Yubikey + O365/GlobalProtect - Safari limited window

grs177 · ‎10-05-2021

I’ve received feedback from Mac users that WebAuthn security key isn’t an option for Duo authentication when trying to log into applications like O365 and Global Protect. Both launch the native browser window for the OS (Safari being the native browser for Mac). The users get an error message when selecting their Yubikey that states “Requires Chrome, Firefox, Safari, or Edge to use security keys.”

From what I’ve gathered, all of these browsers now support security keys. Each user is running fully updated versions of Safari and can auth with their Yubikeys in every other situation other than when the native browser is called. Again, our biggest hitters being O365 and GlobalProtect.

What causes that option to not be available in this instance?

DuoKristina · ‎10-06-2021

It may be that those thick client applications use WKWebView, which has limitations not present in full Safari.

I found this explanation on Yubico’s site:

Question: Can I just use WKWebView inside my app for WebAuthn flow?

Answer : Apple does not support FIDO2 security keys for the WebAuthn flow using the WKWebView. You will need to rely on Safari browser, or embed the SFS afariViewController or ASWebAuthenticationSession into a native app.

Duo, not DUO.