
Intent to implement and ship: Web Authentication


J.C. Jones

2016/11/11 16:18:58
To: dev-pl...@lists.mozilla.org
The W3C Web Authentication Working Group [1] was formed to produce a
browser-facing standard for using strong, cryptographic scoped credentials
to authenticate to web applications in an un-phishable way. The Working
Group began working from specifications produced by the FIDO Alliance, but
through the W3C process ensured there was a web-focus to the final result.

We have been tracking the Web Authentication standard since last year’s
FIDO U2F announcement [2], and we believe Web Authentication provides a
valuable augmentation to web application security in an inclusive way. We
are proposing to implement the current draft specification for Web
Authentication [3], and then track the evolution through to its final
Recommendation state.

Background: The Mozilla Foundation joined the FIDO Alliance to support the
work of providing augmented security to user logins across the Web. We
encouraged FIDO to evolve their browser specifications within the W3C, to
enable larger community involvement than simply Alliance members. This
specification is a result of that wider effort.

Web Authentication defines a way to use credentials from a secure element
to authenticate to web applications using public key cryptography. As with
FIDO U2F, the browser’s role is mainly to provide the interface between the
secure element (such as a USB dongle) and the web application, and to
enforce a scoped security model to bind the resulting attestation to the
specific web application.

Web Authentication support is currently in development for Microsoft Edge
[4] [5]. Google Chrome’s support is also in-development. Several websites
have deployed support for U2F, the predecessor to WebAuthn, including
Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
today which will function with the Web Authentication API.

Proposed: To implement the Web Authentication API, with support for the USB
U2F HID token attestation format.

Please send comments on this proposal to the list no later than 21 November
2016.

[1] https://www.w3.org/blog/webauthn/

[2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ

[3] https://www.w3.org/TR/webauthn/

[4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97

[5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth

- J.C., Crypto Engineering

berni...@gmail.com

2016/11/13 18:36:34
Hi,

the company I am working for is a small member of the FIDO Alliance.
We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)

As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)

So, do you have new/other information to back your proposition:
"Proposed: To implement the Web Authentication API, with support for the USB
U2F HID token attestation format."

Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)

J.C. Jones

2016/11/14 12:34:11
To: berni...@gmail.com、dev-pl...@lists.mozilla.org
Bernie,

You're right that the current WD does not contain the "U2F HID token"
attestation format, but the WG is _intending_ to add it [1] -- and support
for such devices -- in Working Draft 4 [2] as soon as a larger in-document
refactor is complete.

I won't guarantee success at this point, but I believe it likely that
WebAuthn will ultimately support most fielded U2F HID-compliant devices.

[1] https://github.com/w3c/webauthn/issues/214
[2] https://github.com/w3c/webauthn/milestone/8

Cheers!
J.C.

berni...@gmail.com

2016/11/14 16:41:37

hi JC,

I just realized that you are jcj_moz inside the webauthn minutes I am reading every week. I followed parts of the debates about CTAP, U2F attestation... and how it appears and disappears on the main W3C drafts... I even read
https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf
and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and BT... (I ammmm goingggg slightllyyy maaaad)

Since you seem to have a better perspective on these points, would you be kind enough to explain how U2F will be dealt with to be compatible with the WebAuthN architecture? Thanks!

berni...@gmail.com

2016/11/14 20:08:40
oh I got it now... it seems there was a change of direction in CTAP 1.1 to be now compatible with U2F... so regarding CTAP 1.1 (and not CTAP 2.0), CTAP HID <=> U2F USB, CTAP NFC <=> U2F NFC and CTAP BT <=> U2F BT...

and "Channel ID" MITM protection is now replaced by "Token Binding ID" but it should stay compatible too...

So now, you'll have to finalize CTAP 1.1 (and U2F BT by the way)

Am I correct on this ?

J.C. Jones

2016/11/15 14:47:49
To: dev-pl...@lists.mozilla.org
Apologies, this got caught in a filter. Re-sending for posterity on the
list.
---------- Forwarded message ----------
From: J.C. Jones
Date: Tue, Nov 15, 2016 at 12:01 PM
Subject: Re: Intent to implement and ship: Web Authentication
To: berni...@gmail.com
Cc: dev-pl...@lists.mozilla.org


Hey Bernie,

That's one possibility, but I expect WebAuthn to support the U2F
attestation payloads in its MakeCredential and GetAssertion calls, and then
Firefox will implement the U2F HID protocol initially rather than jumping
to CTAP v1.1.

Cheers,
J.C.

Anders Rundgren

2016/11/30 11:42:30
It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions, which nowadays are a standard feature in Android and Windows platforms.

Anders Rundgren

2016/12/01 0:54:14
On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> It is a pity that external tokens have become the
> focus when the majority will rather rely on embedded
> security solutions which nowadays is a standard feature
> in Android and Windows platforms.

Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.

On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.

That is, the token vendors and security folks do not represent the actual market comprising end-users and service providers.

Maybe this is a project primarily targeting the desktop?

J.C. Jones

2016/12/02 16:27:30
To: Anders Rundgren、dev-pl...@lists.mozilla.org
Anders,

The first target I'm working on is Desktop, though I've plans in 2017 to
support WebAuthn on Android and iOS [1], too. WebAuthn already has
definitions suitable for Android's Key Attestation [2] and SafetyNet
formats [3], so they'll need implementations that tie into the
dom::WebAuthentication class.

Cheers,
J.C.

[1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
[2] https://w3c.github.io/webauthn/#android-key-attestation
[3] https://w3c.github.io/webauthn/#android-safetynet-attestation

Anders Rundgren

2016/12/02 23:47:44
On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> Anders,
>
> The first target I'm working on is Desktop, though I've plans in 2017 to
> support WebAuthn on Android and iOS [1], too. WebAuthn already has
> definitions suitable for Android's Key Attestation [2] and SafetyNet
> formats [3], so they'll need implementations that tie into the
> dom::WebAuthentication class.

That's great news!

Regards,
Anders

Tom Schuster

2017/04/11 8:05:16
To: Anders Rundgren、dev-pl...@lists.mozilla.org
So what's our status with regards to implementing FIDO u2f? I really would
like to use my security key natively in Firefox.

Best,
Tom

J.C. Jones

2017/04/11 20:46:39
To: Tom Schuster、dev-pl...@lists.mozilla.org
Tom,

We're making progress on supporting the USB U2F HID token attestation
format; before the actual U2F/HID code starts appearing in-tree, there has
had to be some refactoring to handle things in a proper asynchronous way --
which is nearing review.

I'm working on that USB U2F support for OSX right now; Linux support is
also looking pretty OK, and we're planning to get Windows this quarter, too.

Independently, we're waiting on updating our Web Authentication
implementation from the WD-02 version currently in-tree, expecting a
significant refactor to happen aligning the way you use Web Authentication
with the W3C Credential Management specification. There's ongoing
discussion [1] and currently one pull request [2] to do that. That's
primarily why we haven't moved forward to the WD-04 draft yet - and we're
working on the HID support.

That said, we're still planning on exposing the USB U2F security key-type
devices only through the W3C Web Authentication API by default -- the older
FIDO U2F API that is currently hidden behind the `security.webauth.u2f`
preference [3] we're currently planning to keep hidden. It doesn't
implement the "Low-level MessagePort API", which makes some sites that
depend on Chrome's u2f-api.js behave oddly.


[1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
[2] https://github.com/w3c/webauthn/pull/384
[3] (and also the `security.webauth.u2f_enable_softtoken` preference, since
there's no USB support in-tree yet)

Cheers,
J.C.

On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster <t...@schuster.me> wrote:

> So what's our status with regards to implementing FIDO u2f? I really would
> like to use my security key natively in Firefox.
>
> Best,
> Tom
>

Tom Schuster

2017/04/12 13:05:38
To: J.C. Jones、dev-pl...@lists.mozilla.org
Hi J.C.!

Thanks for your extensive answer! Seems like there is a lot of progress
going on that wasn't immediately obvious from bugzilla. I am looking
forward to seeing this land.

Thank you,
Tom