Bug 263790 - www/chromium: Unable to use FIDO U2F
Summary: www/chromium: Unable to use FIDO U2F
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-chromium (Nobody)
Depends on:
Reported: 2022-05-05 09:50 UTC by Peter Jeremy
Modified: 2022-05-20 22:02 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (chromium)

Image (55.64 KB, image/png)
2022-05-16 17:10 UTC, Ismael Tisminetzky
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Jeremy freebsd_committer 2022-05-05 09:50:22 UTC
Running on a recent FreeBSD 13.1-STABLE, after upgrading to chromium-101.0.4951.41, I am unable to login to Google.

To reproduce:
1) Start chrome
2) visit https://www.google.com
3) Click on "Sign in" button in top right.
4) On the "Sign in" screen, enter username and click next
5) On the "Hi $NAME" screen, enter password and click next

At this point, I expect a "2-Step Verification" screen to appear and provide me with various options to provide a 2FA authentication.

Instead, there's a greyed-out "2-Step Verification" screen that has a moving blue bar continuously scrolling across the top.  It never reaches the point of actually requesting 2FA authentication.

I get the same behaviour on 2 different FreeBSD hosts (running similar 13.1-STABLE versions), using both packages and locally built ports.

There were no problems with chromium-99.0.4844.84
Comment 1 Peter Jeremy freebsd_committer 2022-05-07 23:44:40 UTC
The problem still exists with chromium-101.0.4951.54
Comment 2 Robert Nagy 2022-05-08 06:15:13 UTC

Which 2FA method is enabled on your account?

Tested, but could not reproduce yet with the default settings of Google.
Comment 3 Peter Jeremy freebsd_committer 2022-05-11 09:40:40 UTC
My default 2FA is a security key (like Yubikey).  In the past it would popup a prompt to "insert my security key and press the button" as well a providing an option to use an alternative 2FA.  (I haven't tried to actually key the security key working on FreeBSD lately).
Comment 4 Ismael Tisminetzky 2022-05-16 17:10:08 UTC
Created attachment 233967 [details]
Comment 5 Ismael Tisminetzky 2022-05-16 17:12:08 UTC

This is a real issue. The option to enable/disable Sign-In is not even there in the browser.

Port version: chromium: 101.0.4951.64
Comment 6 Robert Nagy 2022-05-16 17:36:55 UTC
Would you please try to use your 2fa key with another site to verify that
the fido code actually works in the browser?

Just trying to pinpoint where the issue is coming from.
Comment 7 Ismael Tisminetzky 2022-05-16 18:46:35 UTC
(In reply to Robert Nagy from comment #6)

I use Google Authenticator Android app for 2FA key. Also, I use it for other websites like Github with no issue. Beside, I'm having this issue with other accounts from google without 2fa having set. Not sure if this is only related with this browser.
Comment 8 Robert Nagy 2022-05-17 09:23:52 UTC
I've tested every possible 2FA with my google and account and all of them work
just fine. I suggest you try with a temporary profile, chromium --user-data-dir=/tmp/tempprofile and see if that works.

Just to make sure, you are not trying to use Sync or actually trying to Sign-in the browser itself?
Comment 9 Ismael Tisminetzky 2022-05-17 10:57:43 UTC
(In reply to Robert Nagy from comment #8)

Robert, You're missing the point. It's not the 2FA which is not working, it's the Sign-In button for Profile, in the browser itself.
Comment 10 Robert Nagy 2022-05-17 12:04:20 UTC
Browser sign-in has been disabled for a long time (years ago) because Google does not
allow it anymore.
Comment 11 Ismael Tisminetzky 2022-05-17 12:27:21 UTC
(In reply to Robert Nagy from comment #10)

I was using it on FreeBSD 12.3 with latest chromium. Until I did a fresh install with 13.1-RC6.
Comment 12 Ismael Tisminetzky 2022-05-18 13:16:53 UTC
(In reply to Robert Nagy from comment #10)
Anyway, thank you for your kind response.
Comment 13 Peter Jeremy freebsd_committer 2022-05-20 10:57:41 UTC
I've tried disabling my Yubikey and using an alternative 2FA method and I can login to Google successfully.  This is a regression because Chromium 99.x allowed me to choose a 2FA method whereas Chromium 100.x doesn't bring up the menu allowing me to choose an alternative.

I've tried attempting to add a security key via Chromium.  Working through, it reaches a popup that just spins, with or without the key installed:

Add a security key
You’ll see instructions in your browser window for adding your key to your account

I do regularly use a security key with Chrome (on Linux) but don't have any non-FreeBSD systems that I can easily test Chromium on.

I've tried using my security key to login to Github using Chromium on FreeBSD and it also fails in a similar way: It spins waiting for the security key.  I'm not sure if this is a regression because I haven't tried it previously.

I've tried doing some ktrace'ing and Chromium isn't attempting to even look for a security key in either case: In my case, the security key appears as /dev/uhid1 but:
* in the github login case, there are no accesses to /dev.
* in the Google "add a key" case, only /dev/null and /dev/urandom are accessed.

* in both cases, there are a number of access attempts to /sys/class/input/event* - which might make sense on Linux, but not FreeBSD.
* during a ktrace of Chromium starting, I did find an unsuccessful access attempt to /dev/fido - despite the name, that's actually the interface to watchdog(4).  I couldn't find the code that does that.
Comment 14 Robert Nagy 2022-05-20 11:37:31 UTC
(In reply to Peter Jeremy from comment #0)

Could you please go to chrome://flags and set `Enable the U2F Security Key API`
to Enabled and retry?
Comment 15 Peter Jeremy freebsd_committer 2022-05-20 12:25:10 UTC
This still relates to 101.0.4951.64.  I'm building 101.0.4951.67 and will provide an update later.

After explicitly enabling `Enable the U2F Security Key API` then I can use my security key with Github.

Unfortunately, I still can't add a security key to my Google account: I get to the popup:
Add a security key
You’ll see instructions in your browser window for adding your key to your account
and the security key starts flashing.  If I tap it, it stops flashing but it there are no "instructions" and the popup keeps spinning.  If I cancel and retry then I get a popup:
Couldn’t connect
Remove your key and reconnect it. Then try again.

Removing and reconnecting the key doesn't help.
Comment 16 Robert Nagy 2022-05-20 17:49:31 UTC
(In reply to Peter Jeremy from comment #15)

This is a deprecated feature that is going to get removed in next releases
of Chromium and the only thing that can be done is that sites need to move
to the webauthn framework.
Comment 17 Peter Jeremy freebsd_committer 2022-05-20 22:02:43 UTC
I realise `Enable the U2F Security Key API` will be removed soon.

I've updated to chromium-101.0.4951.67 and my security key has stopped working, even with Enable the U2F Security Key API` enabled.