Closed Bug 1550625 Opened 4 months ago Closed 3 months ago

Enable FIDO U2F API for Android

Categories

(Core :: DOM: Web Authentication, enhancement, P1)

68 Branch
Unspecified
Android
enhancement

Tracking

RESOLVED INVALID
Tracking Status
firefox68 --- affected

People

(Reporter: jcj, Assigned: jcj)

Details

Attachments

(2 obsolete files)

The FIDO U2F API uses a different entry point than the FIDO2 API, but otherwise is
similar, and behaves similarly. It's almost ready to wire up, so let's wire it up.

Depends on D31636

Depends on: 1552539

Comment on attachment 9065718 [details]
Bug 1550625 - Refactor Android WebAuthn methods to use more GeckoBundles r?keeler

Revision D31636 was moved to bug 1552539. Setting attachment 9065718 [details] to obsolete.

Attachment #9065718 - Attachment is obsolete: true
Attachment #9065719 - Attachment is obsolete: true

Apparently the mechanism to do this is via the FIDO2 APIs in a fallback mode. I have not determined how that's achieved, yet.

After clarifying with Google, there's no API mechanism for Firefox to perform FIDO U2F JS API operations on Android. I'll need to disable the pref for Android so feature detection works properly.

See Also: → 1552602

Disabling in Bug 1552602.

To continue from Comment 5, the URL linked in this bug [0] provides an API for performing FIDO U2F, but has no mechanism to accept a web browser origin. Instead, origin is always set to something of the form android:apk-key-hash:<string>. This is similar to the not-privileged FIDO2 API (which we use for testing). Without being able to set the origin to an actual web origin, it's not suitable for websites generally. A website has to explicitly whitelist a given application, which wasn't meant for the general case, rather for in-house apps: https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website

Going back-and-forth with Google, they pointed out that WebAuthn has the AppIdExtension for backward compatibility with U2F sign, but there is no compatibility for the first step, register, which would make for a difficult-to-use implementation.

[0] https://developers.google.com/android/reference/com/google/android/gms/fido/u2f/api/common/RegisterRequestParams

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → INVALID
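
A relying-party origin check illustrating the last comment, as an added example that is not code from Firefox, Google, or this bug. The function names, the policy sets, and the key-hash strings are constructed, and only the `origin` field of the client data is examined (challenge and signature verification are out of scope).

```python
import json

APK_PREFIX = "android:apk-key-hash:"

# Constructed relying-party policy (assumption, not taken from the bug).
WEB_ORIGINS = {"https://login.example.com"}
# An in-house app the site has explicitly allowlisted by signing-key hash.
APK_KEY_HASHES = {"CONSTRUCTED_INHOUSE_APP_HASH"}


def check_origin(client_data_json, web_origins=WEB_ORIGINS,
                 apk_key_hashes=APK_KEY_HASHES):
    """Return 'web', 'native-app', or a 'reject: ...' reason for the origin."""
    try:
        origin = json.loads(client_data_json)["origin"]
    except (ValueError, KeyError, TypeError):
        return "reject: malformed client data"
    if not isinstance(origin, str):
        return "reject: malformed client data"
    if origin.startswith(APK_PREFIX):
        # The origin names the calling app's signing key, not a website, so
        # the decision can only be per app, never per page loaded in that app.
        if origin[len(APK_PREFIX):] in apk_key_hashes:
            return "native-app"
        return "reject: app signing key not allowlisted"
    if origin in web_origins:
        return "web"
    return "reject: unexpected web origin"


def client_data(origin):
    """Build constructed client data with only the fields this check reads."""
    return json.dumps({"challenge": "Y29uc3RydWN0ZWQ", "origin": origin})


if __name__ == "__main__":
    samples = [
        "https://login.example.com",                          # privileged browser path
        "android:apk-key-hash:CONSTRUCTED_INHOUSE_APP_HASH",  # allowlisted in-house app
        "android:apk-key-hash:CONSTRUCTED_BROWSER_HASH",      # browser via the app-only API
    ]
    for origin in samples:
        print(origin, "->", check_origin(client_data(origin)))
```

The third sample is the case the bug ran into: a browser calling the app-only API presents its own key hash for every site it loads, so an ordinary website's check rejects it.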