Closed Bug 1399959 Opened 7 years ago Closed 7 years ago

Set preference to prefer hardware U2F tokens (but not shipping any U2F/WebAuthn APIs)

Categories

(Core :: DOM: Device Interfaces, enhancement, P2)

Other Branch
enhancement

RESOLVED FIXED
mozilla57
Tracking Status
firefox57 --- fixed

People

(Reporter: jcj, Assigned: jcj)

Details

(Whiteboard: [webauthn] [u2f])

Attachments

(1 file)

The general case of enabling U2F / WebAuthn should only require flipping one pref, not two or three. Let's leave u2f and webauthn off (because not ready to ship), but change 

pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.webauth.webauthn_enable_usbtoken", false);


to

pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.webauth.webauthn_enable_usbtoken", true);
Summary: Set preference to enable hardware U2F support by default (but not U2F/WebAuthn JS) → Set preference to prefer hardware U2F tokens (but not shipping any U2F/WebAuthn APIs)
Comment on attachment 8908258 [details]
Bug 1399959 - Prefer hardware instead of software U2F tokens

https://reviewboard.mozilla.org/r/179908/#review185146

Sounds good.

::: security/manager/ssl/security-prefs.js:119
(Diff revision 1)
>  pref("security.pki.certificate_transparency.mode", 0);
>  
> +// Hardware Origin-bound Second Factor Support
>  pref("security.webauth.u2f", false);
>  pref("security.webauth.webauthn", false);
> +// Only one of "enable_softtoken" and "enable_usbtoken" can be true
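
Review bot: the comment added on the last line, `Only one of "enable_softtoken" and "enable_usbtoken" can be true`, states an invariant that a prefs file cannot enforce on its own, and it does not say what happens when a profile sets both to true. Consider extending the comment to name the resulting behaviour or the code that enforces the constraint, so a reader editing these prefs can check the claim.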

Do we have code that enforces this?
Attachment #8908258 - Flags: review?(dkeeler) → review+
(In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> Comment on attachment 8908258 [details]
> Bug 1399959 - Prefer hardware instead of software U2F tokens
> 
> https://reviewboard.mozilla.org/r/179908/#review185146
> 
> Sounds good.
> 
> ::: security/manager/ssl/security-prefs.js:119
> (Diff revision 1)
> >  pref("security.pki.certificate_transparency.mode", 0);
> >  
> > +// Hardware Origin-bound Second Factor Support
> >  pref("security.webauth.u2f", false);
> >  pref("security.webauth.webauthn", false);
> > +// Only one of "enable_softtoken" and "enable_usbtoken" can be true
> 
> Do we have code that enforces this?

We do: http://searchfox.org/mozilla-central/source/dom/webauthn/U2FTokenManager.cpp#208

Thanks for the review!
Priority: -- → P2
This is a pref change that doesn't ship anything, just makes for easier testing. Try run looks good [1]

[1] https://treeherder.mozilla.org/#/jobs?repo=try&revision=f454fa9a0da3
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b406b52fd2e3
Prefer hardware instead of software U2F tokens r=keeler
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/b406b52fd2e3
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57