FIDO2 security key (YubiKey 5 NFC) and WebAuthn

From: Jan Behrens <jbe-mlist_at_magnetkern.de>
Date: Wed, 04 Sep 2024 08:46:43 UTC

Hello,

I have a problem with my FIDO2 security key (which is a YubiKey 5 NFC).
As I'm unsure whether this is an issue of FreeBSD or Firefox, I ask
here.

Originally, I made a post on the FreeBSD forum, but didn't get a
helpful response regarding this issue yet:
https://forums.freebsd.org/threads/94605/

In here, I only want to discuss the WebAuthn issue in Firefox, and not
the potential security issue regarding "pcscd" also mentioned on the
forum. (I made a post to the freebsd-security mailing list in that
matter.)

The Firefox-related problem is as follows: When I go to
https://webauthn.io/ and click on "Authenticate" (this is reproducible
without a hardware token), then Firefox asks me:

"Touch your security key to continue with webauthn.io."

If I press cancel and try again, the website will from then on respond
with:

"The request is not allowed by the user agent or the platform in the
current context, possibly because the user denied permission."

Similar errors happen on other websites providing WebAuthn login.

This is until I switch to the text console using CTRL+ALT+F1 and back
to X using CTRL+ALT+F9. Afterwards I can perform WebAuthn registration
or authentication once more using Firefox, but only once. After an
unsuccessful or successful registration or authentication, it won't
work until I switch back to the text console and back.

If I have several Firefox windows with different profiles open, only
the first attempt will be executed, and all other windows will fail
from then on.

This problem doesn't seem to exist in Chromium. However, I don't
understand why switching to the text console and back to X is a
workaround. This is why I suspect there might be something FreeBSD
related to this problem?

Can anyone reproduce this behavior of Firefox using FreeBSD? I'm using
package "firefox-130.0_1,2" and FreeBSD 14.1-RELEASE-p3.

Kind Regards,
Jan Behrens