Closed Bug 1444101 Opened 2 years ago Closed 2 years ago

Enable FIDO U2F for Thunderbird

Categories

(Thunderbird :: Preferences, enhancement)
Not set

Tracking

RESOLVED FIXED
Thunderbird 61.0
Tracking Status
thunderbird60 --- fixed
thunderbird61 --- fixed

People

(Reporter: jcj, Assigned: Fallen)

Attachments

(1 file)

Gecko 59+ supports FIDO U2F tokens via the FIDO U2F JS API (and 60 will support WebAuthn, too!).

FIDO U2F tokens are required to authenticate with GMail when using the Advanced Protection Program [1], and as such Google Accounts people have reached out to me wanting to confirm support for U2F in Thunderbird.

I downloaded the most recent version of Thunderbird 60 and did the following:

    Opened Preferences -> Advanced -> Config Editor
    Searched for security.webauthn.u2f and double-clicked it to turn it true
    Opened Tools -> Developer Tools -> Developer Toolbox
    Ran: window.open("https://u2f.bin.coffee", "_blank", "chrome");

Then I passed my little conformance test I have on that site, from within Thunderbird, indicating to me that U2F works fine.

Firefox is not turning U2F on by default in favor of the new hotness of Web Authentication. Since email moves slower than the Web, and there's already a deployed U2F-requiring mechanism in Google Accounts, perhaps Thunderbird would like to take a different choice here and enable U2F by default, letting Thunderbird more easily pick up Google A.P.P. users?

All that would be necessary from the Thunderbird side would be flipping the pref. Google would then need to make sure their login flow accommodates Thunderbird users with U2F tokens.

[1] https://landing.google.com/advancedprotection/

Interesting, thanks for letting us know. Opinions, Magnus, Philipp?
Flags: needinfo?(philipp)
Flags: needinfo?(mkmelin+mozilla)

Is the only reason Firefox didn't enable u2f that WebAuthn is more preferred, or is there also a technical reason? Maybe you have a link to the Firefox bug where this was decided?

Did Firefox want to add some code that would auto-migrate u2f tokens to webauthn (I don't know if that is possible, but I remember reading something along the lines)?

If the former is not the case and we enable u2f now, would we have to write our own migration code once everyone moves to WebAuthn?


Thunderbird 60 will be the first release since Thunderbird 52, so if 60 supports WebAuthn and Google is also moving towards it, it may make sense to follow Firefox's decision. If there is no technical reason not to enable u2f, and the worst that can happen is that users will have to re-authenticate when moving from u2f to WebAuthn then I'd be open to enabling it.
Flags: needinfo?(philipp)
Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(jjones)

(In reply to Philipp Kewisch [:Fallen] from comment #2)
> Is the only reason Firefox didn't enable u2f that WebAuthn is more
> preferred, or is there also a technical reason? Maybe you have a link to the
> Firefox bug where this was decided?

It's 2 things:

1) We want to force the web to move to WebAuthn from U2F JS API, as the U2F JS API wasn't done in W3C/IETF, and

2) I haven't implemented the U2F JS API's method of bypassing the single-origin security policy, because I don't think it's a good method. This is irrelevant for most sites, and we landed a hardcoded value for Google Accounts in Bug 1436078, so it's not much of a hangup. However, being as I don't implement the whole standard, we'd have to explain very clearly why we're shipping a half-complete implementation.


> Did Firefox want to add some code that would auto-migrate u2f tokens to
> webauthn (I don't know if that is possible, but I remember reading something
> along the lines)? 

We have an extension for WebAuthn to help sites do this (Bug 1406471), but it's ultimately up to the relying party (e.g., Google Accounts).

> If the former is not the case and we enable u2f now, would we have to write
> our own migration code once everyone moves to WebAuthn?

Nope. Totally up to the relying party.  You'll just want to enable WebAuthn -- which is already the default in 60.

 
> Thunderbird 60 will be the first release since Thunderbird 52, so if 60
> supports WebAuthn and Google is also moving towards it, it may make sense to
> follow Firefox's decision. If there is no technical reason not to enable
> u2f, and the worst that can happen is that users will have to
> re-authenticate when moving from u2f to WebAuthn then I'd be open to
> enabling it.

Cool!

So the political point above, numbered #2, is what I think you need to chew on a bit. To my knowledge, the only sites affected by my half-U2F implementation are:

 * Facebook, which doesn't affect Thunderbird
 * Google Accounts, which is enabled in Bug 1436078

so IMO I think you can choose how you like without regard to Firefox's web-standards politics.


Let me know if I can be of more help!
Flags: needinfo?(jjones)

Deferring the decision to Magnus as the module owner.

Does Google Accounts also support Web Authentication, or just U2F currently? If the former, then given 60 is our next major release and 52 was our last, I think it might make sense to just have Web Authentication enabled.
Flags: needinfo?(mkmelin+mozilla)

Google Accounts has not announced a timeline for supporting Web Authentication. Chrome hasn't committed to a shipping timeline yet, either, though there are signals suggesting M68 or M69. (It's in Beta now behind a flag).

Sounds pretty cool, actually! I think I'm in favor of enabling U2F support.
Flags: needinfo?(mkmelin+mozilla)

Attached patch Fix - v1 — — Splinter Review
Assignee: nobody → philipp
Status: NEW → ASSIGNED
Attachment #8964839 - Flags: review?(mkmelin+mozilla)
Attachment #8964839 - Flags: approval-comm-beta?
Attachment #8964839 - Attachment is patch: true

Comment on attachment 8964839 [details] [diff] [review]
Fix - v1

Review of attachment 8964839 [details] [diff] [review]:
-----------------------------------------------------------------

Yes let's do this. r=mkmelin
Attachment #8964839 - Flags: review?(mkmelin+mozilla) → review+

Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/08fa74b75cc5
Enable FIDO U2F for Thunderbird. r=mkmelin
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 61.0
Attachment #8964839 - Flags: approval-comm-beta? → approval-comm-beta+

1) "All that would be necessary from the Thunderbird side would be flipping the pref. Google would then need to make sure their login flow accommodates Thunderbird users with U2F tokens."

It sounds like the U2F support was verified, but nobody verified that Thunderbird 60.0 can actually use a FIDO U2F Yubikey with an email provider. Is that correct?

There appear to be only two threads about Thunderbird supporting U2F on SUMO.

In https://support.mozilla.org/en-US/questions/1230131 somebody complained that they got error messages when trying to use U2F with Gmail, and gave up as it was too hard to figure out what to do. They didn't reply when I asked for more details.

I asked in https://support.mozilla.org/en-US/questions/1230107 whether anybody had ever gotten U2F to work with Gmail or any other email provider, no answer. I contacted Fastmail support and confirmed that they don't support it yet.

2) "I haven't implemented the U2F JS API's method of bypassing the single-origin security policy, because I don't think it's a good method. This is irrelevant for most sites, and we landed a hardcoded value for Google Accounts in Bug 1436078, so it's not much of a hangup. However, being as I don't implement the whole standard, we'd have to explain very clearly why we're shipping a half-complete implementation."

Where is this explained? All the release notes say is "New FIDO U2F support" and there is no knowledge base article about U2F, FIDO or Yubikey for Thunderbird.

3) https://support.mozilla.org/en-US/questions/1228925 asks "Why won't the Google Titan Key work with FireFox Quantum 61.0.2 even with U2F enabled in the browser?". This makes me wonder whether the same problem would occur with Thunderbird 60. Is any information available on which U2F FIDO keys are expected to work with Thunderbird?

(In reply to Eric Moore from comment #11)
> 1) "All that would be necessary from the Thunderbird side would be flipping
> the pref. Google would then need to make sure their login flow accommodates
> Thunderbird users with U2F tokens."
> 
> It sounds like the U2F support was verified, but nobody verified that
> Thunderbird 60.0 can actually use a FIDO U2F Yubikey with an email provider.
> Is that correct?

At the time we shipped this, there wasn't anything to test with upstream.

> 2) "I haven't implemented the U2F JS API's method of bypassing the
> single-origin security policy, because I don't think it's a good method.
> This is irrelevant for most sites, and we landed a hardcoded value for
> Google Accounts in Bug 1436078, so it's not much of a hangup. However, being
> as I don't implement the whole standard, we'd have to explain very clearly
> why we're shipping a half-complete implementation."
> 
> Where is this explained? All the release notes say is "New FIDO U2F support"
> and there is no knowledge base article about U2F, FIDO or Yubikey for
> Thunderbird.

It's spread around for Firefox. I agree we should probably have a knowledgebase article written for Thunderbird and WebAuthn/U2F. I can certainly help contribute to it.

> 3) https://support.mozilla.org/en-US/questions/1228925 asks "Why won't the
> Google Titan Key work with FireFox Quantum 61.0.2 even with U2F enabled in
> the browser?" . This makes me wonder whether the same problem would occur
> with Thunderbird 60. Is any information available on which U2F FIDO keys are
> expected to work with Thunderbird?

I don't have the actual Google Titan Key, but the OEM version of it from Feitian works fine in Firefox and in my synthetic test in Thunderbird from comment 0, and I would hope that would mean the Google-branded one would, too. Perhaps I need to order a Titan Key and take a look. But that really should be a follow-on bug, if the Titan Key isn't working.


> It sounds like the U2F support was verified, but nobody verified that Thunderbird 60.0 can actually use a FIDO U2F Yubikey with an email provider. Is that correct?

I just came across this issue after finding that U2F is not usable with GMail on Thunderbird 60.7.2. I can confirm that it is usable on 68.0b3, so I think this issue is fixed, although the tracking information appears to be incorrect. I can bisect further if that would be useful.
