1530373 - Web Authentication - Support CTAP2 via USB HID

Status: RESOLVED FIXED

(Core :: DOM: Web Authentication, enhancement, P1)

Description

[J.C. Jones [:jcj] (he/him)]

This requires implementation in authenticator-rs:

Upstream CTAP2 Issue: https://github.com/mozilla/authenticator-rs/issues/33
Upstream Branch: https://github.com/mozilla/authenticator-rs/tree/ctap2

This work will support CTAP2 on platforms that don't restrict access to security keys:

• 2018-era Windows 10 and all earlier versions of Windows
• Linux
• FreeBSD
• MacOS (at least Mojave and earlier)

Comment 1

[Kurian Thampy]

Can you warn the user that a U2F credential is going to be created on their FIDO2 device because Firefox doesn't support CTAP2 yet?
When using a FIDO2 device, credentials created on (Firefox, macOS) work on all combinations of (Chromium , Firefox) * (macOS, Windows 10) because I assume it creates a U2F credential.
However credentials created on (Chromium, macOS * Windows 10) or (Firefox , Windows 10) do not work on (Firefox, macOS).

Comment 2

[J.C. Jones [:jcj] (he/him)]

It's a good thought, I don't know how to message that effectively. The energy there should probably be spent on the CTAP2 code, if I'm honest with myself.

Comment 3

[Kurian Thampy]

Just upgraded to macOS Catalina Beta 8 and U2F doesn't work any more in Firefox (or FIDO2 in any browser for that matter). Could the OS have blocked directly access to security keys? Will there be a platform API like Windows 10?

Comment 4

[Kurian Thampy]

Correction: U2F doesn't work any more in Firefox or Chromium on U2F-only sites like Google. WebAuthn sites still work with FIDO2 tokens in Chromium.

Comment 5

[J.C. Jones [:jcj] (he/him)]

I wasn't aware of any plans like this. Unfortunately I'm traveling and can't put together a Catalina beta box for testing.

Can you test with https://u2f.bin.coffee/ and let me know what make/model security keys you tried? We'll have to open a separate bug for that.

Comment 6

[J.C. Jones [:jcj] (he/him)]

I've filed an upstream ticket with Apple about this.

Comment 7

[J.C. Jones [:jcj] (he/him)]

I've heard a Googler check Chromium on Catalina Beta 8 with U2F tokens had reports all is okay. Haven't checked Firefox yet, but perhaps it's your computer somehow?

Comment 8

[Kurian Thampy]

(In reply to J.C. Jones [:jcj] (he/him) from comment #5)

Can you test with https://u2f.bin.coffee/ and let me know what make/model security keys you tried? We'll have to open a separate bug for that.
I used a YubiKey 5Ci. When I click "U2F Register" the pop-up appears, but nothing happens when touching the YubiKey. It doesn't even light up.

Comment 9

[Kurian Thampy]

I also used https://webauthndemo.appspot.com/ to test WebAuthn in Firefox with the same results. The YubiKey 5Ci doesn't light up. This works fine in Chromium.

Comment 10

[Kurian Thampy]

I tested https://u2f.bin.coffee/ in Chromium. When I click "U2F Register", there is no pop-up but the YubiKey 5Ci light blinks for a few seconds and shuts off. Nothing happens when I touch it.
https://webauthndemo.appspot.com/ works fine in Chromium - I am able to register my YubiKey 5Ci.

When logging into Google.com in Chromium on macOS Catalina, it says my YubiKey 5Ci has not been registered with the website, though I previously registered it in Chromium on Windows 10. If I try to add it as a new key, there is no pop-up but the light blinks and nothing happens when I touch it.

Comment 12

[0x0ptr]

Any update?

Comment 13

[Bert Van de Poel]

I must admit that it's kind of depressing that this even works with Microsoft Edge on Linux to my surprise, but not on Firefox. Could the priority of this issue and related blockers for full WebAuthn support be reconsidered? This is one of those features that people simply expect from Firefox, and when they buy a device and find out they can't use it with Firefox just feel like they're forced to use another browser (which will most probably be Chrome), and ideally we want to prevent such a thing.

Comment 14

[Erik1000]

(In reply to Bert Van de Poel from comment #13)

I must admit that it's kind of depressing that this even works with Microsoft Edge on Linux to my surprise, but not on Firefox. Could the priority of this issue and related blockers for full WebAuthn support be reconsidered? This is one of those features that people simply expect from Firefox, and when they buy a device and find out they can't use it with Firefox just feel like they're forced to use another browser (which will most probably be Chrome), and ideally we want to prevent such a thing.

Firefox uses a library called authenticator (https://github.com/mozilla/authenticator-rs/). The problem is that - at least that what it's seems like - there are no maintainers for this library. I've talked with an old maintainer (actually the one that opened this issue (see here https://github.com/mozilla/authenticator-rs/issues/33)), but he said that he is no longer at mozilla. The whole thing seems kind of broken to me. I guess there even is no one who could merge a pull request to add this feature.

Comment 15

[Bert Van de Poel]

(In reply to Erik1000 from comment #14)

(In reply to Bert Van de Poel from comment #13)

I must admit that it's kind of depressing that this even works with Microsoft Edge on Linux to my surprise, but not on Firefox. Could the priority of this issue and related blockers for full WebAuthn support be reconsidered? This is one of those features that people simply expect from Firefox, and when they buy a device and find out they can't use it with Firefox just feel like they're forced to use another browser (which will most probably be Chrome), and ideally we want to prevent such a thing.

Firefox uses a library called authenticator (https://github.com/mozilla/authenticator-rs/). The problem is that - at least that what it's seems like - there are no maintainers for this library. I've talked with an old maintainer (actually the one that opened this issue (see here https://github.com/mozilla/authenticator-rs/issues/33)), but he said that he is no longer at mozilla. The whole thing seems kind of broken to me. I guess there even is no one who could merge a pull request to add this feature.

If I'm not mistaken, people at Mozilla have worked on Rust stuff before to help the development of Firefox. Either way, someone at SUSE has very recently worked on a PR that should resolve these problems https://github.com/mozilla/authenticator-rs/pull/150 . It was previously filed as https://github.com/mozilla/authenticator-rs/pull/148 and actually did get a review. So I think there may very well be traction here.

Comment 16

[Erik1000]

(In reply to Bert Van de Poel from comment #15)

(In reply to Erik1000 from comment #14)

(In reply to Bert Van de Poel from comment #13)

I must admit that it's kind of depressing that this even works with Microsoft Edge on Linux to my surprise, but not on Firefox. Could the priority of this issue and related blockers for full WebAuthn support be reconsidered? This is one of those features that people simply expect from Firefox, and when they buy a device and find out they can't use it with Firefox just feel like they're forced to use another browser (which will most probably be Chrome), and ideally we want to prevent such a thing.

Firefox uses a library called authenticator (https://github.com/mozilla/authenticator-rs/). The problem is that - at least that what it's seems like - there are no maintainers for this library. I've talked with an old maintainer (actually the one that opened this issue (see here https://github.com/mozilla/authenticator-rs/issues/33)), but he said that he is no longer at mozilla. The whole thing seems kind of broken to me. I guess there even is no one who could merge a pull request to add this feature.

If I'm not mistaken, people at Mozilla have worked on Rust stuff before to help the development of Firefox. Either way, someone at SUSE has very recently worked on a PR that should resolve these problems https://github.com/mozilla/authenticator-rs/pull/150 . It was previously filed as https://github.com/mozilla/authenticator-rs/pull/148 and actually did get a review. So I think there may very well be traction here.

You are actually right there. Tho I'm still quite unsure. Let's hope they get this going.

Comment 17

[msirringhaus]

Attachment: Bug 1530373 - Support CTAP2 via USB HID r=rmf

Comment 19

[R. Martinho Fernandes [:rmf]]

Attachment: Bug 1530373 - Certify audits of hex 0.4.3 and serde_cbor 0.11.1

Comment 20

[jj746378]

Is there any realistic chance to get full CTAP2 support in Firefox in the foreseeable future?
Every other relevant web browser has supported this for years and yet here we are and I am about to write yet another company newsletter asking folks to use chrome for internal production services because firefox does not support this essential security feature.

Comment 21

[John Schanck [:jschanck]]

Attachment: Bug 1530373 - Certify audits of authenticator and its dependencies. r=bholley

The audit of serde_cbor 0.11.1 was performed by R. Martinho Fernandes. I've
copied his audit statement from https://phabricator.services.mozilla.com/D149897.

Comment 22

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/248d49c7b5a3

Comment 23

[John Schanck [:jschanck]]

I should have attached the certify audits to a different bug. The patch that landed is just a prerequisite for the main work in D129814.

Comment 24

[Pulsebot]

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/06c98719ac0a
Support CTAP2 via USB HID r=supply-chain-reviewers,fluent-reviewers,flod,jschanck

Comment 25

[Cristian Tuns]

Backed out for causing build bustages on cbindgen-metadata.json

• Backout link
• Push with failures
• Failure Log
• Failure line: gmake[3]: *** [backend.mk:115: config/.deps/cbindgen-metadata.json.stub] Error 101

Comment 26

[John Schanck [:jschanck]]

msirringhaus needed to rebase the patch manually. He's done that, and I've confirmed that it builds now.

Comment 27

[John Schanck [:jschanck]]

Attachment: Bug 1530373 - vendor the latest version of authenticator. r=dveditz

Comment 28

[Pulsebot]

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ca7c33dd3bd3
vendor the latest version of authenticator. r=dveditz,supply-chain-reviewers
https://hg.mozilla.org/integration/autoland/rev/41701d785f98
Support CTAP2 via USB HID r=supply-chain-reviewers,fluent-reviewers,flod,ckerschb

Comment 29

[Ryan VanderMeulen [:RyanVM]]

Are we going to want a relnote for this?

Comment 30

[John Schanck [:jschanck]]

It's pref'd for nightly only at the moment. I'll request a relnote if we change that.

Comment 31

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/ca7c33dd3bd3
https://hg.mozilla.org/mozilla-central/rev/41701d785f98