Safari 18.2 [MacOS / iOS / iPadOS] FIDO known issues


Yubico internal testing has found a pair of issues that occur during authentication with websites that use the YubiKey as a second factor (without a PIN) and request user verification as "discouraged". You can read more about user verification here.

In addition to some third-party websites and identity providers, the Yubico Enterprise Services console is affected by these issues.

Yubico is working with Apple to resolve the issues and will update this article as new information becomes available.

January 10, 2025 update: Apple's macOS 15.3 Beta 2 (24D5040f) and iOS/iPadOS 18.2 Beta 2 (22D5040d) releases contain fixes for both issues documented in this article. Please test within your environment, report any issues to Apple, and then inform Yubico, including your Apple issue/feedback identifier.


Issue 1

The first issue occurs on YubiKeys that have FIDO2 disabled, or on devices that support only U2F, such as the YubiKey 4 Series and earlier. With these devices, under certain circumstances, the browser will not respond when the YubiKey is inserted and tapped.

Issue 1 possible mitigations and workarounds

  1. Enable FIDO2:
    If the YubiKey supports FIDO2 and it is merely disabled, enabling FIDO2 mitigates this issue. See this article for instructions on how to enable FIDO2.
    Note: If a FIDO2 PIN was set before the FIDO2 application was disabled, enabling FIDO2 will trigger issue #2.
  2. Use a different browser:
    • On macOS, Chromium-based browsers are unaffected by this issue.
    • On iOS and iPadOS, all browsers on the platform are affected.
  3. Configure WebAuthn settings for the relying party:
    For organizations that use the YubiKey to authenticate against an identity provider with configurable WebAuthn settings, configuring that identity provider to prefer or require "user verification" works around this issue.
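
The "user verification" setting referred to in mitigation 3 is the `userVerification` member of the WebAuthn request options that a relying party hands to the browser. The example below is added here to illustrate it and is not Yubico's, Apple's or any identity provider's code: it builds the request options for a chosen policy and shows the matching server-side check, since a relying party that moves from "discouraged" to "preferred" or "required" should also read the UV flag in the returned authenticator data rather than trust the policy alone. The `rpId` value, the challenge bytes and the sample authenticator data are constructed for the example.

```javascript
// Added example (not Yubico's or Apple's code): request user verification in a
// WebAuthn assertion and verify on the server that it actually happened.

// Browser side: build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// `challenge` and `allowCredentialIds` normally come from the server; here they are
// constructed by the caller. `userVerification` is the policy from mitigation 3.
function buildRequestOptions(challenge, allowCredentialIds, userVerification) {
  const allowed = ["discouraged", "preferred", "required"];
  if (!allowed.includes(userVerification)) {
    throw new Error(`invalid userVerification policy: ${userVerification}`);
  }
  return {
    challenge,                 // Uint8Array of fresh random bytes, one per request
    rpId: "example.com",       // assumed relying-party ID for this example
    timeout: 60000,
    userVerification,          // "discouraged" is the second-factor setting the issues above affect
    allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Server side: parse the fixed 37-byte prefix of authenticatorData
// (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,  // UP bit: the user touched the key
    userVerified: (flags & 0x04) !== 0, // UV bit: PIN or biometric was checked
    signCount,
  };
}

// Decide whether an assertion satisfies the policy the relying party requested.
// "preferred" accepts either outcome; "required" rejects assertions without UV.
function assertionSatisfiesPolicy(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false; // UP is mandatory for every assertion
  if (userVerification === "required" && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

In a page script the options object is passed as `navigator.credentials.get({ publicKey: buildRequestOptions(challenge, ids, "preferred") })`; the server then runs `assertionSatisfiesPolicy` on the `authenticatorData` from the returned assertion. Note that with "preferred" a PIN-less key still authenticates, which is why it is the less disruptive setting when only issue 1 is being worked around.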

Issue 2

The second issue occurs on YubiKeys that have FIDO2 enabled and have a PIN set. With these devices, Safari always asks for a PIN during authentication, even if the relying party or website does not request user verification. If the PIN is known, this may simply be annoying. If the PIN has been forgotten, its suddenly being required will block authentication.

Issue 2 possible mitigations and workarounds

  1. Use a different browser:
    • On macOS, Chromium-based browsers are unaffected by this issue.
    • On iOS and iPadOS, all browsers on the platform are affected, so no workarounds are known at this time.