U2F keys in Firefox


Can’t wait to start using U2F in Firefox with Duo, hoping this is still on track for a “mid-to-late 2018” release.



Can you elaborate on this difference? So far websites I’ve accessed that implement FIDO2 have worked with the same Yubi 5 in Chrome and Firefox.



I’d just like to pile on to the queue of people clamoring for this feature. I’m a privacy-conscious Firefox user, and now that my university has mandated that we use Duo 2FA for logging in to our learning management system, I find it very frustrating to have to open Google Chrome from a disk image to log in.

As other people have said, I can use my YubiKey in Firefox just fine with other websites that implement U2F, so it’s pretty baffling to me that Duo still doesn’t support it.

Even worse, Duo used to work in Firefox if I set my User-Agent to Chrome on Windows, but something happened in the past 6 months to break that workaround too. The Firefox developers seem to think this problem stems from you guys trying to set a global variable that is read-only in Firefox’s API, but read-write in Chrome’s. I’m sure many Firefox users would appreciate it if you could perform that feature test in a different way, so that we all could continue using our browser of choice.



Is Duo just planning to wait on this until the W3C’s WebAuthn spec is implemented in all of the (commercially relevant) browsers?



That just happened, so hopefully soon. Duo also doesn’t work with Chrome on Android. From what I can tell it really looks like the problem is with Duo’s checks for browser type being too strict. For Android, if you have something like a Yubikey 5 NFC, it really should work with Android too. Hopefully soon.
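The two failure modes reported in the posts above (a feature test that writes to a read-only global, and a browser-type check that is too strict), as an added example that is not Duo's code and not part of the original posts. The `window` objects are constructed stand-ins and every function name is hypothetical; the read-only `u2f` global models what the post reports about Firefox.

```javascript
// Constructed stand-in for a browser `window`; `u2f` is writable or read-only.
function makeWindow({ userAgent, u2fWritable, hasWebAuthn }) {
  const win = { navigator: { userAgent } };
  Object.defineProperty(win, 'u2f', {
    value: { register() {}, sign() {} },
    writable: u2fWritable,
  });
  if (hasWebAuthn) {
    win.PublicKeyCredential = function PublicKeyCredential() {};
    win.navigator.credentials = { create() {}, get() {} };
  }
  return win;
}

// Fragile pattern: sniff the User-Agent, then overwrite the global with a shim.
function fragileCheck(win) {
  'use strict';
  if (!/Chrome\//.test(win.navigator.userAgent)) return false;
  win.u2f = { register() {}, sign() {} }; // throws if `u2f` is read-only
  return true;
}

// Robust pattern: read capabilities only; never write globals or parse the UA.
function detectSecurityKeySupport(win) {
  const creds = win.navigator && win.navigator.credentials;
  const webauthn = typeof win.PublicKeyCredential === 'function' &&
    Boolean(creds) && typeof creds.get === 'function';
  const u2f = Boolean(win.u2f) && typeof win.u2f.sign === 'function';
  return { webauthn, u2f, any: webauthn || u2f };
}

function runFragile(win) {
  try {
    return fragileCheck(win) ? 'supported' : 'rejected-by-ua';
  } catch (err) {
    return err instanceof TypeError ? 'threw-TypeError' : 'threw-other';
  }
}

const CHROME_UA = 'Mozilla/5.0 (constructed) Chrome/73.0 Safari/537.36';
const FIREFOX_UA = 'Mozilla/5.0 (constructed) Gecko/20100101 Firefox/66.0';
const samples = {
  chrome: () => makeWindow({ userAgent: CHROME_UA, u2fWritable: true, hasWebAuthn: true }),
  firefox: () => makeWindow({ userAgent: FIREFOX_UA, u2fWritable: false, hasWebAuthn: true }),
  firefoxSpoofedUa: () => makeWindow({ userAgent: CHROME_UA, u2fWritable: false, hasWebAuthn: true }),
};
for (const [name, make] of Object.entries(samples)) {
  console.log(name, runFragile(make()), detectSecurityKeySupport(make()));
}
```

The spoofed-User-Agent sample passes the sniffing step and then fails on the write, while the capability check returns the same answer for all three samples.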



I noticed this pop up in the Duo Admin panel today:

March 1, 2019

WebAuthn is now available in the Duo Prompt

Use Touch ID on MacOS with the Chrome Browser or Security Keys with Chrome or Firefox. Learn more about the WebAuthn policies and setting up a WebAuthn device in our release notes.

However, when I follow the link to the March 1, 2019 Release notes there is no mention of WebAuthn in those notes. I suspect they intended that message to correspond to impending release notes for today or tomorrow March 7/8, 2019 which are not yet posted. Also, I don’t see any change in behavior with Firefox yet, so that suggests they haven’t pushed the corresponding update (everywhere) yet.



I think this blog post Touch ID and Beyond: Duo’s Plans for WebAuthn | Duo Security will be welcome news for everyone watching this thread:

Thanks to Firefox’s early adoption of WebAuthn, we’re happy to announce that we’ll also be supporting Security Keys in Firefox.

This feature should be available for all customers by March 15. Configuration documentation for these new authentication methods will be coming soon as well.



That’s great news, thanks for cross posting.

I’d still like to know about U2F over NFC … it doesn’t work and I’m not sure where lies the limitation.



Quick update: Much more information on Firefox support for Security Keys and TouchID auth on macOS, including links to the new documentation, is available in the latest release notes post here: Duo Release Notes for March 15, 2019



Any additional guidance on getting U2F to work with Duo in Firefox? I have the latest version of Firefox 65.0.2, enabled security.webauth.u2f in about:config, and have authenticated using U2F through Chrome one additional time as outlined in the Duo release notes. I also have a policy created and applied to the Duo Device Management Portal application with WebAuthn (Security Keys, Touch ID) as an allowed Authentication Method. I’m testing this by logging in to the DMP in Firefox but I still get the message about “Requires Chrome to use Security Keys” when trying to use my Security Key (U2F) to log in to the DMP.



Hi Buster,
Apologies for a bunch of links headed your way, but I think I know what issue you’re having here. Keys only enrolled as U2F are not supported for Firefox, so you’ll need to make sure the key is enrolled as a WebAuthn device and make sure you’re selecting it in the prompt.

You’ll need to do the following:

  1. Update your Security Key in Chrome as shown here: https://guide.duo.com/security-keys#existing-u2f-users
  2. If it is not your default device, in Firefox you will need to select your key in the device dropdown as shown in the second screenshot here: https://guide.duo.com/security-keys#security-key-auth

It sounds like you’ve probably already done the first bit, but it’s good to check. You can set your default device in the Self-Service Portal (“My Settings & Devices”) as documented here: https://guide.duo.com/manage-devices.



Dooley, thank you for the reply and the links. I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal. They have U2F IDs but not WebAuthn IDs listed under the WebAuthn & U2F section in the Admin portal. I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link) as I’m guessing this is the process that is supposed to enable them as WebAuthn? I’ve also removed them from the Duo configuration and added some back through the self-service and DMP.

On a side note, should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy?



Just tracked down some answers for you:

I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal.

As of now, you cannot. We currently don’t support WebAuthn enrollment in the Admin Panel. This is something we’re hoping to deliver, but there is no ETA on this feature at the moment.

I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link)

Please verify that Security Keys (WebAuthn) is enabled in your group and/or application Authentication Methods policies. Once enabled, the next time you use your security key in Chrome, you should be prompted for an upgrade.

should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy

Once enrolled and allowed via policy (please check your group and application Authentication Methods policies here as well), macOS TouchID should be listed as an option in Chrome. TouchID is not supported on other browsers. Here is the TouchID documentation https://guide.duo.com/touch-id.



For what it’s worth, I was not seeing this active for users on our system yet (Deployment DUO50), but I did have the Methods associated with WebAuthn (both TouchID & Security Keys) selected as options in our various policies (turned on by default from what I could see). HOWEVER, it was not on by default in our global policy, so when I flipped those on I started to see them available for users who all fall into the more granular policies.

I was successfully able to update my U2F/Yubikey entry and then subsequently use it to auth in a Firefox browser (wahoo!).

I’m not sure if I ever realized before that options in the Global Policy have to be enabled in order for them to be “on” in the more specific policies, unless this is a unique behavior to this new feature set.

All that being said, I did a quick test with trying to enroll my Touch ID on my MacBook Pro and it’s giving me an error about “Your identity couldn’t be verified: This device doesn’t support the type of security key requested by this website”. I have yet to do any investigation/troubleshooting with this, but for the record I’m using Chrome 73.0.3683.75 with MacOS 10.14.3 on my 2017 MacBook Pro.



Quick update: The default Authentication Methods policy setting for new customers and newly-created policies allows all of Duo’s authentication methods including WebAuthn by default, but to ensure administrators are aware of their users’ authentication methods, customers with existing policies will need to enable the WebAuthn authentication methods.

I’ve updated the release notes post with this info as well. Thank you all very much for the speedy feedback and help here! It’s much appreciated!


I’m not sure if I ever realized before that options in the Global Policy have to be enabled in order for them to be “on” in the more specific policies, unless this is a unique behavior to this new feature set.

You do not need to enable the new authentication methods at a global level in order to be able to allow them in application or group policies. I’ve verified that nothing has changed regarding the policy engine here. If you are not seeing the authentication methods at a group or application level, it’s likely due to a conflicting assigned group policy or similar. I would recommend double-checking the Custom Policy documentation for reference: Policy & Control | Duo Security.

For that TouchID error, please make sure you’re following the specific TouchID enrollment process, not enrolling it as a Security Key: https://guide.duo.com/touch-id#touch-id-enroll. If you continue to have issues, please contact our Support Team so they can more deeply troubleshoot this issue with you.



Just to be completely clear. I did see the authentication methods listed in our policies as options (both at the global and the group/application level). However, what I found is that enabling methods for WebAuthn at the group/application level did not seem to do anything until I also enabled them in the global policy. I can’t really experiment with this much since this is a production environment, but that’s definitely the behavior I saw. From what I can tell, the policy order (per: Policy & Control | Duo Security) for enabling WebAuthn did not take precedence when it was enabled in our group policies and only became enabled when I allowed it in our Global Policy. My assumption was that the global policy was always the lowest priority in the policy order, but that was not my experience for this setting. I don’t have a problem enabling it at the global level, but if that’s not the proper behavior I figured it was worth noting.

Thanks much. I’m definitely following the TouchID enrollment process and will likely be contacting the Support Team, but haven’t spent much time troubleshooting yet myself.



Sorry I wasn’t clear in my original post. I have a specific application policy applied to our Device Management Portal that allows WebAuthn and TouchID. Our Global policy has these options unchecked. I wasn’t seeing U2F or Touch ID allowed in the Device Management Portal, even after trying with Chrome, reboots, clearing cookies, remove/add security key in chrome, etc.

I came back a few hours later, logged in to the Device Management Portal (application that has a specific policy allowing WebAuthn and security keys) and noticed that I was able to use my U2F and Touch ID is listed. Seems like it took a couple of hours for this feature to apply to our tenant/account.

Good work on getting the WebAuthn support out there! Looking forward to testing with Touch ID in the next few days and Windows Hello later this year.



I have followed your instructions and got to the point of the use security key button, but every time I use the use security key button I get an authentication failed. To Try again, click the button, insert and tap your Security key message is displayed at the bottom. Just loops, I never get the key to light up on the U2F key or been able to tap the security key.

Firefox version 66.0(64 bit)



Hi David,
Sorry to hear you’re having a frustrating experience with this. By any chance do you have multiple keys registered? We discussed this internally and are not aware of an issue like this unless you’re attempting an authentication using the wrong Security Key at the Duo Prompt.



I looked in Duo Admin and I did have 2 after the upgrade, one device type security key, and the other webauthn security key, I have since deleted the webauthn security key. Also turned off WebAuthn as an authentication method, since it started asking users to upgrade their security key.

To be honest, I do not have time to work on this right now, just thought it would be a quick thing. We do have some users who would like to use Firefox but have told them to use Chrome instead for the time being.