Summary: Support already-enrolled U2F devices with Google Accounts for Web Authentication
Web Authentication is on track to ship in Firefox 60 [1], and contains within it support for already-deployed USB-connected FIDO U2F devices, and we intend to ship with a spec extension feature implemented to support devices that were already enrolled using the older U2F JavaScript API [2]. That feature depends on Firefox supporting the older API’s algorithm for relaxing the same-origin policy [3], which is not completely implemented in Firefox [4].

It appears that many U2F JS API-compatible websites do not require the cross-origin features currently unimplemented in Firefox, but notably the Google Accounts service does: for historical reasons (being the first U2F implementor) their FIDO App ID is “www.gstatic.com” [5] for logins to “google.com” and its subdomains [6]. Interestingly, as the links to Chromium’s source code in [5] and [6] show, Chrome chooses to hardcode the approval of this same-origin override rather than complete the specification’s algorithm for this domain.

As mentioned in the bug linked in [4], I have a variety of reservations with the U2F JavaScript API’s algorithm. I also recognize that Google Accounts is the largest player in existing U2F device enrollments. The purpose of the extension feature in [2] is to permit users who already are using U2F devices to be able to move seamlessly to Web Authentication -- and hopefully also be able to use browsers other than Chrome to do it.

After discussions with appropriate Googlers confirmed that the “www.gstatic.com” origin used in U2F is being retired as part of their change-over to Web Authentication, I propose to hard-code support in Gecko to permit Google Accounts’ cross-origin U2F behavior, the same way as Chrome has. I propose to do this for a period of 5 years, until 2023, and to file a bug to remove this code around that date.
That would give even periodically-used U2F-protected Google accounts ample opportunity to re-enroll their U2F tokens with the new Web Authentication standard and provide continuity of access. The code involved would be a small search loop, similar to Chrome’s in [6].

If we choose not to do this, Google Accounts users who currently have U2F enabled will not be able to authenticate using Firefox until their existing U2F tokens are re-enrolled using Web Authentication -- meaning not only will Google need to change to the Web Authentication API, they will also have to prompt users to go back through the enrollment ceremony. This process is likely to take several years.

Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=webauthn
Spec: https://www.w3.org/TR/webauthn/
Estimated target release: 60
Preference behind which this is implemented: security.webauth.webauthn
DevTools support: N/A
Support by other browser engines:
- Blink: In progress
- Edge: In progress
- WebKit: No public announcements
Testing: Mochitests in-tree; https://webauthn.io/; https://webauthn.bin.coffee/; https://webauthndemo.appspot.com/; Web Platform Tests in progress

Cheers,
J.C. Jones and Tim Taubert

[1] https://groups.google.com/d/msg/mozilla.dev.platform/tsevyqfBHLE/lccldWNNBwAJ
[2] https://w3c.github.io/webauthn/#sctn-appid-extension and https://bugzilla.mozilla.org/show_bug.cgi?id=1406471
[3] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html
[4] https://groups.google.com/d/msg/mozilla.dev.platform/UW6WMmoDzEU/8h7DFOfsBQAJ and https://bugzilla.mozilla.org/show_bug.cgi?id=1244959
[5] https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc#30
[6] https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc#161

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
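The "small search loop" the message proposes, as an added example that is not part of the original post and is neither Mozilla's, Chromium's nor Google's code: a model of the U2F AppID check with a hard-coded override that lets google.com and its subdomains keep using the legacy www.gstatic.com AppID. The only facts taken from the message are those two host names; everything else is an assumption of this example. In particular, AppID and caller origin are assumed to be https URLs compared by origin, and the U2F spec's trusted-facets fetch (the part Firefox has not implemented) is not modelled and simply rejects. The security-relevant detail is the subdomain test: the match must include the dot, or an attacker-controlled "evilgoogle.com" would be granted the override.

```javascript
// Added example (not Mozilla's, Chromium's or Google's code): a model of the
// U2F AppID check described in the email, with a hard-coded override so that
// Google Accounts pages can keep using their legacy www.gstatic.com AppID
// from google.com and its subdomains.
// Assumptions (not from the email): AppID and caller origin are https URLs
// compared by origin; the U2F spec's "trusted facets" fetch, the part
// Firefox has not implemented, is not modelled and is treated as a reject.

// Constants taken from the email: the legacy AppID host, and the registrable
// domain whose subdomains are allowed to use it.
const LEGACY_APPID_HOST = "www.gstatic.com";
const LEGACY_OVERRIDE_DOMAINS = ["google.com"];

// Parse an https URL, returning { origin, host } or null if it is unusable.
function parseHttps(s) {
  let url;
  try {
    url = new URL(s);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") {
    return null;
  }
  return { origin: url.origin, host: url.hostname.toLowerCase() };
}

// True if `host` is `domain` itself or a subdomain of it. The leading dot is
// what keeps "evilgoogle.com" from matching "google.com".
function isSameOrSubdomainOf(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether `callerOrigin` may use `appId`, returning a tagged reason so
// a caller can log why a request was allowed or rejected.
function checkAppId(appId, callerOrigin) {
  const app = parseHttps(appId);
  const caller = parseHttps(callerOrigin);
  if (app === null || caller === null) {
    return "reject:not-https";
  }
  // 1. Same origin: the common case, always allowed.
  if (app.origin === caller.origin) {
    return "allow:same-origin";
  }
  // 2. The hard-coded override: the "small search loop" from the email.
  if (app.host === LEGACY_APPID_HOST) {
    for (const domain of LEGACY_OVERRIDE_DOMAINS) {
      if (isSameOrSubdomainOf(caller.host, domain)) {
        return "allow:hardcoded-override";
      }
    }
  }
  // 3. Any other cross-origin AppID would need the full trusted-facets
  //    algorithm; since that is not modelled here, reject.
  return "reject:cross-origin";
}
```

Keeping the override in a separate list with a tagged result makes the eventual removal (the 2023 bug the message mentions) a matter of deleting the list and its branch, and makes override-based logins distinguishable in logs from ordinary same-origin ones.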

