Open Bug 1543674 Opened 6 years ago Updated 4 months ago

Implement CTAP2 hybrid transport for platforms that use authenticator-rs (e.g. Linux)

Categories: Core :: DOM: Web Authentication, enhancement, P3
Version: Firefox 113
Status: ASSIGNED
People: Reporter: ignisvulpis, Assigned: jschanck
References: Depends on 1 open bug, Blocks 2 open bugs

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

Implement WebAuthn cloud-based BLE extension

Currently, using an Android phone as a WebAuthn authenticator is not possible with Firefox because Firefox does not implement the cloud-based WebAuthn extension, which is currently still in the W3C standardization process.

Google has implemented this extension in Chrome.

Not sure what the progress of the specification is. Asked Christiaan Brand to provide a link to the spec.

Link to spec and discussion in which @jcjones is involved: https://github.com/w3c/webauthn/pull/909

Status: UNCONFIRMED → NEW
Type: defect → enhancement
Component: Untriaged → DOM: Web Authentication
Ever confirmed: true
Product: Firefox → Core

CABLE would be cool; it's a major undertaking, though. We'll have to tackle this one after we get the rest of CTAP2/FIDO2 support in.

Severity: normal → major
OS: Unspecified → All
Priority: -- → P4
Hardware: Unspecified → All
QA Whiteboard: qa-not-actionable

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --
Assignee: nobody → jschanck
Blocks: passkeys
Status: NEW → ASSIGNED
Priority: P4 → P2
Summary: Implement WebAuthn cloud-based BLE extension → Implement CTAP2 hybrid transport
Version: 67 Branch → Firefox 113

FIDO has released a first public draft of the CTAP 2.2 specification, which includes details about the hybrid transport. https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html

On Windows, the CTAP 2.2 Hybrid protocol is being implemented as a part of the OS.

While Firefox will get the ability to sign in with passkeys located on phones, the best experience for the users will be when Firefox can integrate the new webauthn.h header and its new WEBAUTHN_CTAP_TRANSPORT_HYBRID flag as a part of Firefox's WebAuthn mappings:

https://searchfox.org/mozilla-central/source/dom/webauthn/WinWebAuthnManager.cpp#342
https://searchfox.org/mozilla-central/source/dom/webauthn/WinWebAuthnManager.cpp#570

Integration into these mappings will ensure that passkeys created through Firefox will receive the proper transport tagging when the passkey is provided to the RPs.

The updated webauthn.h header containing the new fields needed for CTAP Hybrid can be found here: https://github.com/microsoft/webauthn/blob/master/webauthn.h

You can start testing some of the integrations on the Windows Dev insider channel (currently supporting up to WEBAUTHN_API_VERSION_6, with WEBAUTHN_API_VERSION_7 features coming in the nearish future): https://blogs.windows.com/windows-insider/2023/06/22/announcing-windows-11-insider-preview-build-23486/
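As an added illustration of the mapping that this comment asks for, here is example code written for this page; it is not Firefox's WinWebAuthnManager.cpp and not Microsoft's header. It converts the OS-level transport bitmask into the WebAuthn `AuthenticatorTransport` strings an RP sees, and back, with the hybrid bit included. The constants are redefined locally so the snippet compiles without the Windows SDK; their values are taken from the public webauthn.h and should be verified against the header version actually in use.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Transport bit flags mirroring Microsoft's webauthn.h. Redefined here only so
// the example builds without the Windows SDK; values assumed from the public
// header, verify against the version you compile against.
constexpr uint32_t kTransportUsb      = 0x00000001;  // WEBAUTHN_CTAP_TRANSPORT_USB
constexpr uint32_t kTransportNfc      = 0x00000002;  // WEBAUTHN_CTAP_TRANSPORT_NFC
constexpr uint32_t kTransportBle      = 0x00000004;  // WEBAUTHN_CTAP_TRANSPORT_BLE
constexpr uint32_t kTransportTest     = 0x00000008;  // WEBAUTHN_CTAP_TRANSPORT_TEST
constexpr uint32_t kTransportInternal = 0x00000010;  // WEBAUTHN_CTAP_TRANSPORT_INTERNAL
constexpr uint32_t kTransportHybrid   = 0x00000020;  // WEBAUTHN_CTAP_TRANSPORT_HYBRID

struct TransportMapping {
  uint32_t flag;
  const char* name;  // AuthenticatorTransport value as used on the web platform
};

// One table drives both directions. The "test" bit is deliberately absent: it
// has no WebAuthn-level name and must never be reported to an RP.
static const TransportMapping kMappings[] = {
    {kTransportUsb, "usb"},
    {kTransportNfc, "nfc"},
    {kTransportBle, "ble"},
    {kTransportInternal, "internal"},
    {kTransportHybrid, "hybrid"},
};

// OS bitmask -> transport strings, e.g. for getTransports() on a credential
// created through the platform API. Bits the browser does not know are dropped,
// so a newer OS cannot surface names the browser cannot vouch for.
std::vector<std::string> TransportsFromFlags(uint32_t flags) {
  std::vector<std::string> out;
  for (const auto& m : kMappings) {
    if (flags & m.flag) out.emplace_back(m.name);
  }
  return out;
}

// RP-supplied hints (allowCredentials[].transports) -> OS bitmask. Unknown
// strings are ignored, matching the spec's requirement that clients tolerate
// transport names they do not recognise.
uint32_t FlagsFromTransports(const std::vector<std::string>& transports) {
  uint32_t flags = 0;
  for (const auto& t : transports) {
    for (const auto& m : kMappings) {
      if (t == m.name) flags |= m.flag;
    }
  }
  return flags;
}
```

Without the `hybrid` row, a passkey held on a phone would either be reported with no transport or with a stale `ble` hint, which is the tagging problem the comment describes; with it, the RP can store the hint and later steer the request straight to the hybrid flow.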

Duplicate of this bug: 1895756
Duplicate of this bug: 1913747

We support the hybrid transport on recent versions of Windows and macOS. I'm changing the title of this bug to make it clear that we still don't have support on platforms that lack an OS-level WebAuthn/CTAP2 API.

Severity: -- → N/A
Priority: P2 → P3
Summary: Implement CTAP2 hybrid transport → Implement CTAP2 hybrid transport for platforms that use authenticator-rs (e.g. Linux)
Duplicate of this bug: 1940483

Just a question about the state of this bug. Are you waiting for something from the Linux kernel team, or will you implement your own way for WebAuthn rather than an OS-level way?

I personally think that the operating system (broadly construed, not necessarily the kernel but possibly some user-space service) should be responsible for communicating with authenticators (whether that's over USB, NFC, Bluetooth, or the hybrid transport). The operating system is in the best position to provide a consistent and secure UI for all applications. So, yes, I would like it if Linux had something like Windows Hello that we could interface with.

If no one steps up to write that for Linux, then we might implement the hybrid transport ourselves. It's not currently a priority.

Umm, I don't know, but if I find the time I might work on something like this. But just to make sure that I get it right: will this be an application that Firefox will interact with to do the authentication? And how should this interaction be implemented? Like, should this be a Rust crate that you want to integrate into authenticator-rs, or should this be a shared object that Firefox will dynamically link to? Or what do you think?

There are already two projects that together try to get a "Windows Hello"-like system-level feature on Linux, implemented as an XDG portal:
https://github.com/AlfioEmanueleFresta/xdg-credentials-portal
https://github.com/iinuwa/linux-webauthn-platform-api

Despite the name (which will most likely change soon), the first project tries to only provide the library for all FIDO operations, and the second one is planned to be a consumer of that and implement a frontend.

Both are still very much work in progress, but this seems currently to be the best bet.

Depends on: 1983767