U2F keys in Firefox


#22

Hi Buster,
Apologies for a bunch of links headed your way, but I think I know what issue you’re having here. Keys only enrolled as U2F are not supported for Firefox, so you’ll need to make sure the key is enrolled as a WebAuthn device and make sure you’re selecting it in the prompt.

You’ll need to do the following:

  1. Update your Security Key in Chrome as shown here: https://guide.duo.com/security-keys#existing-u2f-users
  2. If it is not your default device, in Firefox you will need to select your key in the device dropdown as shown in the second screenshot here: https://guide.duo.com/security-keys#security-key-auth

It sounds like you’ve probably already done the first bit, but it’s good to check. You can set your default device in the Self-Service Portal (“My Settings & Devices”) as documented here: https://guide.duo.com/manage-devices.


#23

Dooley, thank you for the reply and the links. I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal. They have U2F IDs but not WebAuthn IDs listed under the WebAuthn & U2F section in the Admin portal. I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link), as I’m guessing this is the process that is supposed to enable them as WebAuthn? I’ve also removed them from the Duo configuration and added some back through the self-service and DMP.

On a side note, should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy?


#24

Just tracked down some answers for you:

I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal.

As of now, you cannot. We currently don’t support WebAuthn enrollment in the Admin Panel. This is something we’re hoping to deliver, but there is no ETA on this feature at the moment.

I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link)

Please verify that Security Keys (WebAuthn) is enabled in your group and/or application Authentication Methods policies. Once enabled, the next time you use your security key in Chrome, you should be prompted for an upgrade.

should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy

Once enrolled and allowed via policy (please check your group and application Authentication Methods policies here as well), macOS TouchID should be listed as an option in Chrome. TouchID is not supported on other browsers. Here is the TouchID documentation https://guide.duo.com/touch-id.


#25

For what it’s worth, I was not seeing this active for users on our system yet (Deployment DUO50), but I did have the Methods associated with WebAuthn (both TouchID & Security Keys) selected as options in our various policies (turned on by default from what I could see). HOWEVER, it was not on by default in our global policy, so when I flipped those on I started to see them available for users who all fall into the more granular policies.

I was successfully able to update my U2F/Yubikey entry and then subsequently use it to auth in a Firefox browser (wahoo!).

I’m not sure if I ever realized before that options in the Global Policy have to be enabled in order for them to be “on” in the more specific policies, unless this is a unique behavior to this new feature set.

All that being said, I did a quick test with trying to enroll my Touch ID on my MacBook Pro and it’s giving me an error about “Your identity couldn’t be verified: This device doesn’t support the type of security key requested by this website”. I have yet to do any investigation/troubleshooting with this, but for the record I’m using Chrome 73.0.3683.75 with macOS 10.14.3 on my 2017 MacBook Pro.


#26

Quick update: The default Authentication Methods policy setting for new customers and newly-created policies allows all of Duo’s authentication methods including WebAuthn by default, but to ensure administrators are aware of their users’ authentication methods, customers with existing policies will need to enable the WebAuthn authentication methods.

I’ve updated the release notes post with this info as well. Thank you all very much for the speedy feedback and help here! It’s much appreciated!

@allendp:

I’m not sure if I ever realized before that options in the Global Policy have to be enabled in order for them to be “on” in the more specific policies, unless this is a unique behavior to this new feature set.

You do not need to enable the new authentication methods at a global level in order to be able to allow them in application or group policies. I’ve verified that nothing has changed regarding the policy engine here. If you are not seeing the authentication methods at a group or application level, it’s likely due to a conflicting assigned group policy or similar. I would recommend double-checking the Custom Policy documentation for reference: Policy & Control | Duo Security.

For that TouchID error, please make sure you’re following the specific TouchID enrollment process, not enrolling it as a Security Key: https://guide.duo.com/touch-id#touch-id-enroll. If you continue to have issues, please contact our Support Team so they can more deeply troubleshoot this issue with you.


#27

Just to be completely clear. I did see the authentication methods listed in our policies as options (both at the global and the group/application level). However, what I found is that enabling methods for WebAuthn at the group/application level did not seem to do anything until I also enabled them in the global policy. I can’t really experiment with this much since this is a production environment, but that’s definitely the behavior I saw. From what I can tell, the policy order (per: Policy & Control | Duo Security) for enabling WebAuthn did not take precedence when it was enabled in our group policies and only became enabled when I allowed it in our Global Policy. My assumption was that the global policy was always the lowest priority in the policy order, but that was not my experience for this setting. I don’t have a problem enabling it at the global level, but if that’s not the proper behavior I figured it was worth noting.

Thanks much. I’m definitely following the TouchID enrollment process and will likely be contacting the Support Team, but haven’t spent much time troubleshooting yet myself.


#28

Sorry I wasn’t clear in my original post. I have a specific application policy applied to our Device Management Portal that allows WebAuthn and TouchID. Our Global policy has these options unchecked. I wasn’t seeing U2F or Touch ID allowed in the Device Management Portal, even after trying with Chrome, reboots, clearing cookies, removing/adding the security key in Chrome, etc.

I came back a few hours later, logged in to the Device Management Portal (application that has a specific policy allowing WebAuthn and security keys) and noticed that I was able to use my U2F and Touch ID is listed. Seems like it took a couple of hours for this feature to apply to our tenant/account.

Good work on getting the WebAuthn support out there! Looking forward to testing with Touch ID in the next few days and Windows Hello later this year.


#29

I have followed your instructions and got to the point of the Use Security Key button, but every time I use the Use Security Key button I get an “Authentication failed. To try again, click the button, insert and tap your Security Key” message displayed at the bottom. It just loops; I never get the key to light up on the U2F key or am able to tap the security key.

Firefox version 66.0 (64-bit)


#30

Hi David,
Sorry to hear you’re having a frustrating experience with this. By any chance do you have multiple keys registered? We discussed this internally and are not aware of an issue like this unless you’re attempting an authentication using the wrong Security Key at the Duo Prompt.


#31

I looked in Duo Admin and I did have 2 after the upgrade, one of device type security key and the other WebAuthn security key. I have since deleted the WebAuthn security key. I also turned off WebAuthn as an authentication method, since it started asking users to upgrade their security key.

To be honest, I do not have time to work on this right now, I just thought it would be a quick thing. We do have some users who would like to use Firefox but have told them to use Chrome instead for the time being.