Page MenuHomePhabricator
Create Task
Maniphest T286138

Cannot use NFC security keys with WebAuthn on iOS
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Register a YubiKey with FIDO U2F support via USB on a desktop browser on en.wikipedia.org
  • Try to log in with the key in Mobile Safari or the Wikipedia app on an iPhone with NFC

What happens?:
The mobile site says verification failed, while the desktop site says authentication was interrupted. The iOS app just says "Please touch your verification device ..." but doesn't recognize it either. The iOS native NFC / security key UI never shows up.

What should have happened instead?:
It should have recognized my security key via NFC.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc:
English Wikipedia, iPhone X, iOS 15.0, Mobile Safari / Wikipedia 6.8.1 (1815), YubiKey Security Key NFC

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Load WebAuthn RL modules on mobilemediawiki/extensions/WebAuthnREL1_35+20 -0
Load WebAuthn RL modules on mobilemediawiki/extensions/WebAuthnREL1_39+20 -0
Load WebAuthn RL modules on mobilemediawiki/extensions/WebAuthnREL1_38+20 -0
Load WebAuthn RL modules on mobilemediawiki/extensions/WebAuthnmaster+20 -0
Customize query in gerrit

Related Objects

Event Timeline

Alexiaa created this task.Jul 3 2021, 11:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 3 2021, 11:52 PM
Platonides added a project: MediaWiki-extensions-OATHAuth.Jul 3 2021, 11:58 PM
Alexiaa updated the task description. (Show Details)Jul 4 2021, 9:04 AM
Alexiaa updated the task description. (Show Details)
Alexiaa updated the task description. (Show Details)Jul 4 2021, 9:07 AM
Alexiaa renamed this task from Cannot use NFC security keys with WebAuthn in Mobile Safari or Wikipedia app on iOS to Cannot use NFC security keys with WebAuthn on iOS.Jul 4 2021, 9:11 AM
Alexiaa updated the task description. (Show Details)
Alexiaa updated the task description. (Show Details)
Reedy added a project: Mobile.Feb 17 2022, 3:33 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Stang subscribed.Oct 14 2022, 3:14 PM

Reproduced on Mobile view:

IMG_3770.PNG (1,124×2,309 px, 253 KB)
IMG_3771.PNG (1,124×2,316 px, 235 KB)

But it works fine when using desktop view.
iOS 15.7, YubiKey 5 NFC

alistair3149 mentioned this in T321708: MediaWiki should support passwordless login with passkeys.Dec 12 2022, 9:11 PM
alistair3149 subscribed.Dec 14 2022, 9:47 PM

I have a working theory that WebAuthn does not work on MobileFrontend because the ResourceLoader module is not loaded at all.
WebAuthn requires Javascript to complete the verification process.

I am unable to verify it on WMF production since I don't have OATH access, but I have done a similar experiment on a non-WMF wiki by logging into an account with WebAuthn enabled and Javascript disabled. It yields the same result as above. I will verify once again when I have OATH permission on WMF production.

If that is the case, it is a relatively easy fix. Just need a few lines in extension.json to make sure it loads on MobileFrontend:

"targets": [
	"desktop",
	"mobile"
]
gerritbot added a comment.Dec 14 2022, 9:55 PM

Change 868177 had a related patch set uploaded (by Alistair3149; author: Alistair3149):

[mediawiki/extensions/WebAuthn@master] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868177

gerritbot added a project: Patch-For-Review.Dec 14 2022, 9:55 PM
gerritbot added a comment.Dec 15 2022, 12:11 AM

Change 868177 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868177

gerritbot added a comment.Dec 15 2022, 12:13 AM

Change 868057 had a related patch set uploaded (by Reedy; author: Alistair3149):

[mediawiki/extensions/WebAuthn@REL1_39] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868057

gerritbot added a comment.Dec 15 2022, 12:13 AM

Change 868058 had a related patch set uploaded (by Reedy; author: Alistair3149):

[mediawiki/extensions/WebAuthn@REL1_38] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868058

gerritbot added a comment.Dec 15 2022, 12:13 AM

Change 868059 had a related patch set uploaded (by Reedy; author: Alistair3149):

[mediawiki/extensions/WebAuthn@REL1_35] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868059

gerritbot added a comment.Dec 15 2022, 12:37 AM

Change 868058 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@REL1_38] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868058

gerritbot added a comment.Dec 15 2022, 12:38 AM

Change 868057 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@REL1_39] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868057

gerritbot added a comment.Dec 15 2022, 12:42 AM

Change 868059 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@REL1_35] Load WebAuthn RL modules on mobile

https://gerrit.wikimedia.org/r/868059

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.17; 2023-01-02).Dec 15 2022, 2:01 AM
Tgr subscribed.Dec 21 2022, 10:54 PM

(This is another case of T127268: Dismantle ResourceLoader's "targets" system.)

Agusbou2015 subscribed.Mar 25 2023, 7:02 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 25 2023, 7:10 PM
alistair3149 closed this task as Resolved.May 4 2023, 12:36 AM
alistair3149 claimed this task.
Stang unsubscribed.May 7 2023, 10:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits