Open
Bug 1404283
Opened 7 years ago
Updated 8 months ago
Add security key support to master password prompt
Categories
(Firefox :: Security, enhancement)
UNCONFIRMED
People
(Reporter: ignisvulpis, Unassigned)
Attachments
(1 file: 7.09 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20170925150345

Steps to reproduce:
Allow adding a hardware key to Firefox

Actual results:
In Passwordsafe I can add support for a yubikey. If a yubikey is registered with Passwordsafe then the user-entered password to unlock the passwordsafe is combined with the security key. Passwordsafe uses a Yubico proprietary API but I assume that now that bug 1294514 makes good progress we have all the parts available to build this using the webauthn API.

Expected results:
1) Provide a UI to add a security key
2) Change the Master Password Prompt and add security key support.

The attached UI proposal is stitched together from the Firefox Master Password Prompt and the Passwordsafe Login Dialog. The new Firefox Master Password Prompt should not show Yubikey only support but support any WebAuthn compliant hardware key. I guess the code implementing this would not use the webauthn JS interface but the low-level API to communicate with the security key.
https://w3c.github.io/webauthn
Comment 1•7 years ago
Interesting idea! The current U2F token implementation can only sign data, though, so while we can have a business-logic proof-of-possession, we can't use the token as a necessary component for decryption of the master secret. I don't believe CTAP can [1], either, as its only methods are makeCredential / getAssertion [2]. Yubikeys, however, can -- we'd need to implement some of their extended functionality.

[1] https://github.com/jcjones/u2f-hid-rs/issues/33
[2] https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html
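The distinction drawn in comment 1, as an added example that is not part of the bug thread or of Firefox code: a record whose key comes from the password alone (a token check could only sit in front of it as application logic) beside one whose key also requires a token response. `SimulatedToken`, its HMAC-SHA1 challenge-response, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for the demo


class SimulatedToken:
    """Software stand-in for a key with a deterministic challenge-response
    function (an assumption; a sign-only token does not offer this)."""

    def __init__(self):
        self._secret = os.urandom(20)  # never leaves the "device"

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def password_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def bound_key(password: bytes, salt: bytes, response: bytes) -> bytes:
    # The token response is key material: without it the key cannot be derived.
    return hmac.new(response, password_key(password, salt), hashlib.sha256).digest()


def check_value(key: bytes) -> bytes:
    # Stored next to the encrypted data so an unlock attempt can be verified.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def enroll(password: bytes, token: SimulatedToken = None) -> dict:
    """Create the on-disk record. With a token the key is bound to it;
    without one the record models the business-logic-gate design."""
    salt, challenge = os.urandom(16), os.urandom(32)
    if token is None:
        key = password_key(password, salt)
    else:
        key = bound_key(password, salt, token.respond(challenge))
    return {"salt": salt, "challenge": challenge, "check": check_value(key)}


def unlock(record: dict, password: bytes, response: bytes = None):
    """Return the key if the inputs reproduce it, else None."""
    if response is None:
        key = password_key(password, record["salt"])
    else:
        key = bound_key(password, record["salt"], response)
    return key if hmac.compare_digest(check_value(key), record["check"]) else None
```

In the first design the stored record plus the password is enough to rebuild the key, so a token prompt adds nothing against someone holding a copy of the profile; in the second, `unlock` returns `None` unless the enrolled token answers the stored challenge.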
Updated•2 years ago
Severity: normal → S3
Comment 3•1 year ago
Pinging this. This would be useful.
#839769 is a copy of this (for yubikey only).
Now that FIDO2 is supported and widely used in Firefox, the Master password without a FIDO2-compatible secure key has become the weakest spot of Firefox security. Entering the Master password multiple times per day is so 2000.