Problems with freezing SEB during login prompt via Microsoft OIDC and MFA about seb-win-refactoring HOT 16 CLOSED

@AntonT76 For a successful FIDO Identification to occur, Windows opens a Windows Hello window, which guides you through the process of inserting your Security Key and potentially entering a PIN.
Windows puts this window in the foreground and kind of freezes everything else.
For students to be able to authenticate with hardware tokens, which you should definitely support btw, you would probably have to just allow another the windows hello exe...
If I have time I'll test this.

from seb-win-refactoring.

I wouldn't ever have noticed so, but it could be. I'll test that if I have some time.

I wouldn't recommend my students a vendor locked or comparably insecure 2FA method.

from seb-win-refactoring.

I tested a bit earlier today. Although one process is started, it does not open the window required. I believe there is something missing in the config for CEF which results in this...

from seb-win-refactoring.

Thanks for the report. At first glance, there is nothing suspicious in the log files. You might find relevant information in the system event logs (Event Viewer > Windows Logs > Application). Apart from that, there's unfortunately not much we can do unless you provide a way to reliably reproduce the problem.

from seb-win-refactoring.

Dear @dbuechel

thank you for your answer. It looks like we have found the issue but we have to test it in detail: the user uses for authentication a YubiKey (https://www.yubico.com/der-yubikey/?lang=de). It seems to be that this authentication method will not work in our SEB settings ...

Do you have any experiences by using this keys in SEB?

thanks & br, Anton

from seb-win-refactoring.

Unfortunately not, but you might be able to get to the root of the issue by contacting the support of YubiKey.

from seb-win-refactoring.

Hi @strau0106

thank you very much for your advice. We also think that a special website is being accessed during the authentication process. So, we need to add this to the whitelist in SEB so that it is also permitted by SEB. But we have to test that.

However, we are still considering whether we should generally recommend students to obtain the second factor via app or SMS during exams if FIDO causes problems.

Best regards, Anton

from seb-win-refactoring.

If it were to be an issue with SEB blocking any application (which might well be, thanks indeed for the input @strau0106) then you should see that in the client log of the affected session.

For debugging, you could and should enable the live application log (see Security > Allow application log etc.) and then open the application log and check in real time as to whether SEB blocks anything in particular while trying to authenticate.

from seb-win-refactoring.

Did you check whether a particular window or process is not being suppressed by SEB? If you think that it is an issue with the browser engine, you could verify this by using the CEF sample application and test your use case with it: https://cef-builds.spotifycdn.com/index.html.

from seb-win-refactoring.

Gotta go get my windows testing device first, but will defo try.

from seb-win-refactoring.

PS: I couldn't reproduce the freezing. That could be MS. I tried with the YubiKey Demo Page.

from seb-win-refactoring.

Tested with the CEF sample application, I can successfully register and authenticate there. Seems to be an application blocking issue after all.

from seb-win-refactoring.

Thanks for following up and the information. In the end, we'd however need a reliable way to reproduce the issue, otherwise there's not much we can do. If SEB were to block a window or process, that should as mentioned be logged in the client logs.

from seb-win-refactoring.

from seb-win-refactoring.

This issue is stale because it has been open for 28 days with no activity. It will soon be closed automatically if there are no updates.

from seb-win-refactoring.

This issue was closed because it has been inactive for 14 days since being marked as stale.

from seb-win-refactoring.