Open Bug 1536482 Opened 5 years ago Updated 3 days ago

Web Authentication - Support macOS Touch ID

Categories

(Core :: DOM: Web Authentication, enhancement, P2)

Unspecified
macOS
enhancement

ASSIGNED
Webcompat Priority P2

People

(Reporter: djc, Assigned: jschanck)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: parity-chrome, parity-safari, Whiteboard: [mac:integration])

I read about webauthn on Windows with biometrics today. I'm on a MacBook Pro with Touch ID, so I'm jealous now. Please consider implementing for macOS.

https://github.com/github/SoftU2F lets you do this today. I agree, it'd be nicer to have it work with Firefox Sync.

Bug 1529973 is about having a soft token. Combining that with our platform-level Data-at-Rest support from Bug 1464828 gets us most of the way to what you're asking for.

This is a cool thing, but marking it P4 for now; we'll have to pick this up after CTAP2 and after making the soft token a real thing.

Depends on: 1464828, 1529973
Priority: -- → P4

There are a lot of developments in the field of Web Authentication. iOS 13.3 will start supporting FIDO2 roaming keys. Chrome supports platform authenticators on all desktop environments. Yet Firefox only supports platform authenticators on Windows. Is the implementation for macOS that different from Windows? Can feature parity for Firefox on all desktop platforms be achieved anytime soon? Or should we not expect this within the year? In my opinion, Firefox supporting platform authenticators on all environments is a crucial step towards a passwordless future.

Note: This comment really should be on bug 1530370.

I'm currently hoping to work on WebAuthn implementation again in Q1 2020. I've had to take on other projects in 2019, particularly picking up maintainership of the NSS crypto library and some fun WebPKI stuff, but so far everything looks good for me to resume work bringing CTAP2 support to the other platforms in authenticator-rs [0] and do the rewrite of the Firefox-side needed to support that.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1530370
[0a] CTAP2 branch here with prototype Linux support: https://github.com/mozilla/authenticator-rs/tree/ctap2

I found out last week that actually Lockwise already supports TouchID authentication for extracting your passwords (that is, I get a TouchID dialog when I tap the Copy button for a password in my Lockwise store). I'm somewhat surprised that this already works but that WebAuthn still doesn't support TouchID today.

More and more companies are introducing 2FA. It now works with Chrome, which supports Touch ID on Macs, but is still not available in Firefox.

I'd like to echo blackswanny's comment. This was the very reason why, after being a happy Firefox user since forever, I switched to Chrome a few months ago. (This morning I had a lucidity moment and came back to my beloved Firefox.) When working at a company using 2FA, having the slickest sign-in experience seems a very valid motivation to choose one browser over another. SoftU2F would not be valid from a security perspective for most companies deploying 2FA. I currently compensate by using a Yubikey, which seems very awkward when you have a built-in device integrated directly on your laptop.

Looks like https://github.com/github/SoftU2F has been deprecated and they now recommend using Chrome or Safari :(

If this feature is not implemented, Firefox may lose all corporate clients, which with Covid may be a big number. More and more use 2FA with tokens, keys and Touch ID.

This is currently listed as a P4 priority, what would it take to change that priority? I note that https://bugzilla.mozilla.org/show_bug.cgi?id=1530370 is listed as P3. Maybe there's someone else who could work on this? I've been watching this ticket for over a year, really disappointed that we can't make progress.

I'm also curious as to whether this could be made a priority. Are there any huge blockers here or is it just a matter of someone with a working build environment from putting in the time?

The issue with SoftU2F, IIUC, is that it had to fake a USB HID device at the OS level and thus would require a significant rewrite to be compatible with Apple's new mechanism for extending such things. Apparently it required disabling SIP for quite some time before that, which wasn't exactly that great of an idea or terribly user-friendly either.

Chrome, by adding direct support for it instead of making users mess around with fake hardware, was able to use much simpler public macOS APIs to store the private keys in the secure enclave and then does the rest itself: https://bugs.chromium.org/p/chromium/issues/detail?id=678128 Sounds like Firefox already has (or had?) a basic Soft Token implementation working already (https://bugzilla.mozilla.org/show_bug.cgi?id=1529973) — could it be polished up for end-users and extended to work with Touch ID?

At least from a user perspective, Firefox not supporting Touch ID is breaking the macOS UX on a MacBook. It's super convenient to use Touch ID to unlock the system, but also whenever admin access is required (even Terminal and sudo support Touch ID).
Also it would be great to automatically use Touch ID as the default Master Password.

Chrome supports this. I had to go back to YubiKeys when I switched to Firefox. I miss just touching the keyboard to auth.

FWIW I tried to switch back from Chrome to Firefox today and instantly had to give up when I realized this wasn't supported.

+1; this feature would really help me, as my university requires 2FA. On my iPhone, Face ID now works to replace our current standard method of 2FA (Duo Push/SMS), and I so wish that I could use Touch ID on my Mac.

When signing into Cloudflare, it would be nice to have TouchID supported; right now I'm asked to enter in a security key, which I don't have any. I'll still use Firefox since Cloudflare thankfully supports other 2FA methods.

+1 disappointed that Touch ID doesn't work just on Firefox. I'm required to use one at work and the only thing more annoying than carrying a USB thing around is using another browser. :(

This is another loose end in Firefox relating to cryptography and device attestation on the Web. The latter actually got fixed (ECDSA key storage), so it's clear there's some appetite for improving the current situation.

Allowing users to use TouchID (or FaceID) as available on any other mainstream browser would enable passwordless technology to spread further and enter the mainstream.

If this remains unavailable, then sites looking to offer this option to their users will have no other choice but to provide an alternative, more complex user experience to compensate. Or simply not offer passwordless or 2FA authentication at all.

I can only support the previous comments.
Chromium has had this feature since early 2019.
From a developer's point of view, it's really a drawback, now that the major tools (Github, Cloudflare, AWS...) have U2F support.

+1

I'm baffled that Firefox product management has not picked this up and prioritised it for three years?
Security is (or soon was?) one of the major Firefox differentiators compared to other browsers, and if I were the product manager, anything that simplifies and promotes its use would be P1.
I see all dependent enhancements to make this happen have been downprioritised?
I would urge the triage responsible and the team to raise this issue and put it in the roadmap ASAP!

I am also here because I can't believe Firefox is missing such a fundamental functionality, and want to contribute my voice to those calling for its implementation. Please prioritize this!

You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

(In reply to Mahdyar Hasanpour from comment #26)
> You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

I was going to ask how, but I found it. For anyone else wondering, scroll to the top and open the "Details" view.

Keywords: parity-safari
Whiteboard: [mac:integration]

Context for above: I recommend(ed) adding parity-chrome as well, since I had working touchID support with our Duo for a couple years when using Chrome macOS.

That would be really awesome. I don't understand why it's not in place yet when all the competitors are doing it.

That would be a huge time saver!

We can't use macOS + Firefox in our company. Please fix this bug.

Firefox is the last standing independent browser against Chrome/WebKit.
This feature is heavily used in the corporate segment and by developers. If it is not implemented, that's enough for me to switch back to Chrome, because the inconvenience is too huge to sacrifice for the benefits of Firefox.

Adding my voice to what everyone else has said. As someone responsible for infra and security at a major tech company, we're migrating away from replayable 2FA and to systems like Webauthn. Full support of platform authenticators is table stakes for a modern browser -- the fact that this issue is outstanding after 3 years reflects poorly on Mozilla's commitment to security.

(In reply to BlastFromPast from comment #34)
> Adding my voice to what everyone else has said. As someone responsible for infra and security at a major tech company, we're migrating away from replayable 2FA and to systems like Webauthn. Full support of platform authenticators is table stakes for a modern browser -- the fact that this issue is outstanding after 3 years reflects poorly on Mozilla's commitment to security.

Agreed. For a company that is supposed to value privacy, I thought security went hand-in-hand and assumed it would be valued as well.
I would be happy to help out and write the code myself if I just knew how... I wish this could be prioritized and I'm not sure how it is still so low of a priority for Mozilla after 3 years.

I'm astounded that Firefox hasn't addressed this yet. SAML-based 2FA has become ubiquitous in the corporate world. This deprives us of a biometric 2FA option on enterprise Macs. I've upvoted, but most people just shrug and change products when something like this doesn't work. It's terrible friction to have when trying to get companies to switch from Chrome.

Priority: P4 → P2

Thank you for upgrading the priority of this! It is important to so many people, including me!

Without this feature I'm not able to use Firefox at work because I am not able to authenticate biometrically. I would love to be able to use Firefox again because I find it hard to live or work without the Tree Style Tabs plugin. Big high fives to the developer who figures this out!

Yes for sure! I wanted to use touch id from my MacBook, but it wasn't possible. With everything getting 2FA, I know this will be a really useful feature!

SoftU2F was previously proposed as a workaround, but it seems to no longer work due to macOS's many security changes in recent years. Does anyone currently have a workaround, or does no such alternative exist?

Also, is there any way the community can help implement this? If I knew how to, I would be happy to do so myself. However, for now, I am left feeling both a bit helpless and a bit hopeless. I wonder why this important feature – which has existed in both Safari and Chrome for years – has been paid such little attention by Mozilla, an organization supposedly committed to advancing privacy & security on the web.

I appreciate that Mozilla bumped the priority of this issue. Is there any hint of a timeline? Given the current threat environment (e.g. groups targeting Okta and weak MFA - https://blog.group-ib.com/0ktapus), this functionality is critical.

WebAuthn-based MFA is critical for the security of modern logins, especially to critical and highly privileged systems like SSO providers. The ability to easily deploy this at scale is dependent on utilizing hardware-backed MFA. While external hardware-backed security keys are probably the best option, the ability to use the onboard biometric security of a user's computer makes deployment and use far easier for average users. Firefox is behind the curve on this and that's disappointing. Setup of Okta to use device-based biometric hardware tokens is incredibly easy in Chromium-based browsers, e.g. https://mattslifebytes.com/2022/09/21/using-unbreakable-okta-mfa/. I'm glad to see the priority bump on this, but that was almost half a year ago, and the ticket as a whole has been open for the last 4 years, yet still no activity publicly.

Severity: normal → S3
Webcompat Priority: --- → ?
Webcompat Priority: ? → P2

It seems on some SSO login sites, administrators can set them up to require biometric login. That is the case for Twingate VPN for me. The problem is that I can no longer even use Firefox to login to those sites. Even worse, the popup that Firefox shows doesn't even indicate that biometric isn't supported and leaves the user guessing what the problem is. bug 1646274 is a good example of my user experience. The work around of using SoftU2F isn't feasible either since that project seems to have halted development three years ago.
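The two relying-party problems raised in this thread (a site that hard-requires a platform authenticator becomes unusable in a browser without one, and the user gets a generic security-key prompt that never explains why) can be handled on the site side by probing for a user-verifying platform authenticator before calling `navigator.credentials.create()`. The example below is added here and is not Firefox, Mozilla or SoftU2F code; the relying party `example.com`, the user `alice`, the fixed challenge bytes and the `requireBiometric` policy flag are all constructed for illustration (a real challenge comes from the server). It builds standard WebAuthn `PublicKeyCredentialCreationOptions`: when the platform authenticator is available it pins `authenticatorAttachment: "platform"` with `userVerification: "required"` (Touch ID); when it is not, it either falls back to any authenticator so a roaming key still works, or, if site policy truly requires biometrics, returns `null` so the page can say so instead of prompting for a key.

```javascript
// Added example (not Mozilla's or any project's code): choose WebAuthn
// registration options based on platform-authenticator availability.
// Hypothetical relying party "example.com"; challenge bytes are constructed.

const ES256 = -7;   // COSE algorithm: ECDSA with P-256 and SHA-256
const RS256 = -257; // COSE algorithm: RSASSA-PKCS1-v1_5 with SHA-256

// Pure decision function so it can be exercised outside a browser.
// platformAvailable: result of isUserVerifyingPlatformAuthenticatorAvailable().
// requireBiometric: site policy (assumed flag) that only a platform
// authenticator with user verification is acceptable.
function selectAuthenticator(platformAvailable, requireBiometric) {
  if (platformAvailable) {
    // Touch ID / Windows Hello path: built-in authenticator, UV mandatory.
    return {
      authenticatorAttachment: "platform",
      userVerification: "required",
      residentKey: "preferred",
    };
  }
  if (requireBiometric) {
    // Policy demands platform biometrics but this browser cannot provide
    // them; signal that so the page can explain rather than prompt for a key.
    return null;
  }
  // Fallback: any authenticator (e.g. a roaming key such as a YubiKey),
  // user verification preferred but not mandatory.
  return { userVerification: "preferred", residentKey: "preferred" };
}

// Build the argument for navigator.credentials.create().
function buildCreationOptions({
  rpId, rpName, userId, userName, challenge,
  platformAvailable, requireBiometric = false,
}) {
  const selection = selectAuthenticator(platformAvailable, requireBiometric);
  if (selection === null) return null;
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge, // Uint8Array from the server; never reuse across ceremonies
      pubKeyCredParams: [
        { type: "public-key", alg: ES256 },
        { type: "public-key", alg: RS256 },
      ],
      authenticatorSelection: selection,
      timeout: 60000,
      attestation: "none", // no attestation needed for a plain second factor
    },
  };
}

// Browser probe. Outside a browser (no PublicKeyCredential) it reports false,
// which is also what a browser without a platform authenticator reports.
async function probePlatformAuthenticator() {
  const pkc = globalThis.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Full registration flow as a page would run it (needs a browser).
async function registerCredential(challenge, requireBiometric) {
  const platformAvailable = await probePlatformAuthenticator();
  const opts = buildCreationOptions({
    rpId: "example.com", rpName: "Example", // assumed relying party
    userId: new TextEncoder().encode("user-1234"), userName: "alice",
    challenge, platformAvailable, requireBiometric,
  });
  if (opts === null) {
    throw new Error("This site requires a built-in biometric authenticator, which this browser does not provide.");
  }
  return navigator.credentials.create(opts);
}

// Constructed challenge for a stand-alone demonstration (not random; a real
// server issues 32+ random bytes per ceremony).
const demoChallenge = Uint8Array.from({ length: 32 }, (_, i) => i);
const demoOptions = buildCreationOptions({
  rpId: "example.com", rpName: "Example",
  userId: Uint8Array.from([1, 2, 3, 4]), userName: "alice",
  challenge: demoChallenge, platformAvailable: false,
});
console.log("fallback selection:", demoOptions.publicKey.authenticatorSelection);
```

In the fallback branch the options deliberately omit `authenticatorAttachment`, so a roaming key still satisfies the ceremony; the `null` branch is where a page should render an explicit "biometric authenticator not available in this browser" message instead of the generic prompt described above.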

Hi everyone - it's great to see such interest in this feature. However, bugzilla is where we track our implementation work. It's not a place to discuss features and ask why they haven't shipped yet. We are working on WebAuthn (you can follow other bugs in this component), and we will update this bug when we make progress.

Assignee: nobody → jschanck
Status: NEW → ASSIGNED
No longer depends on: 1529973
Depends on: 1821785
Blocks: 1886712