Using hardware security tokens (Yubikeys) to log in to Azure AD with Firefox on Linux

Microsoft currently doesn't support FIDO2 logins with Firefox on Linux (they do support Chrome) and actively disables this in their login flow: the login page's client-side configuration marks FIDO as unsupported and leaves the FIDO login URL unset. Despite this, I have been able to make it work by patching those configuration variables in the page, using the following steps:

  1. Enroll a new key via Chrome.

  2. Return to Firefox and save the following bookmarklet (drag the code snippet to your bookmarks toolbar):

    javascript:(function()%7Bwindow.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3Bwindow.%24Config.fIsFidoSupported%3Dtrue%3Bwindow.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Bwindow.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Balert(%22Patched%20variables%20to%20support%20FIDO2%20login%22)%3B%7D)()%3B
    
  3. When presented with the Microsoft login portal, instead of entering a username, choose “Sign in options”. You should then be presented with two options to choose from, namely “Sign in with a security key” and “Sign in to an organization”.

  4. Before proceeding, run the bookmarklet.

  5. Then proceed with “Sign in with a security key” which, if all went right, should successfully prompt you through the complete hardware token authorization flow and log you in.

Once the manual bookmarklet works, you can automate the patching with a Tampermonkey userscript so the bookmarklet is no longer needed:

// ==UserScript==
// @name         Azure Firefox FIDO2 patch
// @namespace    https://nick.groenen.me/notes/using-hardware-security-tokens-to-log-in-to-azure-ad-with-firefox-on-linux/
// @version      1.0
// @description  Fixes FIDO2 login with Firefox on Linux by patching variables on the Azure login page
// @author       zoni
// @match        https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize*
// @match        https://login.microsoftonline.com/*/saml2?RelayState=*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';
    // Patch the same four $Config variables the bookmarklet patches.
    // Note: urlFidoLogin here carries a cobrandid query parameter (a tenant
    // co-branding identifier) that the bookmarklet above does not include.
    window.$Config.urlFidoLogin = "https://login.microsoft.com/common/fido/get?uiflavor=Web\u0026cobrandid=ed5d1924-9524-4e70-8f68-5ee5e35afbef";
    window.$Config.fIsFidoSupported = true;
    window.$Config.urlPost = "https://login.microsoftonline.com/common/login";
    window.$Config.urlPostAad = "https://login.microsoftonline.com/common/login";
})();
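Before dragging a bookmarklet that rewrites a login page's client-side configuration into your browser, it is worth decoding it and checking exactly which URLs it injects: the same trick would let a hostile snippet point `urlPost` at an attacker's host and harvest the credentials the page submits. The following is an added example (not code from the original post): it percent-decodes the bookmarklet above, extracts the `window.$Config` assignments, verifies that every URL is HTTPS on a Microsoft login host, and only then applies the patch to a `$Config`-like object. The host allowlist, the helper names and the plain-object stand-in for `window.$Config` are this example's own assumptions; it runs under Node.

```javascript
// Added example (not from the original post): audit a login-page patching
// bookmarklet before trusting it, then apply the same patch to a $Config-like
// object only if every injected URL points at an allowed Microsoft login host.
// The bookmarklet text is copied from the post; the allowlist, the helper
// names and the stand-in config object are this example's own assumptions.

const BOOKMARKLET =
  "javascript:(function()%7Bwindow.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3Bwindow.%24Config.fIsFidoSupported%3Dtrue%3Bwindow.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Bwindow.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Balert(%22Patched%20variables%20to%20support%20FIDO2%20login%22)%3B%7D)()%3B";

// Assumption: the only hosts the login flow should fetch FIDO options from
// or post credentials to.
const ALLOWED_HOSTS = new Set(["login.microsoft.com", "login.microsoftonline.com"]);

// Strip the javascript: scheme and percent-decode so the code can be read.
function decodeBookmarklet(bookmarklet) {
  if (!bookmarklet.startsWith("javascript:")) {
    throw new Error("not a javascript: bookmarklet");
  }
  return decodeURIComponent(bookmarklet.slice("javascript:".length));
}

// Pull out every `window.$Config.<name> = "<string>"` or `= true|false`
// assignment from the decoded source.
function extractConfigAssignments(code) {
  const re = /window\.\$Config\.(\w+)\s*=\s*(?:"([^"]*)"|(true|false))/g;
  const assignments = {};
  let m;
  while ((m = re.exec(code)) !== null) {
    assignments[m[1]] = m[2] !== undefined ? m[2] : m[3] === "true";
  }
  return assignments;
}

// Return the names of string-valued settings that are not an https URL on
// an allowed host (a non-URL string counts as disallowed too).
function findDisallowedUrls(assignments) {
  const bad = [];
  for (const [key, value] of Object.entries(assignments)) {
    if (typeof value !== "string") continue;
    let url;
    try {
      url = new URL(value);
    } catch (e) {
      bad.push(key);
      continue;
    }
    if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
      bad.push(key);
    }
  }
  return bad;
}

// Apply the assignments to a $Config-like object, refusing to touch it if
// any URL is off the allowlist. Returns a new object; the input is unchanged.
function applyFidoPatch(config, assignments) {
  const bad = findDisallowedUrls(assignments);
  if (bad.length > 0) {
    throw new Error("refusing to patch; disallowed URL in: " + bad.join(", "));
  }
  return Object.assign({}, config, assignments);
}

// Walk through the audit on the bookmarklet from the post.
const decoded = decodeBookmarklet(BOOKMARKLET);
const assignments = extractConfigAssignments(decoded);
console.log("decoded bookmarklet:\n" + decoded);
console.log("assignments:", assignments);
console.log("disallowed URLs:", findDisallowedUrls(assignments));
// Stand-in for window.$Config as the unpatched page would carry it (constructed).
const stubConfig = { fIsFidoSupported: false, urlFidoLogin: "", urlPost: "", urlPostAad: "" };
console.log("patched config:", applyFidoPatch(stubConfig, assignments));
```

To audit a different bookmarklet, replace `BOOKMARKLET` with its text; anything that assigns a `$Config` URL outside the allowlist (or over plain HTTP) is reported by name and `applyFidoPatch` refuses to run. The extraction regex deliberately only understands simple literal assignments; a snippet that builds its URLs dynamically shows up as having no assignments, which is itself a reason to read it by hand.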
