Open Bug 1530370 (webauthn-ctap2) Opened 3 years ago Updated 11 days ago

[meta] Support CTAP2 (FIDO2) Passwordless Web Authentication

Categories

(Core :: DOM: Web Authentication, enhancement, P3)

66 Branch
enhancement

Tracking

Webcompat Priority revisit

People

(Reporter: jcj, Unassigned)

References

(Depends on 3 open bugs, Blocks 2 open bugs)

Details

(Keywords: meta, Whiteboard: [webauthn])

Web Authentication is specified for the second-factor-only CTAP 1.1 protocol and a passwordless-supporting CTAP 2.0 protocol. This meta-bug tracks support for CTAP 2 and passwordless support.

Depends on: 1508115
Depends on: 1530373
Depends on: 1391438
Alias: webauthn-ctap2
Priority: -- → P1
Duplicate of this bug: 1535730

Given that the live.com site only supports passwordless login via CTAP2, and this metabug has been marked as a P1 for the last 7 months, could we get an update? It's unclear what the status is for authenticator-rs to support CTAP2, and that's the only dependency I'm seeing (which is curiously marked as a P3 for this P1 metabug).

Webcompat Priority: --- → ?

I'm busy elsewhere at present; I keep hoping I'll have some free time to work on WebAuthn soonish, but there's nothing definitive planned. Realistically, I have to rework the UX before I can really integrate the CTAP2 branch of authenticator-rs properly (since I need to do things like solicit PINs) and what passes for a WebAuthn UX today is currently broken anyway (Bug 1573190, Bug 1540309, Bug 1579927). So I need to learn how to do UX design as a practical prereq, which makes it harder to just casually work on.

Priority: P1 → P3

Thanks for the update, here's hoping we can get some assistance for you on the UX end.

Webcompat Priority: ? → revisit

Regarding your comment on https://bugzilla.mozilla.org/show_bug.cgi?id=1536482#c4, did you find the time?

Can I help to triage or groom anything?

I got Bug 1616675 handled, but not quite yet, still working on diffs for CRLite, among other things. I also have PRs to write for the WebAuthn spec that have to happen before the fun stuff...

Thanks for the response, and great to see you working on this. If I can help with the WebAuthn spec PRs, give a shout. (feedback, proofreading, writing out use cases, etc.)

Duplicate of this bug: 1619850

Any update on this? We are using FIDO MDS to verify attestations and only get a useless fido-u2f type attestation statement (no aaguids included) with Firefox on Linux. This works fine in Chrome. I believe it's related to this issue. The situation forces us to put a disclaimer on our service: "Do not use Firefox for FIDO2 token registrations". It makes me sad since Firefox has always been my favourite browser. Hope this will move forward.
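
The missing AAGUID described in the comment above can be checked on the relying-party side. The following is an added example, not part of the original thread and not Firefox or authenticator-rs code: it parses WebAuthn authenticator data and reports whether it carries an AAGUID usable for a metadata lookup. The function names and sample bytes are constructed for illustration, and `fmt` is assumed to come from an already CBOR-decoded attestationObject.

```javascript
// Added example. authData layout (WebAuthn):
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40;

function parseAuthData(authData) {
  const buf = Buffer.from(authData);
  if (buf.length < 37) throw new Error("authData shorter than 37 bytes");
  const flags = buf[32];
  const out = {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
    aaguid: null,
    credentialId: null,
  };
  if (flags & FLAG_AT) {
    // Attested credential data is only present when the AT flag is set.
    if (buf.length < 55) throw new Error("attested credential data truncated");
    const idLen = buf.readUInt16BE(53);
    if (buf.length < 55 + idLen) throw new Error("credential ID truncated");
    out.aaguid = buf.subarray(37, 53).toString("hex");
    out.credentialId = buf.subarray(55, 55 + idLen).toString("hex");
  }
  return out;
}

// Hypothetical relying-party helper: fmt is the "fmt" member of the
// attestationObject after CBOR decoding (decoding itself is not shown).
function aaguidForMetadataLookup(fmt, authData) {
  const { aaguid } = parseAuthData(authData);
  if (aaguid === null) return { ok: false, reason: "no attested credential data" };
  if (/^0+$/.test(aaguid)) return { ok: false, reason: `${fmt}: AAGUID is all zeros` };
  const uuid = aaguid.replace(/^(.{8})(.{4})(.{4})(.{4})(.{12})$/, "$1-$2-$3-$4-$5");
  return { ok: true, aaguid: uuid };
}

// Constructed sample input: placeholder rpIdHash, credential ID and key bytes.
function sampleAuthData(flags, aaguidHex) {
  const credId = Buffer.from("c0ffee", "hex");
  const idLen = Buffer.alloc(2);
  idLen.writeUInt16BE(credId.length);
  return Buffer.concat([Buffer.alloc(32, 0xaa), Buffer.from([flags]),
    Buffer.from([0, 0, 0, 5]), Buffer.from(aaguidHex, "hex"), idLen, credId,
    Buffer.from("a0", "hex")]); // 0xa0 = empty CBOR map standing in for the COSE key
}

const u2fStyle = sampleAuthData(FLAG_UP | FLAG_AT, "00".repeat(16));
const ctap2Style = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_AT, "0123456789abcdef0123456789abcdef");
console.log(aaguidForMetadataLookup("fido-u2f", u2fStyle));
console.log(aaguidForMetadataLookup("packed", ctap2Style));
```

When a U2F (CTAP1) authenticator is used through the WebAuthn API, the client fills the AAGUID field with 16 zero bytes, which is the first case the helper rejects.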

Agree, any update? This makes Firefox useless on MacOS and Linux. How come Windows works?
Also, isn't this related/same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530373 ?

(In reply to 0x0ptr from comment #10)

> Agree, any update? This makes Firefox useless on MacOS and Linux. How come Windows works?

Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.

> Also, isn't this related/same as https://bugzilla.mozilla.org/show_bug.cgi?id=1530373 ?

This is a meta bug and bug 1530373 is one of the dependencies.

Blocks: webauthn

(In reply to Neha Kochar [:neha] from comment #11)

> Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.

I appreciate the work that you guys do for free and I understand that resources are tight. Is there some way we could provide some financial support to address this specific issue?

How can Firefox claim to be all about Privacy, Security and Speed when it doesn't support the greatest improvement we have ever had to all of those things when it comes to logins? I expected Firefox to be the very first to get this working, not the last.

Again, I do really appreciate what the developers do but I really think that this issue deserves to be a top priority and I'm sure there are plenty of people who would be willing to fund it.

(In reply to paul from comment #12)

> (In reply to Neha Kochar [:neha] from comment #11)
>
> > Sorry for the delay in getting this finished. We don't currently have anyone available to work on this. We will prioritize this as soon as we can. Windows works because of the work in Bug 1508115.
>
> I appreciate the work that you guys do for free and I understand that resources are tight. Is there some way we could provide some financial support to address this specific issue?
>
> How can Firefox claim to be all about Privacy, Security and Speed when it doesn't support the greatest improvement we have ever had to all of those things when it comes to logins? I expected Firefox to be the very first to get this working, not the last.
>
> Again, I do really appreciate what the developers do but I really think that this issue deserves to be a top priority and I'm sure there are plenty of people who would be willing to fund it.

Currently someone from SUSE has been working on authenticator-rs. They really want to see WebAuthn added to Firefox and have been working for weeks on CTAP2 support now. You can check out https://github.com/mozilla/authenticator-rs/pull/150, https://github.com/mozilla/authenticator-rs/pull/154, and their own development branch on https://github.com/msirringhaus/authenticator-rs/tree/ctap2-cont

Of course, work would be much lighter if it wasn't a single person doing all the work!

Maybe this gives you some idea of the progress of things right now :)

Duplicate of this bug: 1719806
Duplicate of this bug: 1695380
Depends on: 1711427
Depends on: 1694336