
Error: Windows Hello can only be used on Windows Edge with Windows 10

Open yapici opened this issue 4 years ago • 13 comments

I'm submitting a

  • [x] bug report
  • [ ] feature request

Background info

I'm trying to log in to Okta via a custom web application that uses okta-signin-widget. I'm getting this error after entering my credentials and approving the 2FA with my biometric key (i.e., USB Biometric Authenticator):

"Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance."

It works fine with phone 2FA.

Expected behavior

I expect the login to go through.

What went wrong?

Error: "Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance."

Your environment

  • Okta Sign-In Widget Version: 4.3.2
  • Browser: Chrome, Version 84.0.4147.125 (Official Build) (64-bit)
  • OS: macOS Catalina, Version 10.15.6
  • Language: JS, Vue

yapici avatar Aug 18 '20 23:08 yapici

@yapici To confirm, you are running on a macOS computer? What factor types have you enabled under Security > Multifactor in the Okta Admin UI?

aarongranick-okta avatar Aug 19 '20 00:08 aarongranick-okta

@aarongranick-okta, I am running this on a macOS computer. I have Okta Verify and Security Key or Biometric Authenticator with 'MacBook Touch ID' enabled.

yapici avatar Aug 19 '20 00:08 yapici

@yapici Try setting the webauthn feature to true as described here: https://github.com/okta/okta-signin-widget#feature-flags

aarongranick-okta avatar Aug 19 '20 00:08 aarongranick-okta

This helped. Now I don't get that error. I do get a different error though. When I enter my credentials, I get an alert box saying "You're using a security key that's not registered with this website." I click the 'Try again' button on the alert box, and it lets me choose either USB security key or Built-in sensor. I choose one, and get this error on the widget: "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client"

yapici avatar Aug 19 '20 17:08 yapici

@yapici can you please confirm that for the particular user you have enrolled the MacBook Touch ID as a 'webauthn' enrollment? Also, please make sure that you are using the same Chrome profile to verify that you enrolled the Touch ID with. Chrome ties the Chrome profile to the webauthn enrollment.

You can check for user enrollment in the admin UI or the user's end-user settings. If you are not sure, I would reset the existing enrollment and try a new enrollment just to be sure.

magizh-okta avatar Aug 19 '20 18:08 magizh-okta

@magizh-okta, the user is enrolled in MacBook Touch ID. They use the same Chrome session to log in to the system via the sign-in widget. Do you know if I have to add anything additional to my JS code to enable this?

yapici avatar Aug 19 '20 20:08 yapici

@yapici can you try accessing your Okta org URL and logging in as this user using webauthn to make sure that works? Can you also provide more context as to how you are hosting the SIW? Have you added the host URL to the trusted URLs?

magizh-okta avatar Aug 19 '20 21:08 magizh-okta

@magizh-okta, of course; context is important. I'm sorry for not providing more details earlier: We're using the SIW in a custom web app that is used within the company intranet. We use the SIW to get a session token first, then use that token to get an access token via @okta/okta-auth-js. We use the access token in our backend (Python) to authorize the user via the Okta oauth2/v1/introspect endpoint. The host URL is added to the trusted URLs list.

User can access the Okta org URL fine and can log in without any issues. They could also log in to other applications without an issue but none of the other applications are using the SIW.

yapici avatar Aug 19 '20 21:08 yapici

@yapici thanks for providing the context. Since the webauthn protocol ties the enrollment to the host URL, the current behavior is that you need to enroll from the same app URL in order to use it for verification for that app. Can you try deleting your enrollment and enrolling into webauthn from the same app?

magizh-okta avatar Aug 19 '20 23:08 magizh-okta

Thanks for the information @magizh-okta. Does this mean users cannot use their enrollment for multiple apps? We use Okta in our organization as the SSO service for multiple apps and our app is the only one that utilizes SIW. If I ask the users to re-enroll through our app, that will probably break their login for all the other applications. Besides, asking the whole user base to re-enroll via our app isn't feasible, as this is just one app among many within the organization. Is there a way to make it work with their existing enrollment? Users usually enroll via our organization's Okta page directly (i.e., https://<organization-name>.okta.com/enduser/settings.)

If using their existing enrollment isn't possible, we will just put a warning asking them to use their phone instead.

yapici avatar Aug 20 '20 21:08 yapici

I'm facing a very similar issue with my organization. Was there ever a solution found for this?

martin3walker avatar Nov 16 '21 12:11 martin3walker

[Screenshot: Windows Hello error page reading "Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance." with a "Back to sign in" link]

I'm having the same issue with one website; all the others work fine. I'm using the Microsoft Edge browser on Windows 11. I have tried to log in using multiple browsers (Chrome, Firefox, Opera) to no avail. I even tried to log in with a laptop (Edge) and my iPhone (Edge and Safari), same message. The company says it's not their issue, that it's on my end, but their website is the only one this happens on. I'm stumped.

dazandren avatar Oct 05 '23 20:10 dazandren

@yapici We also have some user reports of this issue. Do you remember the steps you took to resolve this? Is there a known fix for this?

gt-bb-0821 avatar Feb 08 '24 16:02 gt-bb-0821