
Mobile login with security key fails
Closed, Duplicate | Public | BUG REPORT

Assigned To
None
Authored By
GorillaWarfare
Feb 13 2025, 4:34 PM
Referenced Files
F58395576: login-bug.mp4
Feb 13 2025, 4:45 PM
F58395558: login-bug.mp4
Feb 13 2025, 4:35 PM
F58395557: login-bug.ogg
Feb 13 2025, 4:34 PM

Description

Steps to replicate the issue (include links if applicable):

  • Enable two-factor authentication with a hardware security key
  • Enter username/password on mobile web (Pixel 7, Android v15, Chrome 133.0.6943.89)

What happens?:
After entering the username and password, I'm briefly sent to the prompt asking me to plug in and tap my security key. Before I'm able to do anything, I'm sent to an error page reading "Authentication process was interrupted. Please start the authentication process again." Tapping "reload" only repeats this issue, until ultimately I get a "too many sign-in attempts" error.

What should have happened instead?:
The page should wait for me to plug in my security key and then verify the 2FA.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Event Timeline

> Authentication process was interrupted. Please start the authentication process again

This likely means that an exception was thrown, because this is the message of the catch condition.

Most likely, this is because hardware security keys are domain-specific (T244088). This is one of the known problems of the current 'support' for hardware keys. When we switch to auth.wikimedia.org for all logins/registrations, this should no longer be an issue (if we were to ever reactivate WebAuthn/hardware key support).
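
The domain binding mentioned in the comment above, modelled as an added example (not code from this task or from MediaWiki): a WebAuthn credential is scoped to a relying-party ID, and a page can only use an RP ID that matches its own host or a parent domain of it. The hostnames, the `ToySecurityKey` class and the three-entry suffix set are constructed assumptions, and the localhost exception to the HTTPS rule is left out.

```javascript
// Constructed stand-in for the Public Suffix List (assumption for this example).
const PUBLIC_SUFFIXES = new Set(["example", "org", "com"]);

// WebAuthn rule: the RP ID must equal the origin's host or be a registrable
// domain suffix of it. A bare public suffix is never acceptable.
function rpIdAllowedForOrigin(origin, rpId) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;
  if (PUBLIC_SUFFIXES.has(rpId)) return false;
  const host = url.hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Hypothetical minimal model of a security key: credentials are stored per RP ID.
class ToySecurityKey {
  constructor() { this.credentials = new Map(); }

  // RP ID defaults to the origin's host, as in navigator.credentials.create().
  register(origin, rpId = new URL(origin).hostname) {
    if (!rpIdAllowedForOrigin(origin, rpId)) return "SecurityError";
    this.credentials.set(rpId, { id: "cred-" + (this.credentials.size + 1) });
    return "ok";
  }

  // Returns the error name a browser reports for navigator.credentials.get().
  getAssertion(origin, rpId = new URL(origin).hostname) {
    if (!rpIdAllowedForOrigin(origin, rpId)) return "SecurityError";
    if (!this.credentials.has(rpId)) return "NotAllowedError";
    return "ok";
  }
}

function demo() {
  const key = new ToySecurityKey();
  key.register("https://en.wiki.example"); // enrolled on one host only
  const results = {
    sameHost: key.getAssertion("https://en.wiki.example"),
    // Sibling host with its own default RP ID: no credential exists for it.
    siblingDefaultRpId: key.getAssertion("https://en.m.wiki.example"),
    // Sibling host claiming the other host's RP ID: rejected by the browser.
    siblingClaimsOtherRpId: key.getAssertion("https://en.m.wiki.example", "en.wiki.example"),
  };
  // One central login host: enrolment and login always share the same RP ID.
  key.register("https://auth.wiki.example");
  results.centralAuth = key.getAssertion("https://auth.wiki.example");
  return results;
}
```

Both failure modes reach the user as an aborted ceremony rather than a prompt that waits for the key, which is why a single login host removes the mismatch.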