Open Bug 1404283 Opened 7 years ago Updated 8 months ago

Add security key support to master password prompt

Categories: Firefox :: Security, enhancement

Version: 57 Branch

Status: UNCONFIRMED

People: Reporter: ignisvulpis, Unassigned

Attachments (1 file): Firefox-Yubikey.png (image)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20170925150345

Steps to reproduce:

Allow adding a hardware key to Firefox


Actual results:

In Passwordsafe I can add support for a Yubikey.
If a Yubikey is registered with Passwordsafe, then the user-entered password to unlock the Passwordsafe is combined with the security key. Passwordsafe uses a Yubico proprietary API, but I assume that now that bug 1294514 is making good progress, we have all the parts available to build this using the WebAuthn API.


Expected results:

1) Provide a UI to add a security key
2) Change the Master Password Prompt and add security key support.

The attached UI proposal is stitched together from the Firefox Master Password Prompt and the Passwordsafe Login Dialog. The new Firefox Master Password Prompt should not show Yubikey-only support but should support any WebAuthn-compliant hardware key.

I guess the code implementing this would not use the WebAuthn JS interface but the low-level API to communicate with the security key.

https://w3c.github.io/webauthn
Severity: normal → enhancement
Component: Untriaged → Security
Interesting idea!

The current U2F token implementation can only sign data, though, so while we can have a business-logic proof-of-possession, we can't use the token as a necessary component for decryption of the master secret. I don't believe CTAP can [1], either, as its only methods are makeCredential / getAssertion [2].

Yubikeys, however, can -- we'd need to implement some of their extended functionality.
[1] https://github.com/jcjones/u2f-hid-rs/issues/33
[2] https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html

How about using the 'HMAC secret' extension of FIDO2?
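As an added illustration (not code from this bug or from Firefox), here is how the hmac-secret approach suggested above could tie the master password to a security key. The authenticator is simulated: CTAP2's hmac-secret extension returns HMAC-SHA-256(CredRandom, salt) for a per-credential secret that never leaves the key; the PBKDF2 parameters, the verifier scheme and the omitted ECDH transport encryption are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets


class SimulatedSecurityKey:
    """Constructed stand-in for a FIDO2 authenticator with hmac-secret.

    A real key also encrypts salt and output under an ECDH shared secret
    with the client; that transport layer is left out here.
    """

    def __init__(self) -> None:
        # CredRandom: generated at makeCredential time, stored on the key only.
        self._cred_random = secrets.token_bytes(32)

    def hmac_secret(self, salt: bytes) -> bytes:
        # Exactly what the extension computes: HMAC-SHA-256(CredRandom, salt).
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be 32 bytes")
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def derive_unlock_key(password: str, key_output: bytes, kdf_salt: bytes) -> bytes:
    # Stretch the typed master password first, then bind it to the security
    # key's output so that neither factor on its own yields the unlock key.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), kdf_salt, 200_000)
    return hmac.new(key_output, stretched, hashlib.sha256).digest()


def enroll(password: str, key: SimulatedSecurityKey) -> dict:
    # Stored on disk: two random salts plus a verifier; no secrets in the clear.
    record = {"kdf_salt": os.urandom(16), "hmac_salt": os.urandom(32)}
    unlock_key = derive_unlock_key(password, key.hmac_secret(record["hmac_salt"]), record["kdf_salt"])
    record["verifier"] = hmac.new(unlock_key, b"master-password-verifier", hashlib.sha256).digest()
    return record


def unlock(record: dict, password: str, key: SimulatedSecurityKey) -> bool:
    # Unlock succeeds only with the right password AND the enrolled key present.
    unlock_key = derive_unlock_key(password, key.hmac_secret(record["hmac_salt"]), record["kdf_salt"])
    candidate = hmac.new(unlock_key, b"master-password-verifier", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record["verifier"])
```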

Severity: normal → S3

Pinging this. This would be useful.
#839769 is a copy of this (for Yubikey only).

Now that FIDO2 is supported and widely used in Firefox, the Master Password without a FIDO2-compatible security key has become the weakest spot of Firefox security. Entering the Master Password multiple times per day is so 2000.
