Firefox 96 broke iCloud 2FA; 95.0.2 still works

I have two computers, a desktop and a laptop. A few days ago FF auto updated to 96.0 on the desktop. The laptop is still at 95.0.2 (thankfully I turned auto update off on that one.)

Now iCloud 2FA does not work on the desktop with FF 96.0.0. The six digit code is correctly sent to my iPhone but on the website in the browser, the 6 character box for entry does not appear and the error message is "Failed to verify your identity. Try again." See attached screen shot.

I disabled HTTP3 but this did nothing.

Version 95.0.2 works fine and I am able to log on to iCloud on it.

As you know, there is no way to roll back FF. I do not want to reinstall the old version and have to create another profile and lose all my settings!

Please confirm. Now I have to use Chrome on my desktop as the workaround, which I really don't want to do.

Thank you, Scott Keller

All Replies (5)

Chosen Solution

Hi Scott, there were some changes in Firefox 96 affecting cookies. Specifically, which ones are considered same site versus cross-site, and an HTTPS requirement for certain cases. (SameSite parameter, Fx96 Change)

This change seems to be causing cross-site sign-in issues on a number of sites. I don't know that iCloud uses cross-site/third party cookies, but it's possible.

Could you help test:

(1) Flush current site cookies

If you press Shift+F9 on that error page, Firefox should display the cookies set for that site. You can right-click any entry and Delete All.

(2) Toggle laxByDefault back to the Firefox 95 behavior

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

More info on about:config: Configuration Editor for Firefox. The moderators would like us to remind you that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future. But we need to test...

(B) In the search box in the page, type or paste laxByDefault and pause while the list is filtered

Firefox should list two preferences:

  • General policy: network.cookie.sameSite.laxByDefault
  • Site exceptions: network.cookie.sameSite.laxByDefault.disabledHosts

(C) Double-click the network.cookie.sameSite.laxByDefault preference to switch the value from true to false

Any difference with logging in?

Hi Jefferson,

Thank you so much for the prompt reply.

I turned HTTP3 back on.

I made the change to: (C) Double-click the network.cookie.sameSite.laxByDefault preference to switch the value from true to false

I successfully logged on to iCloud because the 6 character boxes are now there and I was able to enter the 6 digit code.

I will leave the setting to false.

Thank you so much for the work around. I appreciate it.

Scott

Thanks, Scott. If you have another moment:

Could you go back to the login page and check the cookies list again? One of the domains listed here is not set up for the change in Firefox, even though I think it's the same policy enforced in Chrome 80+ and Edge 86+. Maybe the developers can make an exception for that domain, or contact Apple and ask them to fix it -- if you can figure out which one is the culprit. I'm not sure it will be obvious...

Hi Jefferson,

With the config item "network.cookie.sameSite.laxByDefault" still set to False, there are two cookies with iCloud, and now one cookie is blank (https://idmsa.apple.com with the name X_APPLE.WEBAUTH.HSA.TRUST) and the other cookie (https://www.icloud.com with the name X_APPLE_WEB_KB-NTMQYX2X1LU04N48GIBNCZOZGE) is set to a long string of characters. See the attached screenshot. I would think that it is the idmsa.

Using Shift+F9 does not allow me to copy the information in the browser. I attached a screenshot. If that doesn't provide the information you want to see, let me know and suggest how I can capture whatever information you'd like to see.

Regards, Scott

Thanks, Scott. I think the important thing to note for the future is that the two domains that seem to need to share cookies are:

  • idmsa.apple.com
  • www.icloud.com
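
The cookie behaviour discussed in this thread, as an added example (not code from Mozilla, Apple or any poster): a simplified JavaScript model of when a browser attaches a cookie under lax-by-default, applied to the two hosts named above. It assumes the idmsa.apple.com sign-in content is loaded inside a page on www.icloud.com, approximates a "site" by the last two host labels, and uses hypothetical names (siteOf, cookieIsSent, signInScenario and the policy fields).

```javascript
// Added illustration: simplified model of SameSite cookie attachment.
// Assumption: a "site" is the last two host labels; real browsers use the
// Public Suffix List and also apply a short Lax exception for new cookies.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request: { topLevelHost, targetHost, topLevelNavigation, method }
// policy:  { laxByDefault, noneRequiresSecure } (hypothetical field names;
//          laxByDefault mirrors network.cookie.sameSite.laxByDefault)
function cookieIsSent(cookie, request, policy) {
  // A cookie with no SameSite attribute is Lax when the pref is true,
  // and behaves like None (sent everywhere) when it is false.
  const effective = cookie.sameSite ?? (policy.laxByDefault ? 'Lax' : 'None');
  // The HTTPS requirement: an explicit SameSite=None cookie must be Secure.
  // (Modelled here as "never sent"; a browser rejects it when it is set.)
  if (cookie.sameSite === 'None' && policy.noneRequiresSecure && !cookie.secure) {
    return false;
  }
  if (siteOf(request.topLevelHost) === siteOf(request.targetHost)) return true;
  if (effective === 'None') return true;
  // Lax cookies cross sites only on safe top-level navigations.
  if (effective === 'Lax') {
    return request.topLevelNavigation && ['GET', 'HEAD'].includes(request.method);
  }
  return false; // Strict: never sent cross-site
}

// Constructed scenario: a page on www.icloud.com embeds sign-in content
// from idmsa.apple.com, which submits the 2FA step from inside that frame.
function signInScenario() {
  const framed = { topLevelHost: 'www.icloud.com', targetHost: 'idmsa.apple.com',
                   topLevelNavigation: false, method: 'POST' };
  const prefTrue = { laxByDefault: true, noneRequiresSecure: true };
  const prefFalse = { laxByDefault: false, noneRequiresSecure: true };
  const bare = { sameSite: undefined, secure: true };   // no SameSite attribute
  const fixed = { sameSite: 'None', secure: true };     // server-side fix
  const insecureNone = { sameSite: 'None', secure: false };
  return {
    bareWithPrefTrue: cookieIsSent(bare, framed, prefTrue),
    bareWithPrefFalse: cookieIsSent(bare, framed, prefFalse),
    fixedWithPrefTrue: cookieIsSent(fixed, framed, prefTrue),
    insecureNoneWithPrefTrue: cookieIsSent(insecureNone, framed, prefTrue),
  };
}

console.log(signInScenario());
```

In this model, switching the preference to false restores the attribute-less cookie in the framed request, and so does a server that marks the cookie SameSite=None; Secure while the preference stays true.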