Firefox 2fa Authenticator

[Desiderato Chouinard]

Ihad the google authenticator on my old phone and used only once for addons.mozilla, now after 6 months the site is asking me for my verification / security code and I have none, I just installed google authenticator in my new phone and there is no account in there.

Do you also use the Firefox Account in your Firefox browser for Sync? In other words, does this account show up on about:preferences#sync? If yes, you might be able to click manage account and turn off two-factor authentication.

The authenticatorAttachment read-only property of the PublicKeyCredential interface is a string that indicates the general category of authenticator used during the associated navigator.credentials.create() or navigator.credentials.get() call.

The authenticator is part of the device WebAuthn is running on (termed a platform authenticator), therefore WebAuthn will communicate with it using a transport available to that platform, such as a platform-specific API. A public key credential bound to a platform authenticator is called a platform credential.

The authenticator is not a part of the device WebAuthn is running on (termed a roaming authenticator as it can roam between different devices), therefore WebAuthn will communicate with it using a cross-platform transport protocol such as Bluetooth or NFC. A public key credential bound to a roaming authenticator is called a roaming credential.

Logging in with Firefox is currently not possible. When prompted for the authenticator the browser is simply redirected back to the login form. This appears to be due to the authenticator page trying to load a URL that gives a 404 status.

I assume there is functionality on the authenticator page to redirect back to the login form if it hits a 404. I did not encounter this issue with any chromium based browsers, as it appears the URL is not accessed there.

Logging in to Battle Net Account on Firefox and with a Authenticator attached is still broken. I reset the cache and ran a full clean Mozilla Firefox with no Addons/Extensions and after hitting logging in it still redirects back to login screen.

You can install an Extension in Edge, Chrome, or Firefox and use it as an authenticator. Click the image below to view the steps for setting up the Authenticator extension in Chrome, Firefox, or Edge.

I constantly reproduce this issue when more than half of the security code availability time has passed using Google Authenticator app installed on a Moto G6 device (Android 9). I was not able to reproduce this issue while using the Google Authenticator app installed on iPhone 13.1.2.

@vasilica -- can you narrow down steps to reproduce this on Android? Some thoughts that came up in triage: It only compares the current code and the previous code so you have around 60 seconds to get the code in before it will fail, and also the date & time on the devices need to be accurate.

@silvanocerza - Maybe you can try one workaround that succeed for me. I was logged with the account on multiple devices and initially I could login and logout fine with 2FA enabled. I did not manage to reproduce the steps that blocked me from logging in because the "Invalid two-step authentication code" was received when I tried to introduce the Google Authenticator code, but after logged out from the other devices and deleted all Cookies and Cache from the browser of the device on which the issue was occurring the code for 2FA was accepted as valid and I managed to login again.

Could you try seeing if this yields any results?

I have the same issue, the time on my Android phone (Samsung A40, fully updated) is set automatically, etc.

I've used both Google Authenticator & Microsoft Authenticator and while the already existing 2FA codes for other services work fine, the new one for Firefox fails.

However, when I add the 2FA secret to KeepassXC and setup TOTP there, KeepassXC does in fact generate correct codes.

This really confuses me since the algorithm behind both should be the same and the time is also equal.

Hi, I had the same issue and managed to solve this. I'd like to share my solution.

The problem is the desktop version (e.g Firefox browser on Windows) has bug so it won't work, no matter how many times I tried, it failed. But I found out it works when I do this on the Firefox app on my iPhone. Follow these steps:

Note: I haven't test it on Android, but I think it will work for FireFox app on Android too. The point is: the QR code that [ ] gives you is buggy, not work, so use the QR code that the Firefox app (on iOS or Android) gives you.

I also encountered this problem. Later I found that the clock on my computer is incorrect and for some reason it makes the site(accounts.firefox.com) thinks codes I entered are invalid. (The clock on my authenticator is correct.)

Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to continue supporting the Web Authentication (WebAuthn) specification.

Firefox for Android (Fenix) supports the Google Play Services FIDO2 authenticator for WebAuthn, which provides support for many compliant devices as well as built-in platform authenticators such as fingerprint sensors.

The FIDO2 authenticator requires the application have a valid signature by an approved signing key for WebAuthn to work. Under other circumstances, a SECURITY_ERROR is the most likely result. Mozilla worked with Google to add several signing keys to the allow-list; all of these signing keys are protected in hardware security modules as part of Mozilla's release infrastructure. This makes testing WebAuthn support on Android complex.

I might have misunderstood something about the passkey promises 1password made here. But it seems that the browser plugin hijacks all webauthn-calls rather than to emulate a proper CTAP authenticator.

In the Open Beta of saving and signing in with passkeys from 1Password, you will see a prompt appear from 1Password asking you if you would like to save the passkey you're creating into 1Password. You'll also see the same prompt if the 1Password in your browser detects that you have a passkey stored in your account for that website.

If you wish to use a passkey stored in another location or save it in another location other than 1Password such as iCloud Keychain or Google Password Manager, you can dismiss the 1Password prompts and the request will be forwarded to your device/browser's passkey provider method.

My point here is that a core mechanism, but not required mechanism of passkeys according to the spec, is CDA, which normally relies on CTAP(2). I would have wanted to be able to use 1password-passkeys in a CTAP-process as a CTAP authenticator to, for example, a CTAP client in a browser on a different device.

Hopefully using the 1password-binary as CTAP authenticator is on the roadmap (in combination with using the browsers built-in CTAP client)? And a setting to disable the webauthn/FIDO-hook to cater to the scenario where you might have 1password installed but for some reason do not want to use passkeys from 1password?

Firefox Nightly gets updated every day and as a consequence, the release notes for the Nightly channel are updated continuously to reflect features that have reached sufficient maturity to benefit from community feedback and bug reports.

Starting with Firefox 112, Nightly users on macOS and Linux can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator. It is expected to ship to all users in a future release.

Starting with Firefox 113, Nightly and early beta builds now behave similar to the other browsers when splitting a node (e.g., typing Enter to split a paragraph) and joining two nodes (e.g., typing Backspace at start of a paragraph to join the paragraph and the previous one) when using the built-in editor. When a node is split, the built-in editor creates new node after the original one, i.e., creates the right node. Similarly, when two nodes are joined, the built-in editor deletes the latter node and moves its children to end of the preceding node.

This new behavior can also be enabled by web apps themselves for all channels with a call of document.execCommand("enableCompatibleJoinSplitDirection", false, "false") (introduced in bug 1810663). This command is available only when designMode is set to "on" or there is at least one editable element which has contenteditable attribute, and the built-in editor has not handled the insertParagraph, delete, or forwardDelete command.

Starting with Firefox 113, the WebTransport API is now enabled in the Nightly channel, including RFC 9297 support. It's expected to ship to release in the near future. WebTransport is expected to see widespread use for media delivery and other applications. WebTransport is built on top of QUIC/HTTP3 and provides reliable streams and reliable and unreliable datagrams.

3a8082e126