Firefox on Ubuntu cannot find my FIDO USB authenticator (whitelist issue)

[Gregory Gallagher]

Recently I was testing my company's FIDO USB authenticator on Ubuntu and found that it worked fine with Chrome and Edge browsers, but Firefox did not recognize it.

After much debugging and web searching, I discovered that Firefox is installed with Snap on Ubuntu and as such, it runs in a sandbox that restricts access to the hidraw library that Firefox uses to communicate with USB devices. For our authenticator to be accessible, it needs to be on special device whitelist that gets distributed through Snap updates. I learned about it from this link:

https://askubuntu.com/questions/1406921/allow-firefox-snap-access-to-usb-security-keys

Have others run into this issue, and is there any official guidance or process on how to do this? (I know that I need to add our authenticator's VID and PID to the whitelist.)

Also, I was surprised to have run into this issue and seen so little information about it. Are there other potholes out there lurking that might prevent our authenticator from working on particular platforms?

Thanks very much,

Greg Gallagher

[Isaiah Inuwa]

I don't have any other guidance for your company getting your device information whitelisted upstream by Canonical, but some context:

Flatpaks have a similar issue: browsers (both Chrome and Firefox) running in Flatpak do not have access to USB devices by default and cannot do WebAuthn ceremonies without allowing all USB devices through the sandbox. There is interest in creating an API for accessing FIDO authenticators via a Freedesktop Portal (cf. https://github.com/flatpak/xdg-desktop-portal/issues/989). If that API is implemented and adopted by distros and browsers, then this should be a way to let browsers access all authenticators without having to manage whitelists.

Isaiah Inuwa