Open Bug 1536482 Opened 3 years ago Updated 10 days ago

Web Authentication - Support macOS Touch ID

Categories

(Core :: DOM: Web Authentication, enhancement, P2)

Unspecified
macOS
enhancement

People

(Reporter: djc, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: parity-chrome, parity-safari, Whiteboard: [mac:integration])

I read about webauthn on Windows with biometrics today. I'm on a MacBook Pro with Touch ID, so I'm jealous now. Please consider implementing for macOS.

https://github.com/github/SoftU2F lets you do this today. I agree, it'd be nicer to have it work with Firefox Sync.

Bug 1529973 is about having a soft token. Combining that with our platform-level Data-at-Rest support from Bug 1464828 gets us most of the way to what you're asking for.

This is a cool thing, but marking it P4 for now; we'll have to pick this up after CTAP2 and after making the soft token a real thing.

Depends on: 1464828, 1529973
Priority: -- → P4
Duplicate of this bug: 1565496

There are a lot of developments in the field of Web Authentication. iOS 13.3 will start supporting FIDO2 roaming keys. Chrome supports platform authenticators on all desktop environments. Yet Firefox only supports platform authenticators on Windows. Is the implementation for macOS that different from Windows? Can feature parity for Firefox on all desktop platforms be achieved anytime soon? Or should we not expect this within the year? In my opinion, Firefox supporting platform authenticators on all environments is a crucial step towards a passwordless future.

Note: This comment really should be on bug 1530370.

I'm currently hoping to work on WebAuthn implementation again in Q1 2020. I've had to take on other projects in 2019, particularly picking up maintainership of the NSS crypto library and some fun WebPKI stuff, but so far everything looks good for me to resume work bringing CTAP2 support to the other platforms in authenticator-rs [0] and do the rewrite of the Firefox-side needed to support that.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1530370
[0a] CTAP2 branch here with prototype Linux support: https://github.com/mozilla/authenticator-rs/tree/ctap2

Duplicate of this bug: 1619680

I found out last week that actually Lockwise already supports TouchID authentication for extracting your passwords (that is, I get a TouchID dialog when I tap the Copy button for a password in my Lockwise store). I'm somewhat surprised that this already works but that WebAuthn still doesn't support TouchID today.

Duplicate of this bug: 1646274

Looks like https://github.com/github/SoftU2F has been deprecated and they now recommend using Chrome or Safari :(

I'm also curious as to whether this could be made a priority. Are there any huge blockers here or is it just a matter of someone with a working build environment putting in the time?

The issue with SoftU2F iiuc is that it had to fake a USB HID device at the OS level and thus would require a significant rewrite to be compatible with Apple's new mechanism for extending such things. Apparently it's required disabling SIP for quite some time before that, which wasn't exactly that great of an idea or terribly user-friendly either.

Chrome, by adding direct support for it instead of making users mess around with fake hardware, was able to use much simpler public macOS APIs to store the private keys in the secure enclave and then does the rest itself: https://bugs.chromium.org/p/chromium/issues/detail?id=678128

Sounds like Firefox already has (or had?) a basic Soft Token implementation working already (https://bugzilla.mozilla.org/show_bug.cgi?id=1529973) — could it be polished up for end-users and extended to work with Touch ID?

This is another loose end in Firefox relating to cryptography and device attestation on the Web. The latter actually got fixed (ECDSA key storage), so it's clear there's some appetite for improving the current situation.

Allowing users to use TouchID (or FaceID) as available on any other mainstream browser would enable passwordless technology to spread further and enter the mainstream.

If this remains unavailable, then sites looking to offer this option to their users will have no other choice but to provide an alternative, more complex user experience to compensate. Or simply not offer passwordless or 2FA authentication at all.

You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

(In reply to Mahdyar Hasanpour from comment #26)

> You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

I was going to ask how, but I found it. For anyone else wondering, scroll to the top and open the "Details" view.

Duplicate of this bug: 1738005
Keywords: parity-safari
Whiteboard: [mac:integration]

Context for above: I recommend(ed) adding parity-chrome as well, since I had working touchID support with our Duo for a couple years when using Chrome macOS.

Duplicate of this bug: 1752306
Priority: P4 → P2

Thank you for upgrading the priority of this! It is important to so many people, including me!
