Closed Bug 1481890 Opened 6 years ago Closed 5 years ago

[webauthn] Allow to create public key without hardware device

Categories

(Core :: DOM: Web Authentication, enhancement, P3)

61 Branch
enhancement

RESOLVED DUPLICATE of bug 1529973

People

(Reporter: mozila2017, Unassigned)

Details

(Keywords: feature)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20180626223325

Steps to reproduce:

Just open browser and try to use webauthn without any u2f.

https://webauthn.bin.coffee/


Actual results:

It fails without u2f hardware device.


Expected results:

If there is no hardware token, Firefox should just save a public key in its internal store, as it used to do for the keygen tag.

As you can read on 

https://github.com/w3c/webauthn/issues/1027

webauthn is NOT a replacement for client certification without hardware in the background. Because the keygen tag (#1315460) will soon be removed, it would be good to have a solution without any hardware device in the background as soon as possible, so users can switch to it and will not be left without any solution.

Otherwise users need to buy hardware to be able to use webauthn; a hardware-free implementation is missing.
Summary: webauthn: Allow to create public key without hardware device → [webauthn] Allow to create public key without hardware device
Okay, this problem is really three problems:

1. security.webauth.webauthn_enable_softtoken is not enabled (true) by default, so a user without a hardware device cannot use webauthn at all.

2. If security.webauth.webauthn_enable_softtoken is enabled (true) but security.webauth.webauthn_enable_usbtoken is also enabled, then there is again no possibility for the user to use webauthn if he has no hardware token.

3. If security.webauth.webauthn_enable_softtoken is enabled and security.webauth.webauthn_enable_usbtoken is not, then there is no visible interaction showing that a key has been generated and attached to the browser.

If I were to try to fix this issue on my own, are there any suggestions I should take into account?
> security.webauth.webauthn_enable_softtoken
> there is no visible interaction that a key has been generated and attached to the browser.

Hopefully it will be integrated into Firefox Lockbox and with necessary dialogs, so trackers can't make use of it.
Component: Untriaged → DOM: Device Interfaces
Keywords: feature
Product: Firefox → Core
While technically it's totally feasible to implement U2F (except for attestation) in software, losing the soft token is a big problem, and it's hard to explain to the user that if they lose their Firefox profile, they'll lose the ability to log into some sites. It's easier to explain that losing your hardware token is a big deal and you need to enroll two and store the other off-site.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
I would assume the opposite; losing my Firefox profile currently means losing my password cache and cookies. The same happens if I use incognito mode, so the user already knows the dependency.

On the other hand, with hardware tokens, the fact that I can log in on a completely different computer with my hardware device is new to users and will be hard to get into their brains.

By the way: most of our customers just do not want this feature; they want to ensure which PC can access a website, not which user or which (mobile) hardware he owns.
Component: DOM: Device Interfaces → DOM: Web Authentication

This is a good idea, and one which we've discussed for a while. I almost bid this as a Google Summer of Code project, but schedules are going to be tough this summer. I've opened a bug summarizing what I think we'd want to make the soft token a real thing, and I'm going to dupe this bug on that one.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

@jcj: You removed the blocking of bug #1315460 by closing bug #1529973 !

... I mean by closing bug #1481890

@Markus - There is nothing related between bug #1315460 and Web Authentication. I don't believe I affected anything.
