Open Bug 1536482 Opened 4 years ago Updated 5 days ago

Web Authentication - Support macOS Touch ID

Categories: Core :: DOM: Web Authentication, enhancement, P2
Platform: Unspecified, macOS; enhancement
Tracking: Webcompat Priority P2
People: Reporter: djc, Unassigned
References: Depends on 1 open bug
Details: Keywords: parity-chrome, parity-safari; Whiteboard: [mac:integration]

I read about webauthn on Windows with biometrics today. I'm on a MacBook Pro with Touch ID, so I'm jealous now. Please consider implementing for macOS.

https://github.com/github/SoftU2F lets you do this today. I agree, it'd be nicer to have it work with Firefox Sync.

Bug 1529973 is about having a soft token. Combining that with our platform-level Data-at-Rest support from Bug 1464828 gets us most of the way to what you're asking for.

This is a cool thing, but marking it P4 for now; we'll have to pick this up after CTAP2 and after making the soft token a real thing.

Depends on: 1464828, 1529973
Priority: -- → P4

There are a lot of developments in the field of Web Authentication. iOS 13.3 will start supporting FIDO2 roaming keys. Chrome supports platform authenticators on all desktop environments. Yet Firefox only supports platform authenticators on Windows. Is the implementation for macOS that different from Windows? Can feature parity for Firefox on all desktop platforms be achieved anytime soon? Or should we not expect this within the year? In my opinion, Firefox supporting platform authenticators on all environments is a crucial step towards a passwordless future.

Note: This comment really should be on bug 1530370.

I'm currently hoping to work on WebAuthn implementation again in Q1 2020. I've had to take on other projects in 2019, particularly picking up maintainership of the NSS crypto library and some fun WebPKI stuff, but so far everything looks good for me to resume work bringing CTAP2 support to the other platforms in authenticator-rs [0] and do the rewrite of the Firefox-side needed to support that.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1530370
[0a] CTAP2 branch here with prototype Linux support: https://github.com/mozilla/authenticator-rs/tree/ctap2

I found out last week that actually Lockwise already supports TouchID authentication for extracting your passwords (that is, I get a TouchID dialog when I tap the Copy button for a password in my Lockwise store). I'm somewhat surprised that this already works but that WebAuthn still doesn't support TouchID today.

Looks like https://github.com/github/SoftU2F has been deprecated and they now recommend using Chrome or Safari :(

I'm also curious as to whether this could be made a priority. Are there any huge blockers here, or is it just a matter of someone with a working build environment putting in the time?

The issue with SoftU2F, IIUC, is that it had to fake a USB HID device at the OS level and thus would require a significant rewrite to be compatible with Apple's new mechanism for extending such things. Apparently it required disabling SIP for quite some time before that, which wasn't exactly that great of an idea or terribly user-friendly either.

Chrome, by adding direct support for it instead of making users mess around with fake hardware, was able to use much simpler public macOS APIs to store the private keys in the Secure Enclave and then does the rest itself: https://bugs.chromium.org/p/chromium/issues/detail?id=678128

Sounds like Firefox already has (or had?) a basic Soft Token implementation working (https://bugzilla.mozilla.org/show_bug.cgi?id=1529973) — could it be polished up for end-users and extended to work with Touch ID?

This is another loose end in Firefox relating to cryptography and device attestation on the Web. The latter actually got fixed (ECDSA key storage), so it's clear there's some appetite for improving the current situation.

Allowing users to use TouchID (or FaceID) as available on any other mainstream browser would enable passwordless technology to spread further and enter the mainstream.

If this remains unavailable, then sites looking to offer this option to their users will have no other choice but to provide an alternative, more complex user experience to compensate. Or simply not offer passwordless or 2FA authentication at all.
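The site-side situation this comment describes (offer Touch ID or another platform authenticator where the browser exposes one, fall back to a roaming security key where it does not, and have the server check what the authenticator actually did) as an added example. This is illustrative code written for this page, not code from Firefox, Chrome, SoftU2F or anyone in the thread. The function names, the rp/user values and the constructed authenticator-data bytes are assumptions; `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` and `navigator.credentials.create()` are the standard WebAuthn browser APIs.

```javascript
// Added example for this page (not code from the bug thread, Firefox or Chrome):
// a relying party that requests a platform authenticator (Touch ID, Windows Hello)
// when the browser exposes one, falls back to a roaming security key otherwise,
// and then checks the authenticator's own UV flag instead of trusting the client.
// All names below are illustrative; rp/user values are constructed sample data.

// Pick the attachment to request from whether a user-verifying platform
// authenticator (UVPA) is available. Where a browser reports false (as Firefox
// on macOS does at the time of this thread), the site offers a roaming key.
function chooseRegistrationFlow(uvpaAvailable) {
  return uvpaAvailable ? "platform" : "cross-platform";
}

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// challenge and userId are raw bytes the server generated (assumed inputs).
function buildCreationOptions({ rpId, rpName, userId, userName, challenge, attachment }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // COSE ES256
      { type: "public-key", alg: -257 }, // COSE RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      // Biometric platform authenticators verify the user; for a roaming key
      // only require presence so keys without PIN/biometrics still register.
      userVerification: attachment === "platform" ? "required" : "preferred",
      residentKey: "preferred",
    },
    timeout: 60000,
    attestation: "none",
  };
}

// Server-side check on the authenticator data in the response: byte 32 holds
// the flags; bit 0 = user present (UP), bit 2 = user verified (UV). A request
// for "required" UV is only a hint to the client, so the server must verify it.
function authDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return { userPresent: (flags & 0x01) !== 0, userVerified: (flags & 0x04) !== 0 };
}

function acceptRegistration(authData, requestedUv) {
  const { userPresent, userVerified } = authDataFlags(authData);
  if (!userPresent) return false;
  if (requestedUv === "required" && !userVerified) return false;
  return true;
}

// Browser-only part; guarded so the pure functions above also run under Node.
async function registerWithBestAuthenticator(serverOpts) {
  let uvpa = false;
  if (typeof PublicKeyCredential !== "undefined" &&
      typeof PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    uvpa = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  const attachment = chooseRegistrationFlow(uvpa);
  const publicKey = buildCreationOptions({ ...serverOpts, attachment });
  const credential = await navigator.credentials.create({ publicKey });
  return { attachment, credential };
}

// Constructed sample authenticator data: 32-byte rpIdHash, flags byte, 4-byte counter.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

The browser decides which authenticators it exposes, so `registerWithBestAuthenticator` degrades to a roaming key in a browser without platform-authenticator support; `acceptRegistration` is the half a site must not skip, since the `userVerification` option is a request and only the flags byte records whether a biometric or PIN check really happened.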

You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

(In reply to Mahdyar Hasanpour from comment #26)

> You can also use the vote button, it's probably a better way to let the folks at Mozilla know about this:

I was going to ask how, but I found it. For anyone else wondering, scroll to the top and open the "Details" view.

Keywords: parity-safari
Whiteboard: [mac:integration]

Context for above: I recommend(ed) adding parity-chrome as well, since I had working Touch ID support with our Duo for a couple of years when using Chrome on macOS.

Priority: P4 → P2

Thank you for upgrading the priority of this! It is important to so many people, including me!

Yes, for sure! I wanted to use Touch ID from my MacBook, but it wasn't possible. With everything getting 2FA, I know this will be a really useful feature!

SoftU2F was previously proposed as a workaround, but it seems to no longer work due to macOS's many security changes in recent years. Does anyone currently have a workaround, or does no such alternative exist?

Also, is there any way the community can help implement this? If I knew how to, I would be happy to do so myself. However, for now, I am left feeling both a bit helpless and a bit hopeless. I wonder why this important feature – which has existed in both Safari and Chrome for years – has been paid such little attention by Mozilla, an organization supposedly committed to advancing privacy & security on the web.

I appreciate that Mozilla bumped the priority of this issue. Is there any hint of a timeline? Given the current threat environment (e.g. groups targeting Okta and weak MFA - https://blog.group-ib.com/0ktapus), this functionality is critical.

WebAuthn-based MFA is critical for the security of modern logins, especially to critical and highly privileged systems like SSO providers. The ability to easily deploy this at scale is dependent on utilizing hardware-backed MFA. While external hardware-backed security keys are probably the best option, the ability to use the onboard biometric security of a user's computer makes deployment and use far easier for average users. Firefox is behind the curve on this and that's disappointing. Setup of Okta to use device-based biometric hardware tokens is incredibly easy in Chromium-based browsers, e.g. https://mattslifebytes.com/2022/09/21/using-unbreakable-okta-mfa/. I'm glad to see the priority bump on this, but that also was almost half a year ago, and the ticket as a whole has been open for the last 4 years, yet still no activity publicly.

Severity: normal → S3
Webcompat Priority: --- → ?
Webcompat Priority: ? → P2