Chromium 110 (Brave, Chrome, Edge) extension webauthn issue

waf · January 4, 2023, 8:08am

after updating the number of iterations for the pbkdf2 to 200000 from the webvault, i get a “NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors” error from the edge extension when trying to log in using a yubikey. oddly, only edge has this issue. firefox and chrome both work just fine.

bw-admin · January 4, 2023, 9:52am

Hey @waf I haven’t bumped into that one yet but feel free to contact the support team at https://bitwarden.com/contact/ or drop a bug report on Github for review: Issues · bitwarden/clients · GitHub

cksapp · January 4, 2023, 4:29pm

FWIW I just made this change myself, was signed out of the web-vault and the MS Edge extension.
Once signed back in to the Edge extension was required for 2FA with my Yubikey 5C and was promptly logged in to my vault.

Can you verify that your browser and extension are up to date?

waf · January 5, 2023, 8:20am

yep, browser and extension are both up to date. i’m using the edge dev channel (v110.0.1587.1) and i also removed and re-installed the extension directly from the bitwarden site and the msft and chrome store.

billkach · February 8, 2023, 5:22am

I’m running into this same issue as of today on Brave browser, my browser and extension are both also up-to-date. I attempted a reinstall of the extension but this did not make a difference. Did anyone find a solution for this issue yet?

cyanide77 · February 8, 2023, 10:13am

same here today on Brave browser 1.48.158 (says latest) with Bw extension 2023.1.0
(was working fine for past weeks)

edge is OK and works fine with webauth

tested on old laptop with previous version of Brave and works OK 1.47.186

“not allowed error: webauthn is not supported on site with TLS certificate errors”

ive posted on the brave boards as it seems ok in previous brave build

waf · February 8, 2023, 10:41am

i was able to work around it by using a different form of mfa (e.g. google authenticator/authy)

cyanide77 · February 8, 2023, 10:58am

hi… thanks, yes, thats how i logged in for now, hopefully brave will fix it soon
i prefer everything logs out and prompts 2fa at each launch, the yubikey bio makes this quick and seemless (2fa codes are a pain in the ass… and i would usually opt to “dont ask again” as i cant be bothered with apps/codes unless required.

but at least for now its a workaround)

KDY · February 8, 2023, 11:42am

Same issue occurred in Chrome 110.0.5481.78 (chrome extension)

cyanide77 · February 8, 2023, 6:26pm

github.com/bitwarden/clients

[PS-2176] Open WebAuthn Prompt in New Tab for all browser extensions

bitwarden:master ← bitwarden:fix/chrome-110-webauthn

opened 04:57PM - 08 Feb 23 UTC

justindbaur

+2 -2

## Type of change ``` - [x] Bug fix - [ ] New feature development - [ …] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective Fix for WebAuthn being broken in any chromium 110, this makes it so that the WebAuthn prompt opens up in a new tab just like we do for Firefox and Safari. I am not totally sure if this will be fixed or is now the intended behavior, I will be filing an issue with chromium to find out that information, but in the meantime we should get this feature back to working for users. Additional context to reviewers: - WebAuthn Support was added [here](https://github.com/bitwarden/clients/pull/1379) - A mention of firefox NOT supporting webauthn in the iframe of browser extension [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1460986) - A mention of an enterprise policy introduced in chrome 110 that can disable the check [here](https://support.google.com/chrome/a/answer/7679408#webAth110) Fixes #4691 ## Code changes - **apps/browser/src/auth/popup/two-factor.component.ts:** Always set new tab option to true since the only browsers this did work on were chromium based ones. ## Screenshots ## Before you submit - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team

User12 · February 12, 2023, 3:45pm

Hi, this has happened to me on both edge and firefox.
Edge version - edge Version 110.0.1587.41
i removed and reinstalled the bitwarden extension but this did not fix it.
Moving over to firefox had the same issues

do we know if the reported fix from a few days ago has been rolled out?

cyanide77 · February 12, 2023, 4:00pm

My extension still shows 2023.1.0 forcing update shows nothing newer… So no bitwarden team hasn’t fixed it yet

toxaris · February 13, 2023, 10:29am

Yep, Im experience this issue aswell. Sadly Im using only Yubikeys and WebAuthen. Somewhat stuck if I dont add additional MFA methods

cyanide77 · February 13, 2023, 10:50am

yeh luckily im using totp as backup so can still get in using that for now

p.s your webvault & desktop app should still work fine, so you could log in and setup totp temporarily until they fix this (id of thought it would of been fixed by now, but seems low on their priority list)

Mikey_Crawford · February 13, 2023, 12:44pm

Same issue occurring here. No changes made to any settings. When I sign in to the Edge extension it immediately errors with “An error has occurred. NotAllowedError: WebAuthn is not supported on sites with TLS certfiicate errors”.

I can log on via the web fine with the same FIDO2 key.

Edge is 110.0.1587.41 (Official build) (64-bit)
Bitwarden Edge extensions in 2023.1.0

Also happening in Chrome browser 110.0.5481.77 (Official Build) (64-bit)
Bitwarden Edge extensions in 2023.1.0

Machine has been restarted

Thanks

CygnusAtratus · February 14, 2023, 1:13pm

Looks as if it is a consequence of:

https://lists.w3.org/Archives/Public/public-webauthn/2022Nov/0135.html

Maybe implies a TLS certificate problem with bitwarden.com as FIDO2 auth works with other sites.

kpiris · February 14, 2023, 1:55pm

It certainly is consequence of that.

Because I just started Google Chrome with –disable-features=DisableWebAuthnWithBrokenCerts and then WebAuthn on the extension works again

Davidz · February 14, 2023, 2:21pm

Just coming here to check because I have noticed this in the past few days, probably happened over the weekend on two copies of Chrome. Both up to date, on up to date computers running Windows 10 (Iobit’s Advanced System Care keeps them updated regularly). Fails with a Security Key by Yubico and a Yubikey 5. Also fails at work on Microsoft’s Edge “browser” (think it is called Edge) with both keys.

One workaround is to use an old Yubikey 4 which works fine, presumably because it is not using FIDO2.

Glad that I left various other ways of accessing my passwords enabled. I had to use TOTP once when I was at work and didn’t have a Yubikey 4 with me.

I also have email turned on, but that is via a Gmail account which has their Advanced Protection turned on and is not used too often, so I’m not concerned about that.

Presumably the Yubikey 5 fails because it is set up to use FIDO2 in preference. Not bothered to turn that off to check it.

bw-admin · February 14, 2023, 2:24pm

Thanks for your patience all, the team is working on this one: [PS-2176] Open WebAuthn Prompt in New Tab for all browser extensions by justindbaur · Pull Request #4695 · bitwarden/clients · GitHub

CygnusAtratus · February 14, 2023, 12:08am

Chromium: 110.0.5481.77 (Official Build) (64-bit)

Windows 10 x64 enterprise (22H2), Ubuntu 22.04

The newly release version of Chrome has broken WebAuthn for the bitwarden addin.
Gives the error:
“not allowed error: webauthn is not supported on site with TLS certificate errors”

Works if start Chrome with the flag:
–disable-features=DisableWebAuthnWithBrokenCerts