translates to “Something went wrong. You can best try another security key or contact the administrator.”
