Duo U2F support doesn't work with Firefox's implementation



2 years ago
a year ago


(Reporter: jcj, Assigned: kang)


(Blocks 1 bug)


(Whiteboard: [webauthn], URL)


(1 attachment)

In testing U2F support using Firefox Release with the "security.webauth.u2f" and "security.webauth.u2f_enable_softtoken" preferences enabled [0], Duo's script [1] crashes on line 1, col 18:

> TypeError: setting a property that has only a getter

The code in question is simply:
> var u2f=u2f||{};

Firefox implements U2F version 1.1 [2], particularly its "High-level JavaScript API", in compliance with the non-normative text in the "Background" section saying Relying Parties should implement only the High-level JavaScript API. In compliance with section 3.2 of the specification, Firefox reveals the API in a namespace object named u2f, which is read-only.

Unfortunately, Google's sample code for interacting with U2F included this exact line, so I'm guessing that's where Duo picked it up from. Despite it coming from Google, it's clearly bad behavior to attempt to overwrite a namespace object exposed by WebIDL. I'm not sure what implementation peculiarity lets this work on Chrome, but it's odd.

Google's test site has this same issue [3] when used with Firefox, but it's not a crash bug because their code is split into two scripts: u2f-api.js, which crashes like Duo's with the same error, and u2fdemo.js, which contains the actual functionality. In that case, while u2f-api.js errors out, u2fdemo.js just expects to find a functioning "u2f" JavaScript interface to use, and Firefox is happy to provide it.

If Duo could split their logic in a similar way, it would be the most straightforward way I can think of to fix this.

[0] https://u2f.bin.coffee/
[1] https://api-4b043da5.duosecurity.com/frame/static/shared/lib/u2f/u2f.min.js
[2] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level-javascript-api
[3] https://u2fdemo.appspot.com/
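
The failure described in the report above, next to one loader pattern that does not assign over an existing `u2f`, as an added example that is not code from Duo, Google or Firefox. It models the browser global as a plain object whose `u2f` property has only a getter; `makeGlobalWithNativeU2f`, `clobberingLoader`, `safeLoader` and the fallback object are hypothetical names constructed for illustration.

```javascript
// Constructed stand-in for a browser global that exposes `u2f` as the report
// describes: a namespace object behind a getter, with no setter.
function makeGlobalWithNativeU2f() {
  const native = { register() {}, sign() {} };
  const g = {};
  Object.defineProperty(g, 'u2f', { get: () => native, configurable: true });
  return { g, native };
}

// The pattern from the report, applied to an explicit global object.
// In strict mode, writing to a getter-only property throws a TypeError.
function clobberingLoader(g) {
  'use strict';
  g.u2f = g.u2f || {};
  return g.u2f;
}

// Hypothetical loader that never assigns over an existing `u2f`.
function safeLoader(g, fallback) {
  'use strict';
  const existing = g.u2f;
  const usable = existing && typeof existing.register === 'function' &&
    typeof existing.sign === 'function';
  if (usable) return { api: existing, source: 'native' };
  if (!('u2f' in g)) {
    // Name is free: publish the fallback for scripts that expect a global.
    Object.defineProperty(g, 'u2f', { value: fallback, writable: true, configurable: true });
    return { api: fallback, source: 'fallback-installed' };
  }
  // Name is taken by something unusable: keep the fallback private.
  return { api: fallback, source: 'fallback-private' };
}

function demo() {
  const { g, native } = makeGlobalWithNativeU2f();
  let error = null;
  try { clobberingLoader(g); } catch (e) { error = e; }
  const fallback = { register() {}, sign() {} };
  const withNative = safeLoader(g, fallback);
  const bare = {};
  const withoutNative = safeLoader(bare, fallback);
  return {
    clobberThrewTypeError: error instanceof TypeError,
    nativeKept: withNative.source === 'native' && g.u2f === native,
    fallbackInstalled: withoutNative.source === 'fallback-installed' && bare.u2f === fallback,
  };
}

console.log(demo());
```
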
Duo support indicated that they're working on this and will email me when they have something working.
@jcj - Duo never got back to me (I did nag a few times) - wondered if you had any news on your side?
Flags: needinfo?(jjones)
No. At this point it'd probably be better to nag them about supporting W3C Web Authentication.

FWIW, the error at hand here is a duplicate of Bug 1411710, but at Duo instead of Google.
Flags: needinfo?(jjones)

I'm marking this as WONTFIX for now, basically because we are unable to fix it at this time and do not know if the vendor will fix it - it's been 10 mo without any update.
Hopefully, W3C Web auth will supersede all this :)
Last Resolved: a year ago
Resolution: --- → WONTFIX