On June 3, 2025, customers using FIDO2 two-factor authentication to access Secret Server Cloud experienced a login failure. The typical login flow involved:
This issue affected customers using FIDO2 security keys as their second factor in any federated or embedded authentication flow, regardless of identity provider. The login failure occurred without displaying an error to the user, making the problem harder to detect initially.
Users not relying on FIDO2, such as those using TOTP, mobile authenticators, or password-based authentication, were not affected.
A rollback was initiated and completed across all regions by 7:10 PM ET, restoring login functionality. Some users also regained access by temporarily removing FIDO2 from their accounts.
The incident was triggered by a change to the Permissions-Policy HTTP header during a recent deployment. Specifically, the directive interest-cohort=(), originally included to opt out of Google’s deprecated FLoC feature, was removed.
While the Permissions-Policy header itself remained present, it did not include explicit permission for required features, most importantly publickey-credentials-get, which governs browser access to WebAuthn APIs used by FIDO2 security keys.
Secret Server Cloud’s login experience utilizes iframes to render authentication panels. Modern browsers such as Chrome enforce stricter default restrictions for iframe-embedded content, requiring explicit delegation in the Permissions-Policy header to allow WebAuthn in cross-origin or nested iframes.
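The check below is an added example, not Delinea's code or its actual header: it parses a Permissions-Policy header the way a browser would and reports whether publickey-credentials-get is permitted for an embedded authentication origin. The header strings and the origins https://vault.example.com and https://auth.example.com are constructed placeholders.

```python
"""Evaluate a Permissions-Policy header for one feature and one origin.

Simplified structured-dictionary grammar (per the Permissions Policy spec):
  feature=*                  -> any origin
  feature=()                 -> no origin at all
  feature=self               -> the document's own origin only
  feature=(self "https://x") -> self plus the listed origins
A feature absent from the header falls back to its default allowlist; for
publickey-credentials-get that default is 'self', so a cross-origin iframe
gets nothing unless the header delegates it (the iframe's allow attribute
must delegate it as well; that attribute is not modelled here).
"""
import re

DEFAULT_ALLOWLIST = {"publickey-credentials-get": "self"}  # spec default

# Constructed headers: the first omits the WebAuthn feature entirely,
# the second delegates it to the embedded authentication origin.
INCIDENT_HEADER = "geolocation=(), camera=(), microphone=()"
FIXED_HEADER = ('geolocation=(), camera=(), microphone=(), '
                'publickey-credentials-get=(self "https://auth.example.com")')
TOP_ORIGIN = "https://vault.example.com"   # placeholder top-level page
IFRAME_ORIGIN = "https://auth.example.com"  # placeholder auth panel origin


def parse_permissions_policy(header: str) -> dict:
    """Return {feature: [allowlist entries]} with quotes and parens stripped."""
    policy = {}
    for item in header.split(","):
        feature, sep, value = item.strip().partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        tokens = re.findall(r'"[^"]*"|\S+', value)
        policy[feature.strip()] = [t.strip('"') for t in tokens]
    return policy


def feature_allowed(header: str, feature: str, origin: str, top_origin: str) -> bool:
    """True if the header's allowlist (or the spec default) covers origin."""
    allowlist = parse_permissions_policy(header).get(feature)
    if allowlist is None:
        allowlist = [DEFAULT_ALLOWLIST.get(feature, "*")]
    return any(e == "*" or e == origin or (e == "self" and origin == top_origin)
               for e in allowlist)


def webauthn_delegated_to_iframe(header: str) -> bool:
    """Would a FIDO2 prompt inside the auth iframe be permitted by this header?"""
    return feature_allowed(header, "publickey-credentials-get", IFRAME_ORIGIN, TOP_ORIGIN)
```

Running webauthn_delegated_to_iframe on each header reproduces the failure mode described above: the incident-style header silently denies the feature to the iframe, while the corrected header permits it.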
Because the publickey-credentials-get feature was not delegated via the Permissions-Policy header:
We sincerely apologize for the disruption and are committed to continuing to strengthen the reliability of our platform.