info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts
4,439 views
Skip to first unread message
J.C. Jones
Mar 14, 2019, 2:12:24 PM3/14/19
to dev-platform
Web Authentication (WebAuthn) is our best technical response to
phishing, which is why we’ve championed it as a technology. All major
browsers either support it already, or have their support in-progress,
yet adoption by websites has been slow. The deprecated Javascript API
that WebAuthn replaces, the FIDO U2F API [0], is mostly confined to
Chromium-based browsers.
# tl;dr #
To make security keys work with Google Accounts in the near future, I
propose enabling our FIDO U2F API for google.com domains, controlled
by a whitelist preference. Waiting on Google Accounts to fully support
Web Authentication will probably take too long, since it’s Android
deployments which are holding them up.
# Background #
More than a year ago, I proposed here an interim solution to permit
Google Accounts to use existing FIDO U2F API credentials in Firefox
[1] which was implemented in Bug 1436078. We agreed then to implement
a hard-coded permission for Google Accounts when utilizing FIDO U2F
API credential support, whether that was via Web Authentication’s
backward compatibility extension, or via Firefox’s FIDO U2F API
support hidden behind the “security.webauth.u2f” preference.
We’ve recently learned that Google Accounts has slipped their schedule
for using Web Authentication to register new credentials. This delay
is attributed to security key support on Android being, for most
devices, non-upgradable. WebAuthn is backwards-compatible with
credentials produced by the FIDO U2F API. However, WebAuthn-produced
credentials cannot be used with the FIDO U2F API. Because of that,
credentials created using WebAuthn will never be usable on the
majority of FIDO U2F-only Android devices currently in circulation.
Due to this issue, there has been an unclear timeline communicated to
me for when Google Accounts will support registering security keys
using Web Authentication.
# Proposal #
It appears that if we want full security key support for Google
Accounts in Firefox in the near term, we need to graduate our FIDO U2F
API support from “experimental and behind a pref” to either “enabled
by default” or “enabled for specific domains by default.” I am
proposing the latter.
## Thorny issues in enabling our FIDO U2F API implementation ##
This is not as simple a decision as it might appear. Certainly we want
to encourage adoption of Web Authentication rather than the FIDO U2F
API. There have already been sad cases of well-known web properties
implementing the deprecated standard after we shipped WebAuthn [2].
There’s also the matter that we haven’t built-out the whole of the
FIDO U2F API.
Firefox’s implementation of the FIDO U2F API is deliberately incomplete:
First, we only implemented the optional Javascript version of the API,
not the required MessagePort implementation [3]. This is mostly
semantics, because everyone actually uses the JS API via a
Google-supplied polyfill called u2f-api.js. But the specification is
the specification.
Second, we do not perform the “Trusted Facet List” portions of the
“Determining if a Caller's FacetID is Authorized for an AppID”
algorithm [4] from the specification (we stop at step 3). It seems:
under-specified [5]; of dubious security/privacy advantage [6]; and
it’s rarely necessary [7].
I don’t intend to invest the engineering time to fix the above issues
(neither coding nor spec-wrangling). The anti-phishing future is Web
Authentication, and we should only care about getting Firefox users to
that future.
# Enabling the whole FIDO U2F API for Google Accounts #
Conventional wisdom says that the largest installed base of security
keys in-use remains with Google Accounts, whether via GSuite or public
accounts. It appears that the only way we get Firefox users of Google
Accounts fully able to use security keys is to enable FIDO U2F API
support so that said users can enroll via FIDO U2F API, and then
authenticate via … well, either. We will have to trust that Google
will roll out authentication-via-WebAuthn quickly for the sake of the
standard moving forward.
This also would solve a longstanding issue where users of Tor Browser
can’t enroll in Google Advanced Protection, despite the clear
advantages.
## What this looks like in code ##
First, I would change the existing security.webauth.u2f pref from
being enforced via WebIDL annotation to in-code checks.
Next, I propose to add a new pref:
pref("security.webauth.u2f_enabled_domains", “google.com“);
This would be a list of domain names that would be matched against the
caller, specifically: If one of the listed domains is a registrable
domain suffix of or is equal to [8] caller’s origin’s effective
domain, we’d enable the FIDO U2F API for that domain.
Finally, I would remove the “aOp == U2FOperation::Sign” check from
EvaluateAppID in WebAuthnUtil.cpp, permitting the Google override to
work for Register as well as Sign.
# Concluding thoughts #
As I’ve tried to establish, I’ve had reasons to resist shipping the
FIDO U2F API in Firefox, and I believe those reasons to be valid.
However, a multi-year delay for the largest security key-enabled web
property is, I think, unreasonable to push upon our users. We should
do what’s necessary to enable full security key support on Google
Accounts as quickly as is practical.
I’ve proposed here making the FIDO U2F API whitelist a pref. I can’t
say whether I would welcome adding more domains to it by default; I
think we’re going to have to take them on a case-by-case basis.
[0] I consistently say “FIDO U2F API” in order to disambiguate versus
the wire-protocol used to communicate with “FIDO U2F”-compatible
security keys, and the associated data formats. The overloading of
“FIDO U2F” or “U2F” is an easy source of confusion, and I want to be
clear here.
[1] https://groups.google.com/d/msg/mozilla.dev.platform/Uiu3fwnA2xw/201ynAiPAQAJ
[2] https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/
[3] https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#low-level-messageport-api
[4] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
[5] Under-specified meaning questions like: Where’s the CORS
preflight? What happens if that fails? Why isn’t the MIME type
registered with IANA? Etc, etc.
[6] The point of the FacetID algorithm for the web is to be a way to
completely bypass the single-origin security policy; WebAuthn adopted
a stricter origin “relaxing” mechanism [8].
[7] Google Accounts needed it in a very small way. Coding around it
was the point of last year’s post, and it was a ~15-line patch.
Facebook also needs it in a much more complex way, but I’ve heard they
don’t expect an issue re-enrolling users to move to WebAuthn.
[8] https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to
phishing, which is why we’ve championed it as a technology. All major
browsers either support it already, or have their support in-progress,
yet adoption by websites has been slow. The deprecated Javascript API
that WebAuthn replaces, the FIDO U2F API [0], is mostly confined to
Chromium-based browsers.
# tl;dr #
To make security keys work with Google Accounts in the near future, I
propose enabling our FIDO U2F API for google.com domains, controlled
by a whitelist preference. Waiting on Google Accounts to fully support
Web Authentication will probably take too long, since it’s Android
deployments which are holding them up.
# Background #
More than a year ago, I proposed here an interim solution to permit
Google Accounts to use existing FIDO U2F API credentials in Firefox
[1] which was implemented in Bug 1436078. We agreed then to implement
a hard-coded permission for Google Accounts when utilizing FIDO U2F
API credential support, whether that was via Web Authentication’s
backward compatibility extension, or via Firefox’s FIDO U2F API
support hidden behind the “security.webauth.u2f” preference.
We’ve recently learned that Google Accounts has slipped their schedule
for using Web Authentication to register new credentials. This delay
is attributed to security key support on Android being, for most
devices, non-upgradable. WebAuthn is backwards-compatible with
credentials produced by the FIDO U2F API. However, WebAuthn-produced
credentials cannot be used with the FIDO U2F API. Because of that,
credentials created using WebAuthn will never be usable on the
majority of FIDO U2F-only Android devices currently in circulation.
Due to this issue, there has been an unclear timeline communicated to
me for when Google Accounts will support registering security keys
using Web Authentication.
# Proposal #
It appears that if we want full security key support for Google
Accounts in Firefox in the near term, we need to graduate our FIDO U2F
API support from “experimental and behind a pref” to either “enabled
by default” or “enabled for specific domains by default.” I am
proposing the latter.
## Thorny issues in enabling our FIDO U2F API implementation ##
This is not as simple a decision as it might appear. Certainly we want
to encourage adoption of Web Authentication rather than the FIDO U2F
API. There have already been sad cases of well-known web properties
implementing the deprecated standard after we shipped WebAuthn [2].
There’s also the matter that we haven’t built-out the whole of the
FIDO U2F API.
Firefox’s implementation of the FIDO U2F API is deliberately incomplete:
First, we only implemented the optional Javascript version of the API,
not the required MessagePort implementation [3]. This is mostly
semantics, because everyone actually uses the JS API via a
Google-supplied polyfill called u2f-api.js. But the specification is
the specification.
Second, we do not perform the “Trusted Facet List” portions of the
“Determining if a Caller's FacetID is Authorized for an AppID”
algorithm [4] from the specification (we stop at step 3). It seems:
under-specified [5]; of dubious security/privacy advantage [6]; and
it’s rarely necessary [7].
I don’t intend to invest the engineering time to fix the above issues
(neither coding nor spec-wrangling). The anti-phishing future is Web
Authentication, and we should only care about getting Firefox users to
that future.
# Enabling the whole FIDO U2F API for Google Accounts #
Conventional wisdom says that the largest installed base of security
keys in-use remains with Google Accounts, whether via GSuite or public
accounts. It appears that the only way we get Firefox users of Google
Accounts fully able to use security keys is to enable FIDO U2F API
support so that said users can enroll via FIDO U2F API, and then
authenticate via … well, either. We will have to trust that Google
will roll out authentication-via-WebAuthn quickly for the sake of the
standard moving forward.
This also would solve a longstanding issue where users of Tor Browser
can’t enroll in Google Advanced Protection, despite the clear
advantages.
## What this looks like in code ##
First, I would change the existing security.webauth.u2f pref from
being enforced via WebIDL annotation to in-code checks.
Next, I propose to add a new pref:
pref("security.webauth.u2f_enabled_domains", “google.com“);
This would be a list of domain names that would be matched against the
caller, specifically: If one of the listed domains is a registrable
domain suffix of or is equal to [8] caller’s origin’s effective
domain, we’d enable the FIDO U2F API for that domain.
Finally, I would remove the “aOp == U2FOperation::Sign” check from
EvaluateAppID in WebAuthnUtil.cpp, permitting the Google override to
work for Register as well as Sign.
# Concluding thoughts #
As I’ve tried to establish, I’ve had reasons to resist shipping the
FIDO U2F API in Firefox, and I believe those reasons to be valid.
However, a multi-year delay for the largest security key-enabled web
property is, I think, unreasonable to push upon our users. We should
do what’s necessary to enable full security key support on Google
Accounts as quickly as is practical.
I’ve proposed here making the FIDO U2F API whitelist a pref. I can’t
say whether I would welcome adding more domains to it by default; I
think we’re going to have to take them on a case-by-case basis.
[0] I consistently say “FIDO U2F API” in order to disambiguate versus
the wire-protocol used to communicate with “FIDO U2F”-compatible
security keys, and the associated data formats. The overloading of
“FIDO U2F” or “U2F” is an easy source of confusion, and I want to be
clear here.
[1] https://groups.google.com/d/msg/mozilla.dev.platform/Uiu3fwnA2xw/201ynAiPAQAJ
[2] https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/
[3] https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#low-level-messageport-api
[4] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
[5] Under-specified meaning questions like: Where’s the CORS
preflight? What happens if that fails? Why isn’t the MIME type
registered with IANA? Etc, etc.
[6] The point of the FacetID algorithm for the web is to be a way to
completely bypass the single-origin security policy; WebAuthn adopted
a stricter origin “relaxing” mechanism [8].
[7] Google Accounts needed it in a very small way. Coding around it
was the point of last year’s post, and it was a ~15-line patch.
Facebook also needs it in a much more complex way, but I’ve heard they
don’t expect an issue re-enrolling users to move to WebAuthn.
[8] https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to
Alex Gaynor
Mar 14, 2019, 2:25:05 PM3/14/19
to J.C. Jones, dev-platform
There are a lot of good reasons to oppose this:
- This is a very frustrating _expansion_ of non-standard APIs, more than a
year after we shipped the W3C standard API
- It'll put pressure on other browsers, which were only implementing
webauthn, to also support u2f.js
- It'll prolong the period of having multiple APIs, which I think
contributes to a lot of confusion about the ecosystem
- Once we have the whitelist, there will doubtlessly be other websites who
ask to be placed on it, giving them an excuse to not migrate to webauthn
Having said all of those -- which are real and true -- there's one
overriding concern: phishing, particularly moderately-sophisticated
phishing which can handle forms of 2FA such as TOTP, SMS, or push, is a
scourge. It is brutally effective, and far too cheap to scale. If this is
the price we need to pay to give our users the protections of security
keys, it's worth it. Further, support by default in more browsers will
hopefully be a good thing for ecosystem wide security key adoption.
I desperately hope some combination of Google Accounts, Android, and Chrome
have a strategy for migrating Google Accounts to webauthn before all these
older Androids cycle out. But in the meantime, I don't think it's fair that
that block our users from phishing resilient authenticators. Thanks for
putting this together JS.
Alex
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
- This is a very frustrating _expansion_ of non-standard APIs, more than a
year after we shipped the W3C standard API
- It'll put pressure on other browsers, which were only implementing
webauthn, to also support u2f.js
- It'll prolong the period of having multiple APIs, which I think
contributes to a lot of confusion about the ecosystem
- Once we have the whitelist, there will doubtlessly be other websites who
ask to be placed on it, giving them an excuse to not migrate to webauthn
Having said all of those -- which are real and true -- there's one
overriding concern: phishing, particularly moderately-sophisticated
phishing which can handle forms of 2FA such as TOTP, SMS, or push, is a
scourge. It is brutally effective, and far too cheap to scale. If this is
the price we need to pay to give our users the protections of security
keys, it's worth it. Further, support by default in more browsers will
hopefully be a good thing for ecosystem wide security key adoption.
I desperately hope some combination of Google Accounts, Android, and Chrome
have a strategy for migrating Google Accounts to webauthn before all these
older Androids cycle out. But in the meantime, I don't think it's fair that
that block our users from phishing resilient authenticators. Thanks for
putting this together JS.
Alex
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
Daniel Veditz
Mar 14, 2019, 3:23:23 PM3/14/19
to Alex Gaynor, J.C. Jones, dev-platform
On Thu, Mar 14, 2019 at 11:25 AM Alex Gaynor <aga...@mozilla.com> wrote:
> one overriding concern: phishing, particularly moderately-sophisticated
> phishing which can handle forms of 2FA such as TOTP, SMS, or push, is a
> scourge.
TOTP was never much defense against phishing, just password compromise
> one overriding concern: phishing, particularly moderately-sophisticated
> phishing which can handle forms of 2FA such as TOTP, SMS, or push, is a
> scourge.
(shoulder surfing, site breaches). In the late 90's AOL support techs were
regularly phished for their RSA-fob tokens by people trying to get into
AOLs systems. WebAuthn is solving a very real and very old problem.
-Dan Veditz
devsnek
Mar 14, 2019, 5:31:14 PM3/14/19
to
On Thursday, 14 March 2019 13:12:24 UTC-5, JC Jones wrote:
> However, a multi-year delay for the largest security key-enabled web
> property is, I think, unreasonable to push upon our users. We should
> do what’s necessary to enable full security key support on Google
> Accounts as quickly as is practical.
If this is how you feel, encourage Google to fix the problem. This isn't Firefox's fault, Firefox is doing the right thing by supporting standardized APIs instead of "whatever Google uses". It's incredibly frustrating and demoralizing to see web standards being undermined in this way.
> However, a multi-year delay for the largest security key-enabled web
> property is, I think, unreasonable to push upon our users. We should
> do what’s necessary to enable full security key support on Google
> Accounts as quickly as is practical.
Robert O'Callahan
Mar 14, 2019, 5:48:39 PM3/14/19
to devsnek, dev-platform
On Fri, Mar 15, 2019 at 10:35 AM devsnek <fluffyro...@gmail.com>
wrote:
> If this is how you feel, encourage Google to fix the problem. This isn't
> Firefox's fault, Firefox is doing the right thing by supporting
> standardized APIs instead of "whatever Google uses". It's incredibly
> frustrating and demoralizing to see web standards being undermined in this
> way.
>
Mozilla people know this and I'm sure they've made every effort to
"encourage" Google. It's up to you, and whoever else you can organize, to
exert whatever additional pressure you can on Google (on this and similar
issues).
Rob
--
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy ot
mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil eht. Efil
fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah ruo dna ta
dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh evah ew
hcihw, gninnigeb eht morf saw hcihw taht.
wrote:
> If this is how you feel, encourage Google to fix the problem. This isn't
> Firefox's fault, Firefox is doing the right thing by supporting
> standardized APIs instead of "whatever Google uses". It's incredibly
> frustrating and demoralizing to see web standards being undermined in this
> way.
>
"encourage" Google. It's up to you, and whoever else you can organize, to
exert whatever additional pressure you can on Google (on this and similar
issues).
Rob
--
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy ot
mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil eht. Efil
fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah ruo dna ta
dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh evah ew
hcihw, gninnigeb eht morf saw hcihw taht.
acze...@google.com
Mar 14, 2019, 7:22:21 PM3/14/19
to
Hi there,
Chiming in from Google. This has nothing to do with our level of motivation (which is high btw). This has to do with OEM burned-in images on Android devices that have already shipped and the lifecycle of these devices out in the field. Without going into too many details, in order to not lock users out of their devices, we cannot switch u2f register to webauthn create() until there is sufficient churn in Android devices. You can expect webauthn get() to come much much sooner, as that is not impacted.
Again, this is only happening because of how the code that adds accounts is burned into certain devices. There are not any other websites, that I'm aware of, that are in a similar unfortunate situation.
And so I'm hoping (and strongly believe) that this move would not encourage more usages of u2f (over webauthn).
Thanks,
-Alexei
Chiming in from Google. This has nothing to do with our level of motivation (which is high btw). This has to do with OEM burned-in images on Android devices that have already shipped and the lifecycle of these devices out in the field. Without going into too many details, in order to not lock users out of their devices, we cannot switch u2f register to webauthn create() until there is sufficient churn in Android devices. You can expect webauthn get() to come much much sooner, as that is not impacted.
Again, this is only happening because of how the code that adds accounts is burned into certain devices. There are not any other websites, that I'm aware of, that are in a similar unfortunate situation.
And so I'm hoping (and strongly believe) that this move would not encourage more usages of u2f (over webauthn).
Thanks,
-Alexei
jona...@titanous.com
Mar 14, 2019, 8:14:47 PM3/14/19
to
On Thursday, March 14, 2019 at 7:22:21 PM UTC-4, acze...@google.com wrote:
> Hi there,
>
> Chiming in from Google. This has nothing to do with our level of motivation (which is high btw). This has to do with OEM burned-in images on Android devices that have already shipped and the lifecycle of these devices out in the field. Without going into too many details, in order to not lock users out of their devices, we cannot switch u2f register to webauthn create() until there is sufficient churn in Android devices. You can expect webauthn get() to come much much sooner, as that is not impacted.
>
> Again, this is only happening because of how the code that adds accounts is burned into certain devices. There are not any other websites, that I'm aware of, that are in a similar unfortunate situation.
Hi Alexei,
> Hi there,
>
> Chiming in from Google. This has nothing to do with our level of motivation (which is high btw). This has to do with OEM burned-in images on Android devices that have already shipped and the lifecycle of these devices out in the field. Without going into too many details, in order to not lock users out of their devices, we cannot switch u2f register to webauthn create() until there is sufficient churn in Android devices. You can expect webauthn get() to come much much sooner, as that is not impacted.
>
> Again, this is only happening because of how the code that adds accounts is burned into certain devices. There are not any other websites, that I'm aware of, that are in a similar unfortunate situation.
Thanks for the info, can you provide some more detail?
1) Is it impossible to update the devices in question or is the OEM just not shipping updates?
2) What workarounds are available on Google's side to resolve this issue without including this ugly hack in Firefox, and why haven't they been deployed?
3) Why are we just finding about this now, in 2019, long after all of the bits for WebAuthn have shipped? It's not like WebAuthn was a surprise on the roadmap, we have been steadily moving towards it for many years now in an ecosystem that Google created.
Jonathan
Henri Sivonen
Mar 21, 2019, 10:08:10 AM3/21/19
to dev-platform
On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones <j...@mozilla.com> wrote:
> It appears that if we want full security key support for Google
> Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> API support from “experimental and behind a pref”
I think it's problematic to describe something as "experimental" if
> It appears that if we want full security key support for Google
> Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> API support from “experimental and behind a pref”
it's not on path to getting enabled. "Experimental and behind a pref"
sounds like it's on track to getting enabled, so simultaneously 1)
sites have a reason to believe they don't need to do anything for
Firefox, since for now users can flip a pref and the feature is coming
anyway and 2) still the feature doesn't actually work by default for
users, and, considering the penalty of using an experimental feature
where the experiment fails is getting locked out of an account for
this particular feature.
So I think it's especially important to move *somewhere* from the
"experimental and behind a pref" state: Either to interop with Chrome
to the extent required by actual sites (regardless of what's de jure
standard) or to clear removal so that the feature doesn't look like
sites should just wait for it to get enabled and that the sites expect
the user to flip a pref.
As a user, I'd prefer the "interop with Chrome" option.
> to either “enabled
> by default” or “enabled for specific domains by default.” I am
> proposing the latter.
the hope that if they don't change, they'll get onto the list
eventually anyway?
> First, we only implemented the optional Javascript version of the API,
> not the required MessagePort implementation [3]. This is mostly
> semantics, because everyone actually uses the JS API via a
> Google-supplied polyfill called u2f-api.js.
interop is implemented?
> As I’ve tried to establish, I’ve had reasons to resist shipping the
> FIDO U2F API in Firefox, and I believe those reasons to be valid.
> However, a multi-year delay for the largest security key-enabled web
> property is, I think, unreasonable to push upon our users. We should
> do what’s necessary to enable full security key support on Google
> Accounts as quickly as is practical.
This concern seems to apply to other services as well.
> property is, I think, unreasonable to push upon our users. We should
> do what’s necessary to enable full security key support on Google
> Accounts as quickly as is practical.
> I’ve proposed here making the FIDO U2F API whitelist a pref. I can’t
> say whether I would welcome adding more domains to it by default; I
> think we’re going to have to take them on a case-by-case basis.
list compared to making the feature available to all domains?
--
Henri Sivonen
hsiv...@mozilla.com
Philip Jägenstedt
Mar 22, 2019, 8:34:44 AM3/22/19
to Henri Sivonen, dev-platform
Hi all,
Some naive questions to understand what's happened here.
Is
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
the
API that will be added to Firefox?
Is
https://cs.chromium.org/chromium/src/chrome/browser/resources/cryptotoken/enroller.js
the
relevant bit of code in Chromium?
Is https://github.com/grantila/u2f-api the mentioned Google-supplied
polyfill called u2f-api.js?
Some naive questions to understand what's happened here.
Is
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
the
API that will be added to Firefox?
Is
https://cs.chromium.org/chromium/src/chrome/browser/resources/cryptotoken/enroller.js
the
relevant bit of code in Chromium?
Is https://github.com/grantila/u2f-api the mentioned Google-supplied
polyfill called u2f-api.js?
J.C. Jones
Mar 26, 2019, 3:46:14 PM3/26/19
to Henri Sivonen, dev-platform
(Sorry for the delay in replying, had a long-weekend of PTO there)
On Thu, Mar 21, 2019 at 7:08 AM Henri Sivonen <hsiv...@mozilla.com> wrote:
> On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones <j...@mozilla.com> wrote:
> > It appears that if we want full security key support for Google
> > Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> > API support from “experimental and behind a pref”
>
> I think it's problematic to describe something as "experimental" if
> it's not on path to getting enabled.
[...]
> So I think it's especially important to move *somewhere* from the
> "experimental and behind a pref" state: Either to interop with Chrome
> to the extent required by actual sites (regardless of what's de jure
> standard) or to clear removal so that the feature doesn't look like
> sites should just wait for it to get enabled and that the sites expect
> the user to flip a pref.
>
To be clear, our FIDO U2F API support is behind a pref since it's 1)
deprecated in favor of the superior WebAuthn standard, and 2) our
implementation is bare-bones. I think these points have merit, but not
enough to justify waiting as long as we have, let alone longer.
> As a user, I'd prefer the "interop with Chrome" option.
>
Okay.
> > to either “enabled by default” or “enabled for specific
> > domains by default.” I am proposing the latter.
>
> Why not the former? Won't the latter still make other sites wait in
> the hope that if they don't change, they'll get onto the list
> eventually anyway?
>
It's certainly easier to simply pref-flip the feature on by default. I'm
not opposed to that, though it leaves Safari as the lone browser that will
be dragging the ecosystem to move to WebAuthn.
> First, we only implemented the optional Javascript version of the API,
> > not the required MessagePort implementation [3]. This is mostly
> > semantics, because everyone actually uses the JS API via a
> > Google-supplied polyfill called u2f-api.js.
>
> Do I understand correctly that the part that is actually needed for
> interop is implemented?
>
Basically, yes. (See the caveats in the original message)
>
> > As I’ve tried to establish, I’ve had reasons to resist shipping the
> > FIDO U2F API in Firefox, and I believe those reasons to be valid.
> > However, a multi-year delay for the largest security key-enabled web
> > property is, I think, unreasonable to push upon our users. We should
> > do what’s necessary to enable full security key support on Google
> > Accounts as quickly as is practical.
>
> This concern seems to apply to other services as well.
>
Does anyone here disagree with simply flipping the preference on by default
to ride the trains in 68?
[0]
https://www.reddit.com/r/firefox/comments/b39eac/github_no_longer_allows_using_security_keys/
On Thu, Mar 21, 2019 at 7:08 AM Henri Sivonen <hsiv...@mozilla.com> wrote:
> On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones <j...@mozilla.com> wrote:
> > It appears that if we want full security key support for Google
> > Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> > API support from “experimental and behind a pref”
>
> I think it's problematic to describe something as "experimental" if
> it's not on path to getting enabled.
> So I think it's especially important to move *somewhere* from the
> "experimental and behind a pref" state: Either to interop with Chrome
> to the extent required by actual sites (regardless of what's de jure
> standard) or to clear removal so that the feature doesn't look like
> sites should just wait for it to get enabled and that the sites expect
> the user to flip a pref.
>
deprecated in favor of the superior WebAuthn standard, and 2) our
implementation is bare-bones. I think these points have merit, but not
enough to justify waiting as long as we have, let alone longer.
> As a user, I'd prefer the "interop with Chrome" option.
>
> > to either “enabled by default” or “enabled for specific
> > domains by default.” I am proposing the latter.
>
> Why not the former? Won't the latter still make other sites wait in
> the hope that if they don't change, they'll get onto the list
> eventually anyway?
>
not opposed to that, though it leaves Safari as the lone browser that will
be dragging the ecosystem to move to WebAuthn.
> First, we only implemented the optional Javascript version of the API,
> > not the required MessagePort implementation [3]. This is mostly
> > semantics, because everyone actually uses the JS API via a
> > Google-supplied polyfill called u2f-api.js.
>
> Do I understand correctly that the part that is actually needed for
> interop is implemented?
>
>
> > As I’ve tried to establish, I’ve had reasons to resist shipping the
> > FIDO U2F API in Firefox, and I believe those reasons to be valid.
> > However, a multi-year delay for the largest security key-enabled web
> > property is, I think, unreasonable to push upon our users. We should
> > do what’s necessary to enable full security key support on Google
> > Accounts as quickly as is practical.
>
> This concern seems to apply to other services as well.
>
> What user-relevant problem is solved by having to add domains to a
> list compared to making the feature available to all domains?
>
Last week's abrupt loss of support on Github [0] is a good case in point.
> list compared to making the feature available to all domains?
>
Does anyone here disagree with simply flipping the preference on by default
to ride the trains in 68?
[0]
https://www.reddit.com/r/firefox/comments/b39eac/github_no_longer_allows_using_security_keys/
Alex Gaynor
Mar 26, 2019, 3:50:21 PM3/26/19
to J.C. Jones, Henri Sivonen, dev-platform
unfortunate, as it'll leave some websites in a works-sometimes state. While
some larger sites have UIs and help articles explaining that Firefox works
for login but not reigstering a key, many will not. If it's possible to
include register support in what rides the train, that seems preferable.
It's probably worth flagging that there'll still be some sites which do not
work even with this, since we have a different implementation strategy than
Chrome, and so some feature detection efforts break.
Cheers,
Alex
>
> [0]
>
> https://www.reddit.com/r/firefox/comments/b39eac/github_no_longer_allows_using_security_keys/
J.C. Jones
Mar 26, 2019, 3:51:41 PM3/26/19
to Philip Jägenstedt, Henri Sivonen, dev-platform
Hi Philip:
1) Yes
2) I think so -- it's clearly had substantial refactoring in the process of
moving to Web Authentication
3) I think that's the one, but most sites redistribute a much older version
that used to be served by gstatic.com (I can't find it now) archived here:
https://github.com/fido-alliance/google-u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js
On Fri, Mar 22, 2019 at 5:34 AM Philip Jägenstedt <foo...@chromium.org>
wrote:
> Hi all,
>
> Some naive questions to understand what's happened here.
>
> Is
>
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
> the
> API that will be added to Firefox?
>
> Is
>
> https://cs.chromium.org/chromium/src/chrome/browser/resources/cryptotoken/enroller.js
> the
> relevant bit of code in Chromium?
>
> Is https://github.com/grantila/u2f-api the mentioned Google-supplied
> polyfill called u2f-api.js?
>
> On Thu, Mar 21, 2019 at 3:08 PM Henri Sivonen <hsiv...@mozilla.com>
> > Henri Sivonen
> > hsiv...@mozilla.com
1) Yes
2) I think so -- it's clearly had substantial refactoring in the process of
moving to Web Authentication
3) I think that's the one, but most sites redistribute a much older version
that used to be served by gstatic.com (I can't find it now) archived here:
https://github.com/fido-alliance/google-u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js
On Fri, Mar 22, 2019 at 5:34 AM Philip Jägenstedt <foo...@chromium.org>
wrote:
> Hi all,
>
> Some naive questions to understand what's happened here.
>
> Is
>
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
> the
> API that will be added to Firefox?
>
> Is
>
> https://cs.chromium.org/chromium/src/chrome/browser/resources/cryptotoken/enroller.js
> the
> relevant bit of code in Chromium?
>
> Is https://github.com/grantila/u2f-api the mentioned Google-supplied
> polyfill called u2f-api.js?
>
> wrote:
>
> > On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones <j...@mozilla.com> wrote:
> > > It appears that if we want full security key support for Google
> > > Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> > > API support from “experimental and behind a pref”
> >
> > I think it's problematic to describe something as "experimental" if
>
> > On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones <j...@mozilla.com> wrote:
> > > It appears that if we want full security key support for Google
> > > Accounts in Firefox in the near term, we need to graduate our FIDO U2F
> > > API support from “experimental and behind a pref”
> >
> > I think it's problematic to describe something as "experimental" if
> > it's not on path to getting enabled. "Experimental and behind a pref"
> > sounds like it's on track to getting enabled, so simultaneously 1)
> > sites have a reason to believe they don't need to do anything for
> > Firefox, since for now users can flip a pref and the feature is coming
> > anyway and 2) still the feature doesn't actually work by default for
> > users, and, considering the penalty of using an experimental feature
> > where the experiment fails is getting locked out of an account for
> > this particular feature.
> >
> > sounds like it's on track to getting enabled, so simultaneously 1)
> > sites have a reason to believe they don't need to do anything for
> > Firefox, since for now users can flip a pref and the feature is coming
> > anyway and 2) still the feature doesn't actually work by default for
> > users, and, considering the penalty of using an experimental feature
> > where the experiment fails is getting locked out of an account for
> > this particular feature.
> >
> > So I think it's especially important to move *somewhere* from the
> > "experimental and behind a pref" state: Either to interop with Chrome
> > to the extent required by actual sites (regardless of what's de jure
> > standard) or to clear removal so that the feature doesn't look like
> > sites should just wait for it to get enabled and that the sites expect
> > the user to flip a pref.
> >
> > "experimental and behind a pref" state: Either to interop with Chrome
> > to the extent required by actual sites (regardless of what's de jure
> > standard) or to clear removal so that the feature doesn't look like
> > sites should just wait for it to get enabled and that the sites expect
> > the user to flip a pref.
> >
> > As a user, I'd prefer the "interop with Chrome" option.
> >
> >
> > > to either “enabled
> > > by default” or “enabled for specific domains by default.” I am
> > > proposing the latter.
> >
> > Why not the former? Won't the latter still make other sites wait in
> > the hope that if they don't change, they'll get onto the list
> > eventually anyway?
> >
> > > by default” or “enabled for specific domains by default.” I am
> > > proposing the latter.
> >
> > Why not the former? Won't the latter still make other sites wait in
> > the hope that if they don't change, they'll get onto the list
> > eventually anyway?
> >
> > > First, we only implemented the optional Javascript version of the API,
> > > not the required MessagePort implementation [3]. This is mostly
> > > semantics, because everyone actually uses the JS API via a
> > > Google-supplied polyfill called u2f-api.js.
> >
> > Do I understand correctly that the part that is actually needed for
> > interop is implemented?
> >
> > > not the required MessagePort implementation [3]. This is mostly
> > > semantics, because everyone actually uses the JS API via a
> > > Google-supplied polyfill called u2f-api.js.
> >
> > Do I understand correctly that the part that is actually needed for
> > interop is implemented?
> >
> > > As I’ve tried to establish, I’ve had reasons to resist shipping the
> > > FIDO U2F API in Firefox, and I believe those reasons to be valid.
> > > However, a multi-year delay for the largest security key-enabled web
> > > property is, I think, unreasonable to push upon our users. We should
> > > do what’s necessary to enable full security key support on Google
> > > Accounts as quickly as is practical.
> >
> > This concern seems to apply to other services as well.
> >
> > > FIDO U2F API in Firefox, and I believe those reasons to be valid.
> > > However, a multi-year delay for the largest security key-enabled web
> > > property is, I think, unreasonable to push upon our users. We should
> > > do what’s necessary to enable full security key support on Google
> > > Accounts as quickly as is practical.
> >
> > This concern seems to apply to other services as well.
> >
> > > I’ve proposed here making the FIDO U2F API whitelist a pref. I can’t
> > > say whether I would welcome adding more domains to it by default; I
> > > think we’re going to have to take them on a case-by-case basis.
> >
> > > say whether I would welcome adding more domains to it by default; I
> > > think we’re going to have to take them on a case-by-case basis.
> >
> > What user-relevant problem is solved by having to add domains to a
> > list compared to making the feature available to all domains?
> >
> > --
> > list compared to making the feature available to all domains?
> >
> > Henri Sivonen
> > hsiv...@mozilla.com
JC Jones
Mar 27, 2019, 12:58:30 PM3/27/19
to
On Tuesday, March 26, 2019 at 12:50:21 PM UTC-7, Alex Gaynor wrote:
> Simply flipping the pref, and not including register support seems a bit
> unfortunate, as it'll leave some websites in a works-sometimes state. While
> some larger sites have UIs and help articles explaining that Firefox works
> for login but not reigstering a key, many will not. If it's possible to
> include register support in what rides the train, that seems preferable.
I'm sorry to be unclear. I'm intending to include the register support as well.
> Simply flipping the pref, and not including register support seems a bit
> unfortunate, as it'll leave some websites in a works-sometimes state. While
> some larger sites have UIs and help articles explaining that Firefox works
> for login but not reigstering a key, many will not. If it's possible to
> include register support in what rides the train, that seems preferable.
I have filed Bug 1539541 [0] to do this work:
Enable the security.webauth.u2f by default, to ride the trains
Remove the aOp == U2FOperation::Sign check from EvaluateAppID in WebAuthnUtil.cpp, permitting the Google override to work for Register as well as Sign.
Further discussion is still welcome, either here or on the bug.
[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1539541
Joseph Lorenzo Hall
Mar 28, 2019, 4:15:54 AM3/28/19
to JC Jones, dev-platform
Thanks for being flexible here in the face of adversity, big fan of running
trains even if it seems icky in the short term.
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
Don't miss out! CDT's Tech Prom is April 10, 2019, at The
Anthem. Please join us: https://cdt.org/annual-dinner/
trains even if it seems icky in the short term.
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
--
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
Don't miss out! CDT's Tech Prom is April 10, 2019, at The
Anthem. Please join us: https://cdt.org/annual-dinner/
sra...@duosecurity.com
May 22, 2019, 10:02:18 AM5/22/19
to
Hi all,
Thank you for enabling U2F! But Duo Security's implementation of U2F is dependent on the Trusted Facet functionality, as we need to reliably enroll/authenticate a U2F credential across subdomains. Until the trusted facet functionality is implemented I don't believe we can enable our users to use U2F in Firefox, even though we have a lot of really passionate U2F users.
Are there any thoughts about investing some time into enabling this functionality, or considering it on your roadmap?
Thank you for enabling U2F! But Duo Security's implementation of U2F is dependent on the Trusted Facet functionality, as we need to reliably enroll/authenticate a U2F credential across subdomains. Until the trusted facet functionality is implemented I don't believe we can enable our users to use U2F in Firefox, even though we have a lot of really passionate U2F users.
Are there any thoughts about investing some time into enabling this functionality, or considering it on your roadmap?
J.C. Jones
Jun 5, 2019, 5:19:40 PM6/5/19
to sra...@duosecurity.com, dev-platform
In short, no. I believe not implementing the facet algorithm is a feature.
I recommend migrating to Web Authentication as soon as practical.
I will also point to a post on blink-dev from Adam Langely calling for
websites targeting Chrome to migrate to WebAuthn:
https://groups.google.com/a/chromium.org/d/msg/Blink-dev/SdceviqfKJo/zIMMWWoLBgAJ
J.C.
I recommend migrating to Web Authentication as soon as practical.
I will also point to a post on blink-dev from Adam Langely calling for
websites targeting Chrome to migrate to WebAuthn:
https://groups.google.com/a/chromium.org/d/msg/Blink-dev/SdceviqfKJo/zIMMWWoLBgAJ
J.C.
0 new messages