Open Bug 1550164 Opened 7 years ago Updated 3 days ago

Web Authentication - Support Opting-in to Direct Attestations on Android

Categories

(Firefox for Android :: WebAuthn, enhancement, P3)

Unspecified
Android
enhancement

Tracking

()

People

(Reporter: jcj, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome)

We don't have a UI mechanism on Android presently to present a prompt like Bug 1430150, which means we don't support permitting the user to anonymize the attestations. We should find some mechanism to support that, even if it's a preference as a temporary measure.

Type: defect → enhancement
See Also: → 1551229

Update: In Bug 1551229 we chose to always assume anonymity, declining to provide Direct Attestation ability to users. So this would be to present a UI to solicit whether to permit Direct Attestations. Desktop has such a UI already.

Summary: Web Authentication - Support Attestation Anonymity on Android → Web Authentication - Support Opting-in to Direct Attestations on Android

This is something we can do Android Components/Fenix if we can figure out the UX of how we want this to work. Similar to the other permission prompts, I imagine?

(In reply to Jonathan Almeida [:jonalmeida] from comment #2)

This is something we can do Android Components/Fenix if we can figure out the UX of how we want this to work. Similar to the other permission prompts, I imagine?

Permissions have moved to be internal to GeckoView, so maybe we can better handle this from there?

Component: DOM: Web Authentication → General
Product: Core → GeckoView
Severity: normal → S3
Duplicate of this bug: 1807264
Component: General → WebAuthn
Product: GeckoView → Fenix
Version: 68 Branch → unspecified

Tasks and enhancements should have severity N/A.

Severity: S3 → N/A

Hi, I work in a company that provides an e-id product using webauthn, but because of regulatory requirements we require a direct attestation upon credential creation, meaning we will error for our glorious Fenix users, and have to ask them politely to install Chrome instead. As an life-long Firefox supporter this pains me to have to do. The product has over 20% adoption in Norway, and this is likely to keep increasing. Please consider re-prioritizing supporting direct attestations.

I'm not sure why this is labeled as an "enhancement" when the missing implementation in question (for the self-imposed privacy requirement) effectively breaks the webauthn spec by not providing the aaguid for direct attestations. I understand wanting to provide the best privacy for users, but meanwhile I'm over here having to explain to our Fenix users that they have to install Chrome Android, which I'd argue is a net negative in terms of privacy.

Imo., all the while Fenix breaks the spec due to the missing UI implementation, this is a bug and I've created a PR with mdn/browser-compat-data to reflect the current state of things, linking back here.

Ref. my previous post, we're now reached >60% adoption in Norway and FIDO2 credentials are becoming more and more common, meaning there will be more and more sites where users will have to change away from Fenix it to work for them.

Blocks: 1954760
Blocks: 1954787
You need to log in before you can comment on or make changes to this bug.