Summary: Support already-enrolled U2F devices with Google Accounts for Web Authentication
Web Authentication is on track to ship in Firefox 60 [1]. It includes
support for already-deployed USB-connected FIDO U2F devices, and we intend
to ship with a spec extension feature implemented to support devices that
were already enrolled using the older U2F JavaScript API [2]. That feature
depends on Firefox supporting the older API's algorithm for relaxing the
same-origin policy [3], which is not completely implemented in Firefox [4].
It appears that many U2F JS API-compatible websites do not require the
cross-origin features currently unimplemented in Firefox, but notably the
Google Accounts service does: For historical reasons (being the first U2F
implementor) their FIDO App ID is "www.gstatic.com" [5] for logins to
"google.com" and its subdomains [6]. Interestingly, as the links to
Chromium's source code in [5] and [6] show, Chrome chooses to hardcode the
approval of this same-origin override rather than complete the
specification's algorithm for this domain.
As mentioned in the bug linked in [4], I have a variety of reservations
about the U2F JavaScript API's algorithm. I also recognize that Google
Accounts is the largest player in existing U2F device enrollments. The
purpose of the extension feature in [2] is to permit users who are already
using U2F devices to move seamlessly to Web Authentication -- and hopefully
also to be able to use browsers other than Chrome to do it.
After discussions with appropriate Googlers confirmed that the
"www.gstatic.com" origin used in U2F is being retired as part of their
change-over to Web Authentication, I propose to hard-code support in Gecko
to permit Google Accounts' cross-origin U2F behavior, the same way as
Chrome has. I propose to do this for a period of 5 years, until 2023, and
to file a bug to remove this code around that date. That would give even
periodically-used U2F-protected Google accounts ample opportunity to
re-enroll their U2F tokens with the new Web Authentication standard and
provide continuity-of-access. The code involved would be a small search
loop, similar to Chrome's in [6].
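To make the shape of such a check concrete, here is an added example of an AppID evaluation routine with a time-boxed, hard-coded Google Accounts exception. This is illustrative code written for this post, not Gecko's or Chromium's implementation. It assumes a simplified same-origin and registrable-domain (eTLD+1) rule in place of the full facet-list fetch from [3], uses a tiny constructed suffix list instead of the real Public Suffix List, takes the current year as a parameter so the sunset can be tested, and uses a constructed AppID path (only the host is compared).

```cpp
// Added example (not Gecko's or Chromium's code): a minimal model of the U2F
// AppID check with the time-boxed, hard-coded Google Accounts exception the
// post proposes. All URLs and the suffix list below are constructed.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class AppIdDecision {
  kSameOrigin,             // AppID host equals the calling origin's host
  kSameRegistrableDomain,  // AppID and caller share an eTLD+1 (assumed rule)
  kGoogleLegacyOverride,   // hard-coded www.gstatic.com -> google.com exception
  kRejected                // anything else, including non-https URLs
};

// Host of the hard-coded exception (from the post) and the year from which
// the override is refused (modelling the post's "until 2023").
static const char kLegacyGoogleAppIdHost[] = "www.gstatic.com";
static const int kLegacyGoogleSunsetYear = 2023;

static bool EndsWith(const std::string& s, const std::string& suffix) {
  return s.size() >= suffix.size() &&
         s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Extract the lower-cased host from an https:// URL. U2F AppIDs and facets
// must be https, so anything else fails the parse.
static bool ParseHttpsHost(const std::string& url, std::string& host) {
  static const std::string kScheme = "https://";
  if (url.compare(0, kScheme.size(), kScheme) != 0) return false;
  size_t end = url.find_first_of("/:?#", kScheme.size());
  host = url.substr(kScheme.size(),
                    end == std::string::npos ? std::string::npos
                                             : end - kScheme.size());
  for (char& c : host)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return !host.empty();
}

// Constructed stand-in for a public-suffix lookup: returns the registrable
// domain (eTLD+1) against a tiny hard-coded suffix list, not the real PSL.
static std::string RegistrableDomain(const std::string& host) {
  static const std::vector<std::string> kSuffixes = {"co.uk", "com", "org", "net"};
  for (const std::string& suffix : kSuffixes) {
    if (!EndsWith(host, "." + suffix)) continue;
    std::string rest = host.substr(0, host.size() - suffix.size() - 1);
    size_t dot = rest.rfind('.');
    std::string label = (dot == std::string::npos) ? rest : rest.substr(dot + 1);
    return label + "." + suffix;
  }
  return host;  // unknown suffix: treat the whole host as registrable
}

// Decide whether `appId` may be used by the page at `facetOrigin`.
// `currentYear` is passed in so the sunset is explicit and testable.
AppIdDecision EvaluateAppId(const std::string& facetOrigin,
                            const std::string& appId, int currentYear) {
  std::string facetHost, appIdHost;
  if (!ParseHttpsHost(facetOrigin, facetHost) || !ParseHttpsHost(appId, appIdHost))
    return AppIdDecision::kRejected;
  if (facetHost == appIdHost) return AppIdDecision::kSameOrigin;
  if (RegistrableDomain(facetHost) == RegistrableDomain(appIdHost))
    return AppIdDecision::kSameRegistrableDomain;
  // The exception: only the named AppID host, only for google.com and its
  // subdomains (note the leading dot, so "evilgoogle.com" does not match),
  // and only before the sunset year.
  if (currentYear < kLegacyGoogleSunsetYear &&
      appIdHost == kLegacyGoogleAppIdHost &&
      (facetHost == "google.com" || EndsWith(facetHost, ".google.com")))
    return AppIdDecision::kGoogleLegacyOverride;
  return AppIdDecision::kRejected;
}

int main() {
  // Constructed AppID path; only the host is compared.
  const std::string legacyAppId = "https://www.gstatic.com/example-legacy-appid.json";
  std::cout << "2018 accounts.google.com -> "
            << static_cast<int>(EvaluateAppId("https://accounts.google.com", legacyAppId, 2018))
            << "\n";
  std::cout << "2023 accounts.google.com -> "
            << static_cast<int>(EvaluateAppId("https://accounts.google.com", legacyAppId, 2023))
            << "\n";
  return 0;
}
```

Two points worth noting in the override branch: the subdomain test requires the leading dot, so a lookalike registrable domain ending in "google.com" does not qualify, and the sunset year is a hard input to the decision rather than a comment, so the code fails closed once the planned removal date passes even if the removal bug is forgotten.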
If we choose not to do this, Google Accounts users who currently have U2F
enabled will not be able to authenticate using Firefox until their existing
U2F tokens are re-enrolled using Web Authentication -- meaning not only
will Google need to change to the Web Authentication API, they will also
have to prompt users to go back through the enrollment ceremony. This
process is likely to take several years.
Tracking bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=webauthn
Spec:
https://www.w3.org/TR/webauthn/
Estimated target release: 60
Preference behind which this is implemented:
security.webauth.webauthn
DevTools support:
N/A
Support by other browser engines:
- Blink: In-progress
- Edge: In-progress
- WebKit: No public announcements
Testing:
Mochitests in-tree;
https://webauthn.io/;
https://webauthn.bin.coffee/;
https://webauthndemo.appspot.com/; Web Platform Tests in-progress
Cheers,
J.C. Jones and Tim Taubert
[1] https://groups.google.com/d/msg/mozilla.dev.platform/tsevyqfBHLE/lccldWNNBwAJ
[2] https://w3c.github.io/webauthn/#sctn-appid-extension and
    https://bugzilla.mozilla.org/show_bug.cgi?id=1406471
[3] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html
[4] https://groups.google.com/d/msg/mozilla.dev.platform/UW6WMmoDzEU/8h7DFOfsBQAJ and
    https://bugzilla.mozilla.org/show_bug.cgi?id=1244959
[5] https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc#30
[6] https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc#161