Closed Bug 1844449 Opened 2 years ago Closed 3 months ago

Support WebAuthn credProtect extension

Tracking

()

Status:

RESOLVED FIXED

Milestone:

139 Branch

Tracking Flags:

Tracking

Status

firefox139

---

fixed

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete)

Attachments

(1 file)

Bug 1844449 - support the WebAuthn credProtect extension. r=keeler 3 months ago John Schanck [:jschanck] 48 bytes, text/x-phabricator-request		Details \| Review

John Schanck [:jschanck]

Assignee

Description

•

2 years ago

See: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-credProtect-extension

Auth0

Comment 1

•

6 months ago

The credProtect extension is URGENTLY needed to help address the security issues outlined in Yubico's Security Advisory YSA-2024-03. That advisory details a vulnerability in Infineon's cryptographic library used in all Yubico devices prior to firmware 5.7.0 along with other security keys with leverage Infineon's cryptographic library.

The credProtect extension would allow web applications to set a protection policy for credentials stored on Yubico devices, such as requiring user verification before allowing the credential to be used. This would help mitigate the potential risks from the vulnerability described in YSA-2024-03.

Please prioritize implementation of the credProtect extension to give web applications this important security control. It is a critical feature needed to fully protect users in light of the Infineon security advisory.

Flags: needinfo?(jschanck)

John Schanck [:jschanck]

Assignee

Updated

•

3 months ago

Assignee: nobody → jschanck

Severity: -- → N/A

Status: NEW → ASSIGNED

Flags: needinfo?(jschanck)

Priority: P3 → P2

John Schanck [:jschanck]

Assignee

Comment 2

•

3 months ago

Attached file Bug 1844449 - support the WebAuthn credProtect extension. r=keeler — Details

Phabricator Automation

Updated

•

3 months ago

Attachment #9479232 - Attachment description: WIP: Bug 1844449 - support the WebAuthn credProtect extension. r=keeler → Bug 1844449 - support the WebAuthn credProtect extension. r=keeler

Tom Schuster (MoCo)

Updated

•

3 months ago

Keywords: dev-doc-needed

Pulsebot

Comment 3

•

3 months ago

Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bd14f4819fcf support the WebAuthn credProtect extension. r=keeler,webidl,saschanaz

Iulian Moraru

Comment 4

•

3 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/bd14f4819fcf

Status: ASSIGNED → RESOLVED

Closed: 3 months ago

status-firefox139: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 139 Branch

Camelia Badau [:cbadau], Desktop Test Engineering

Updated

•

2 months ago

QA Whiteboard: [qa-triage-done-c140/b139]

Hamish Willee

Comment 5

•

2 months ago

FF139 MDN docs work for this done as part of https://github.com/mdn/content/issues/39302

Keywords: dev-doc-needed → dev-doc-complete

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Support WebAuthn credProtect extension

Categories

(Core :: DOM: Web Authentication, enhancement, P2)

Tracking

()

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Comment 5

Attachment

General

Description

File Name

Content Type