u2f

[greyhorseman]

question is when, if ever, Firefox is going to support this standard fully and allow me to use my ubikeys?

[Daniel Veditz]

On Fri, Jan 26, 2018 at 6:06 PM, greyhorseman <trah...@gmail.com> wrote:

> question is when, if ever, Firefox is going to support this standard fully
> and allow me to use my ubikeys?
>

https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/

[greyhorseman]

Thanks for the link.

so we're talking 2 full releases and maybe 6-7 months? Am I at at least close to correct.

[Boris Zbarsky]

On 1/27/18 9:35 PM, greyhorseman wrote:
> so we're talking 2 full releases and maybe 6-7 months? Am I at at least close to correct.

According to <https://wiki.mozilla.org/RapidRelease/Calendar>, Firefox
60 should shop in about 3.5 months if nothing weird happens.

-Boris

[Daniel Veditz]

On Sat, Jan 27, 2018 at 6:35 PM, greyhorseman <trah...@gmail.com> wrote:

> so we're talking 2 full releases and maybe 6-7 months? Am I at at least
> close to correct.
>

If your question was truly "allow ME to use my ubikeys?" (emphasis mine)
then you can do that since Firefox 57, by changing some internal prefs.
https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/

If you question was more the "support this standard fully" part that's a
trick question. U2F is not a standard and even members of the group that
pushed it have implemented some things incompatibly (due to ambiguities in
the spec). The actual standard that grew out of it, Web Authentication,
seems pretty stable but it's not official yet. The published "Working
Draft (https://www.w3.org/TR/webauthn/) was updated in December, and the
Editors Draft has updates even more recent.

This spec flux also means that the answer to the first possible question
varies because different sites have implemented U2F based on different
versions of the spec so Firefox may not work even though both site and
browser nominally support it.

-Dan Veditz

[Kurt Roeckx]

On 28/01/2018 21:03, Daniel Veditz wrote:
> On Sat, Jan 27, 2018 at 6:35 PM, greyhorseman <trah...@gmail.com> wrote:
>
>> so we're talking 2 full releases and maybe 6-7 months? Am I at at least
>> close to correct.
>>
>
> If your question was truly "allow ME to use my ubikeys?" (emphasis mine)
> then you can do that since Firefox 57, by changing some internal prefs.
> https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/

I've tried this in 57 at that time and 58 this weekend on Linux without
getting it to work. So for sites I need to log in that support U2F I
currently need to use either the ESR version with the plugin or chromium.


Kurt

[J.C. Jones]

Our U2F support is incomplete, due to complexities with and ambiguities
related to the algorithm U2F uses to bypass the single-origin security
policy. I chose not to spend the time to implement that in favor of Web
Authentication.

The only big U2F property I am familiar with that our support doesn't
function for is Google Accounts, but I'm sure there are others. (It'd be
interesting to get a list. I'll take that to a different thread, though)

Kurt - So the webauthn support isn't working on Linux for you? The only
dependency is libudev, but there may be a hid profile somewhere needed. At
least one person on IRC reported that it didn't work on arch until
installing pcscd- but it was clearly something in the dependency tree, not
pcscd itself. If you find the answer, let me know... We need to nail that
down for the release notes.

Thanks,
J.C.

_______________________________________________
dev-platform mailing list
dev-pl...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

[greyhorseman]

On Sunday, January 28, 2018 at 3:03:54 PM UTC-5, Daniel Veditz wrote:

Thanks Dan,
I've done the hack in Firefox and it sill doesn't work. And I sure can't ask Google to help me totally stop using their browser which I'd like to do. But that said there are still a couple sites that I could use it on but I think they probably can't help - too small?

[Kurt Roeckx]

On Mon, Jan 29, 2018 at 09:36:15AM -0700, J.C. Jones wrote:
> The only big U2F property I am familiar with that our support doesn't
> function for is Google Accounts, but I'm sure there are others. (It'd be
> interesting to get a list. I'll take that to a different thread, though)

I've spend some time trying to figure out some of the problems.

u2f-host pointed out that it couldn't find any U2F device. strace
showed it tried to open /dev/hidraw* and I needed to give myself
write access to that file. After fixing that most things started
to work. It seems that chromium also stopped working and also
needed that permission change.

I was under the impression that
/lib/udev/rules.d/70-debian-uaccess.rules (part of the udev
package) should have fixed those permissions for me, and that that
used to work correctly. In stable I do get the correct
permissions.

The only other site I can't get working is facebook.

> Kurt - So the webauthn support isn't working on Linux for you? The only
> dependency is libudev, but there may be a hid profile somewhere needed. At
> least one person on IRC reported that it didn't work on arch until
> installing pcscd- but it was clearly something in the dependency tree, not
> pcscd itself. If you find the answer, let me know... We need to nail that
> down for the release notes.

I already had pcscd installed.


Kurt

[J.C. Jones]

OK, that seems to jive with the Fedora bug that needed u2f-hidraw-policy:

https://bugzilla.redhat.com/show_bug.cgi?id=1513968

Given that, ibhidapi-hidraw0 might be what's needed on Debian, but I
haven't tested it yet.

I've filed Bug 1434277
<https://bugzilla.mozilla.org/show_bug.cgi?id=1434277> to collect
information on Linux dependencies for the Firefox 60 release notes. Let's
take the analysis there for anyone up for helping us pin this down.

Thanks!
J.C.