Using hardware security tokens (Yubikeys) to log in to Azure AD with Firefox on Linux
Microsoft currently doesn’t support FIDO2 logins with Firefox on Linux (they do support Chrome) and actively disables this in their login flow. Despite this, I have been able to make it work using the following steps:
- Enroll a new key via Chrome.
- Return to Firefox and save the following bookmarklet (drag the code snippet to your bookmarks toolbar):

  ```
  javascript:(function()%7Bwindow.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3Bwindow.%24Config.fIsFidoSupported%3Dtrue%3Bwindow.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Bwindow.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Balert(%22Patched%20variables%20to%20support%20FIDO2%20login%22)%3B%7D)()%3B
  ```

- When presented with the Microsoft login portal, instead of entering a username, choose “Sign in options”. You should then be presented with two options, “Sign in with a security key” and “Sign in to an organization”.
- Before proceeding, run the bookmarklet.
- Then proceed with “Sign in with a security key”. If all went right, this should take you through the complete hardware token authorization flow and log you in.
If the above works, you can automate the patching with the following Tampermonkey userscript, which removes the need for the bookmarklet:

```javascript
// ==UserScript==
// @name         Azure Firefox FIDO2 patch
// @namespace    https://nick.groenen.me/notes/using-hardware-security-tokens-to-log-in-to-azure-ad-with-firefox-on-linux/
// @version      1.0
// @description  Fixes FIDO2 login with Firefox on Linux by patching variables on the Azure login page
// @author       zoni
// @match        https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize*
// @match        https://login.microsoftonline.com/*/saml2?RelayState=*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';
    // $Config is the settings object the login page ships inline; the four
    // fields below are the ones that gate the security-key option in the UI.
    window.$Config.urlFidoLogin = "https://login.microsoft.com/common/fido/get?uiflavor=Web\u0026cobrandid=ed5d1924-9524-4e70-8f68-5ee5e35afbef";
    window.$Config.fIsFidoSupported = true; // the login page sets this to false for Firefox on Linux
    window.$Config.urlPost = "https://login.microsoftonline.com/common/login";
    window.$Config.urlPostAad = "https://login.microsoftonline.com/common/login";
})();
```
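Before dragging a URL-encoded bookmarklet into your toolbar or installing a userscript that edits a login page, it is worth auditing exactly which `$Config` fields it touches. The following is an added example, not code from the original note: it decodes the bookmarklet above back to readable source, lists the `window.$Config` properties it assigns, and applies the same patch as a plain function that refuses to run when `$Config` is absent (for instance if the script fires before the page has finished loading). The function names are my own.

```javascript
// Bookmarklet string exactly as published in the note above.
const BOOKMARKLET = "javascript:(function()%7Bwindow.%24Config.urlFidoLogin%3D%22https%3A%2F%2Flogin.microsoft.com%2Fcommon%2Ffido%2Fget%3Fuiflavor%3DWeb%22%3Bwindow.%24Config.fIsFidoSupported%3Dtrue%3Bwindow.%24Config.urlPost%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Bwindow.%24Config.urlPostAad%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Flogin%22%3Balert(%22Patched%20variables%20to%20support%20FIDO2%20login%22)%3B%7D)()%3B";

// Turn a "javascript:" bookmarklet back into readable source so it can be
// reviewed before it is ever dragged into the bookmarks bar.
function decodeBookmarklet(bookmarklet) {
  const prefix = "javascript:";
  if (!bookmarklet.startsWith(prefix)) {
    throw new Error("not a javascript: bookmarklet");
  }
  return decodeURIComponent(bookmarklet.slice(prefix.length));
}

// Collect every window.$Config property the decoded source assigns, so a
// reviewer can confirm it only touches the FIDO-related fields named above.
function patchedConfigKeys(source) {
  const keys = new Set();
  const re = /window\.\$Config\.([A-Za-z0-9_]+)\s*=/g;
  let m;
  while ((m = re.exec(source)) !== null) keys.add(m[1]);
  return [...keys].sort();
}

// The same patch in plain form. It takes the config object as a parameter so
// it can be checked outside a browser, and it returns false instead of
// throwing when $Config is missing (hypothetical helper, not Microsoft's API).
function patchFidoConfig(config) {
  if (!config || typeof config !== "object") return false;
  config.urlFidoLogin = "https://login.microsoft.com/common/fido/get?uiflavor=Web";
  config.fIsFidoSupported = true;
  config.urlPost = "https://login.microsoftonline.com/common/login";
  config.urlPostAad = "https://login.microsoftonline.com/common/login";
  return true;
}

if (typeof window !== "undefined") {
  // In a browser: patch the live login page.
  console.log(patchFidoConfig(window.$Config) ? "patched" : "$Config not found");
} else {
  // In Node: print the decoded bookmarklet and the fields it changes for review.
  const src = decodeBookmarklet(BOOKMARKLET);
  console.log(src);
  console.log("assigns:", patchedConfigKeys(src).join(", "));
}
```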