How to stop Firefox from storing CAC PIN?
I am working on setting up Firefox to use a CAC reader. In the process, it seems that Firefox stores my PIN. For example, in setting up the .dll to get Firefox to see the reader, I went to View Certificates to verify that they had been installed. Firefox (rightfully) asked me for my PIN and I entered.
I then went to a site that required the CAC and while it asked me for the certificate to use (correct), it failed to ask me for my PIN and logged me into the site.
I then closed the tab and went to another site and again, while it asked for the certificate, it didn't ask for the PIN.
I then closed Firefox completely (and all other browsers) and restarted, went to a site. It asks for the certificate but doesn't ask for the PIN.
I installed IE Tab v2 because some sites were refusing to recognize the card in the reader. After doing so, it found the card and asked me for the certificate...but not the PIN.
The only way to get Firefox to forget the PIN is to reboot the computer but as soon as you use your PIN, it is stored in Firefox.
This is an exceedingly huge security hole. The entire point of a CAC is that it requires two-step authentication. I need both the card and the PIN. If someone has my card and they go to a machine that hasn't been rebooted that I used, then they can access sites that require CAC login because Firefox has stored my PIN.
How do I get Firefox to not store the PIN? I should be asked every single time.
Wybrane rozwiązanie
Further investigation reveals the issue is leaving the CAC in the reader. If you have activated the cert with the PIN and leave the CAC in the reader and then go to another site, it asks for cert but since you have already put in the PIN, it won't ask again.
If you pull the CAC and put it back in before going to the site, it will ask you for the PIN again.
Przeczytaj tę odpowiedź w całym kontekście 👍 0Wszystkie odpowiedzi (2)
Wybrane rozwiązanie
Further investigation reveals the issue is leaving the CAC in the reader. If you have activated the cert with the PIN and leave the CAC in the reader and then go to another site, it asks for cert but since you have already put in the PIN, it won't ask again.
If you pull the CAC and put it back in before going to the site, it will ask you for the PIN again.
Is there any Log Out button visible in the Certificate Manager under Security Devices when you select this device to log out from this device?
This might be a Windows feature where you unlock this device by entering the PIN and not a Firefox issue because in that case you would have to reenter the PIN after a restart like is required for the master password (log in to the Software Security Device).