[Bug] FIDO U2F Registration Fails when "Detect new usernames/passwords & offer to save them" active

EnerJi

Just picked up and started testing a couple of FIDO U2F security keys (the "blue" kind) after reading about increasingly sophisticated and brazen phishing and SIM-swapping (cellphone carrier social engineering) attacks. I've noticed an issue while testing against Yubico's demo site that I thought worth reporting, in case it impacts actual production sites as well.

Test site: https://demo.yubico.com/u2f

When the "Detect new usernames/passwords & offer to save them" preference is turned ON, FIDO U2F registration fails. The Yubikey never starts flashing, and the demo site eventually times out. I was able to resolve the issue in one of the following ways:

1) De-activating the 1Password beta extension
2) Leaving the extension ON but turning OFF the "Detect new usernames" setting
3) Leaving the "Detect new usernames" setting ON, but placing "demo.yubico.com" in the list of exempted domains for the above setting

I will continue testing with "actual" production sites and report back if I run into any other strange interaction issues.

---

1Password Version: 6.8 Beta-4
Extension Version: 4.6.7.2
OS Version: 10.11.6
Sync Type: 1Password Account

AGAlumB

@EnerJi: Thanks for reaching out about this. I'm sorry for the delay. I've moved your post to the browser filling category of the forum so it gets the attention of our team there, since it seems to be a browser integration interaction with the website. It seems like we're getting inconsistent results there. Please try the beta extension to see if that makes a difference:

1Password browser extensions (beta)

It may be a timing issue, since there seems to be some inconsistent behaviour on registration with or without the 1Password extension enabled. And knowing the browser version you're using may help as well. Let me know what you find! /cc @beyer @jxpx777

jxpx777

@EnerJi To add to what @brenty said, we have seen some issues where the autosave dialog gains focus from the browser and this can cause some Javascript events to be cancelled. For instance, if you enter a username and password and the extension tells 1Password to save, the 1Password window could pop up before the page has finished handling all of its events and when the pop up gains focus, the browser cancels the remaining events.

We have a delay for this in the extension, and we recently made some adjustments for it to behave a little more robustly. These are in the current beta, so please do give it a try and let us know if you continue to see any problems.

--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas

EnerJi

@brenty Thanks for moving my post - it seems most things I run across are application-related so I'm often not quite sure what needs to go in the browser extension forum. Sorry for my delay in responding as well.

@jxpx777 I'm running the 1Password Beta 4.6.8.1 extension (for Chrome stable on Mac), and they changes don't appear to have fixed the problem I'm seeing in the demo.yubico.com site.

That said, I haven't experienced problems with any other U2F sites as of yet, so this may be something that is specific to the Yubico demo site and a bit of a non-issue.

matthew_ag

Hey @EnerJi,

Thanks for trying out that new extension to see if it helped. From the sounds of it, there is some interaction between the browser and the 1Password app that is causing this issue - rather than just being caused by the extension on it's own. The delay that jxpx777 mentioned is where we delay sending the "autosave" message from the extension to the 1Password app to display the auto-save popup. The time we delay is 50ms and it could be possible that this delay is still too fast given that the web page is trying to also interact with a hardware key.

I will continue testing with "actual" production sites and report back if I run into any other strange interaction issues.

It would be wonderful to hear if this does have the same effect on other "production" sites that use this hardware key to understand if this problem is more widespread, thank you for offering to try that.

Looking forward to hearing back.

Best regards,
Matthew

EnerJi

It would be wonderful to hear if this does have the same effect on other "production" sites that use this hardware key to understand if this problem is more widespread, thank you for offering to try that.

I definitely will!

littlebobbytables

Thanks for keeping us informed @EnerJi :smile: It would be weird if in the end the only site we had compatibility issues with was the demo site but it would be a nice kind of weird if it means we work everywhere you need 1Password to work :lol: