Closed Bug 1539541 Opened 5 years ago Closed 5 years ago

Enable FIDO U2F API, and permit registrations for Google Accounts

Categories

(Core :: DOM: Web Authentication, enhancement, P1)

Product:
Core
Component:
DOM: Web Authentication
Version:
68 Branch
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
relnote-firefox --- 67+
firefox67 + fixed
firefox68 --- fixed

People

(Reporter: jcj, Assigned: jcj)

References

(
URL
)

Details

(Keywords: feature)

Attachments

(1 file)

Bug 1539541 - Enable FIDO U2F API, and permit registrations for Google Accounts
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

Per the thread Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts on dev-platform [0], this bug is to:

  1. Enable the security.webauth.u2f by default, to ride the trains
  2. Remove the aOp == U2FOperation::Sign check from EvaluateAppID in WebAuthnUtil.cpp, permitting the Google override to work for Register as well as Sign.

This would enable Firefox users to use FIDO U2F API on most all sites, subject to the algorithm limitations discussed in the section ## Thorny issues in enabling our FIDO U2F API implementation ## of that post.

[0] https://groups.google.com/d/msg/mozilla.dev.platform/q5cj38hGTEA/lC834665BQAJ

Per the thread "Intent-to-Ship: Backward-Compatibility FIDO U2F support for
Google Accounts" on dev-platform [0], this bug is to:

  1. Enable the security.webauth.u2f by default, to ride the trains

  2. Remove the aOp == U2FOperation::Sign check from EvaluateAppID in
    WebAuthnUtil.cpp, permitting the Google override to work for Register as
    well as Sign.

This would enable Firefox users to use FIDO U2F API on most all sites, subject
to the algorithm limitations discussed in the section "Thorny issues in
enabling our FIDO U2F API implementation" of that post.

[0] https://groups.google.com/d/msg/mozilla.dev.platform/q5cj38hGTEA/lC834665BQAJ

[Tracking Requested - why for this release]:
I'd like this to be considered for Beta 67 uplift:

  • This is enabling an already-well-used behind-pref feature.
  • The sooner we enable the feature, the faster Google Accounts can turn this functionality on for Firefox users.

My intention is to land this in Nightly as soon as review is complete, and with luck, request uplift on Monday.

tracking-firefox67: --- → ?
relnote-firefox: --- → ?
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e27fc0c01a97
Enable FIDO U2F API, and permit registrations for Google Accounts r=keeler,qdot

https://hg.mozilla.org/mozilla-central/rev/e27fc0c01a97

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9054217 [details]
Bug 1539541 - Enable FIDO U2F API, and permit registrations for Google Accounts

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: n/a
  • User impact if declined: Delay in providing security key registration support for Google Accounts (to 68)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: (It's just a pref flip, and Google has checked it)
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): FIDO U2F API has been used by a power user audience via pref-flip since 57 without issues. The Google Accounts piece is a simple if-condition change. Since it's shipping a feature, it's probably at least a "medium" risk rather than low, but otherwise I'd be tempted to call it "low".
  • String changes made/needed: None
Attachment #9054217 - Flags: approval-mozilla-beta?

Comment on attachment 9054217 [details]
Bug 1539541 - Enable FIDO U2F API, and permit registrations for Google Accounts

Uplift approved for 67 beta 9, thanks.

Attachment #9054217 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-

Added to 67 beta release notes with this wording:
Enable FIDO U2F API, and permit registrations for Google Accounts

(We may want a more consumer-friendly wording for the final release)

relnote-firefox: ?67+

Is this something you're aiming to get into ESR 60.7? I notice it is mentioned on the ESR trello board.

Flags: needinfo?(dkeeler)

I think J.C.'s back today, so I'll ask him.

Flags: needinfo?(dkeeler)

I don't think it's important enough to uplift into 60.7, I think it's okay to wait for ESR 68.0.

Regressions: 1551282

This does not fix registration for Google Accounts in 67 Stable as google says "this browser is not supported please try in Chrome."
this needs to be fixed on their end.

Thanks. I'll remind Google. :)

Regressions: 1553436

Using the latest firefox mobile I am not able to sign-in in google using a yubikey. It seems google doesn't like firefox mobile.

Riccardo, I'm seeing the same behavior. I've reached out to the Google Accounts team over email to see what the deal is. Thanks!

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: