Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Rohkem teavet

How to stop Firefox from storing CAC PIN?

  • 2 vastust
  • 1 on selline probleem
  • 2 views
  • Viimati vastas cor-el

more options

I am working on setting up Firefox to use a CAC reader. In the process, it seems that Firefox stores my PIN. For example, in setting up the .dll to get Firefox to see the reader, I went to View Certificates to verify that they had been installed. Firefox (rightfully) asked me for my PIN and I entered.

I then went to a site that required the CAC and while it asked me for the certificate to use (correct), it failed to ask me for my PIN and logged me into the site.

I then closed the tab and went to another site and again, while it asked for the certificate, it didn't ask for the PIN.

I then closed Firefox completely (and all other browsers) and restarted, went to a site. It asks for the certificate but doesn't ask for the PIN.

I installed IE Tab v2 because some sites were refusing to recognize the card in the reader. After doing so, it found the card and asked me for the certificate...but not the PIN.

The only way to get Firefox to forget the PIN is to reboot the computer but as soon as you use your PIN, it is stored in Firefox.

This is an exceedingly huge security hole. The entire point of a CAC is that it requires two-step authentication. I need both the card and the PIN. If someone has my card and they go to a machine that hasn't been rebooted that I used, then they can access sites that require CAC login because Firefox has stored my PIN.

How do I get Firefox to not store the PIN? I should be asked every single time.

I am working on setting up Firefox to use a CAC reader. In the process, it seems that Firefox stores my PIN. For example, in setting up the .dll to get Firefox to see the reader, I went to View Certificates to verify that they had been installed. Firefox (rightfully) asked me for my PIN and I entered. I then went to a site that required the CAC and while it asked me for the certificate to use (correct), it failed to ask me for my PIN and logged me into the site. I then closed the tab and went to another site and again, while it asked for the certificate, it didn't ask for the PIN. I then closed Firefox completely (and all other browsers) and restarted, went to a site. It asks for the certificate but doesn't ask for the PIN. I installed IE Tab v2 because some sites were refusing to recognize the card in the reader. After doing so, it found the card and asked me for the certificate...but not the PIN. The only way to get Firefox to forget the PIN is to reboot the computer but as soon as you use your PIN, it is stored in Firefox. This is an exceedingly huge security hole. The entire point of a CAC is that it requires two-step authentication. I need both the card and the PIN. If someone has my card and they go to a machine that hasn't been rebooted that I used, then they can access sites that require CAC login because Firefox has stored my PIN. How do I get Firefox to not store the PIN? I should be asked every single time.

Valitud lahendus

Further investigation reveals the issue is leaving the CAC in the reader. If you have activated the cert with the PIN and leave the CAC in the reader and then go to another site, it asks for cert but since you have already put in the PIN, it won't ask again.

If you pull the CAC and put it back in before going to the site, it will ask you for the PIN again.

Loe vastust kontekstis 👍 0

All Replies (2)

more options

Valitud lahendus

Further investigation reveals the issue is leaving the CAC in the reader. If you have activated the cert with the PIN and leave the CAC in the reader and then go to another site, it asks for cert but since you have already put in the PIN, it won't ask again.

If you pull the CAC and put it back in before going to the site, it will ask you for the PIN again.

more options

Is there any Log Out button visible in the Certificate Manager under Security Devices when you select this device to log out from this device?

This might be a Windows feature where you unlock this device by entering the PIN and not a Firefox issue because in that case you would have to reenter the PIN after a restart like is required for the master password (log in to the Software Security Device).