Closed Bug 1430150 Opened 6 years ago Closed 6 years ago

Web Authentication - Prompt for permission before permitting "direct" Attestation Conveyance

Categories

(Core :: DOM: Device Interfaces, enhancement, P2)

Product:
Core
Component:
DOM: Device Interfaces
Type:
enhancement

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox59 --- wontfix
firefox60 --- verified

People

(Reporter: jcj, Assigned: ttaubert)

References

(Blocks 1 open bug)

Details

(Whiteboard: [webauthn][webauthn-ux][seceng-ux-needed])

Attachments

(5 files, 2 obsolete files)

Bug 1430150 - Implement WebAuthentication permission prompts
45 bytes, text/x-phabricator-request
johannh
: review+
jcj
: review+
Details | Review
Screenshot (new device registration)
73.90 KB, image/png
Details
Screenshot (authentication w/ existing device)
73.38 KB, image/png
Details
Screenshot (device registration w/ direct attestation)
146.54 KB, image/png
Details
Fingerprint - 32.svg
2.98 KB, image/svg+xml
Details 
Web Authentication tokens have an x509 certificate which could be unique enough to be considered a cross-account tracking fingerprint. Luckily, the tokens won't emit one unless the user interacts with the token (pushing a button, tapping, etc) during second-factor registration.

The WebAuthn standard says that browsers can anonymize that x509 certificate by default, which we will do in Bug 1428916. However, websites can specify that they need a "direct" attestation certificate, in which case we're asked to pass along the not-anonymized certificate directly from the token.

When we see one of these "direct" attestation requests, this bug is to prompt the user as to how to proceed. A draft question might be:

---
    "The website at <origin> is asking for your second factor's digital certificate, which could be used to associate this account with other accounts you might have here. Firefox can anonymize this for you, but the website might decline this second factor. If declined, you can try again."

1) Cancel
2) Proceed but anonymize anyway
3) Proceed
---

Obviously I'm not the best tech writer for a broad audience, but that's the gist.

This sort of a prompt should not happen often (only when registering a credential of "direct" type), so I don't know if it's worth it to have "Never show this again" semantics. I leave that up to those more wise in the ways of UX.

Note: Until this bug lands, we'll implicitly always choose #2, as it's the safe option.
Per :jkt, Bug 1381628 has a JS/C++ combination permission prompt.

It uses the permission prompt to gate the whole function from Navigator, whereas we won't know we need to provide the prompt until we've started decoding the MakeCredentialOptions -- but it looks like one could probably use MozPromise and pause waiting on its resolution.
Whiteboard: [webauthn][webauthn-ux] → [webauthn][webauthn-ux][seceng-ux-needed]
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Attached image Screenshot (WIP) (obsolete) — 
Here's a screenshot of the WIP patch. Quite a lot of text...

The patch doesn't yet honor the checkbox, but it does proceed or cancel.
Attachment #8949698 - Attachment is obsolete: true
Flags: needinfo?(jhofmann)
Flags: needinfo?(jhofmann)
Flags: needinfo?(jhofmann)
Depends on: 1409202
Flags: needinfo?(jhofmann)

        Attachment #8949699 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached image
          
        Fingerprint - 32.svg
      

    


  
I created a mock for the web authentication prompt https://mozilla.invisionapp.com/share/NKG898LJHVS#/screens/283734920_Artboard. After trying literal metaphors like yubikeys pictograms we opted for a more abstract identity-related metaphor that can potentially support other formats beside yubikeys. 

For styles and spec please refer to the permissions panels.

    
    

    
  
Comment on attachment 8953397 [details]
Bug 1430150 - Implement WebAuthentication permission prompts

Johann Hofmann [:johannh] has approved the revision.
J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D638

        Attachment #8953397 -
        Flags: review+

    
    

    
  
(In reply to Amin Al Hazwani [:amin] (Firefox UX) from comment #9)
> I created a mock for the web authentication prompt
> https://mozilla.invisionapp.com/share/NKG898LJHVS#/screens/
> 283734920_Artboard. After trying literal metaphors like yubikeys pictograms
> we opted for a more abstract identity-related metaphor that can potentially
> support other formats beside yubikeys. 

This is great, thank you Amin! I'll take this to a follow-up. We probably have to uplift it, but that shouldn't be too hard hopefully.

    
    

    
  
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8d91193cd766
Implement WebAuthentication permission prompts r=jcj,johannh

    
    

    
  
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/497aead7d738
Disable browser_webauthn_telemetry.js on TV runs for now r=bustage
Depends on: 1444756

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8d91193cd766
Status: ASSIGNED → RESOLVED
Closed: 6 years ago

          status-firefox60:
          --- → fixed
Resolution: --- → FIXED

    
    

    
  
Sorry for abusing a closed bug for questions, but I assume other people will land here from the strings.

This patch introduces a lot of concepts (terminology) that I've never met in Firefox (security tokens, authenticator). It seems also quite technical, on the edge of jargony. Who's the target audience for this feature? I see an Invision board, so I assume the copy was reviewed?

For example: 
- "%S wants to register an account with one of your security tokens". Do I have security tokens in Firefox? What are they? Where do I manage them? I went through the tracking bug, and couldn't spot open dependencies with UI (or I missed them)
- "You can authorize now or cancel", then the buttons are "Cancel" and "Proceed". Why not "Authorize"?

P.S. Localization comments are used to help localizers get context on strings. The whole comment on webauthn.registerDirectPrompt seems to have a different target though (users of the feature). It doesn't hurt, but it's also surprising.
Flags: needinfo?(ttaubert)
Depends on: 1444829
Target Milestone: Future → mozilla60

    
    

    
  
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Hi,
I have just tested this fix on Firefox Beta 60.0b5 and the icon is in place and the notification looks good. 
Marking this issue as verified fixed.
Status: RESOLVED → VERIFIED

          status-firefox60:
          fixedverified
Flags: needinfo?(ttaubert)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: