User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180503143129 Steps to reproduce: Site: https://webauthn.bin.coffee/ 1) press "Create Credential" 2) plug in my Yubikey NEO 3) wait until the Yubikey is listed in the Windows device manager 4) pressed the golden button on the Yubikey Windows 10 17134.1 Firefox 60.0 Yubikey NEO Actual results: Firefox shows an notification, registration / assertion request times out Expected results: The registration / assertion request finishes without failure or timeout. Everything works fine if the Yubiekey is plugged in before the registration / assertion request.

jcj, is this expected behavior?

It's not, and it's not immediately reproducible for me on my Windows 8 or Windows 10 machines. It might be something like Bug 1399298, perhaps. Perhaps Tim and I need to take a closer look at the way we're using Windows DeviceInfoSet [1]; there might be something subtle there that leads to hotplugged devices on some USB controllers not appearing. [1] https://github.com/jcjones/u2f-hid-rs/blob/6d62a6ff07ff1673286d069b9b59048dab233435/src/windows/winapi.rs#L76

I have the same issue and narrowed it down to the Yubikey NEO sending a corrupted ping response back, causing the u2f rust lib to ignore the device. This probably only happens if the device is in CCID+U2F mode (not just U2F mode). Between the ping request and response a bunch of CCID communication is done by windows (because the device was just inserted). The ping response actually contains bytes from these unrelated CCID packets rather than from the ping request. I've added an issue (more of a question actually since it's likely not a problem with the lib) at github a while ago: https://github.com/jcjones/u2f-hid-rs/issues/63. Also I've contacted yubico with USB packet logs and they said they would get back to me.

After discussions with Yubico, there is a bug / race condition that causes this in their devices when U2F_PING is used. As U2F_PING is not a necessary part of the protocol -- we use it as a double-check -- we should remove it from the state machines in u2f-hid-rs. We should also plan to uplift that change into 61 and ESR 60. I'm marking 60 as optional, as this is kind of a corner case, and we have so-far only seen it happen on Windows, although it sounds like it could occur on any platform. Tim, any chance you could put this patch together?

Comment on attachment 8975411 [details] Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj J.C. Jones [:jcj] has approved the revision. https://phabricator.services.mozilla.com/D1270

Pushed by ttaubert@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0f5b9cd3d710 Web Authentication - Don't use U2F_PING to initialize tokens r=jcj

Comment on attachment 8975411 [details] Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj Approval Request Comment [Feature/Bug causing the regression]: not a regression [User impact if declined]: there are multiple reports of a bad interaction with the current yubikey firmware that breaks webauthn on windows 10 for some people, it's a simple/safe fix and would be good to uplift [Is this code covered by automated tests?]: no [Has the fix been verified in Nightly?]: no [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: very low risk [String changes made/needed]: none [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: there are multiple reports of a bad interaction with the current yubikey firmware that breaks webauthn on windows 10 for some people, it's a simple/safe fix and would be good to uplift Fix Landed on Version: 62 Risk to taking this patch (and alternatives if risky): very low risk String or UUID changes made by this patch: none See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment on attachment 8975411 [details] Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj Fixes a bad interaction between Yubikeys and Web Authentication. Approved for 61.0b6.

Comment on attachment 8975411 [details] Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj sounds like a good fix for 60.1esr