Bug 143491 - [WebAuthN] Implement FIDO U2F extension
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 181943
Reported: 2015-04-07 11:39 PDT by ryan
Modified: 2018-10-29 11:09 PDT

Attachments
U2F request flow diagram. (12.70 KB, image/png)
2016-05-19 11:49 PDT, Alice Bevan-McGregor

Description ryan 2015-04-07 11:39:36 PDT
The FIDO Universal Second Factor (U2F) protocol is an open specification that was recently finalized.  The FINAL spec can be downloaded here: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009.zip
Comment 1 Alice Bevan-McGregor 2016-05-19 11:49:02 PDT
Created attachment 279408
U2F request flow diagram.

U2F is beginning to see more widespread deployment, with GitHub being one notable example site that utilizes it.  Currently, Chrome integrates support, but lower-level integration in WebKit would broadly increase the potential user base.

There exists a cross-platform (Windows, Linux, Mac OS X) C reference implementation, https://developers.yubico.com/libu2f-host/, supported by a manufacturer (Yubico) of U2F-compliant tokens. They also provide a test server for interactive experimentation (https://demo.yubico.com/u2f), reference server integration implementation, and cURL-able test endpoints.

This client (device host) reference implementation depends on: pkg-config, JSON-C, and HIDAPI for USB communication.

I very strongly desire U2F support both for my own site use and for token-secured access to GitHub.
Comment 2 Yusuke Suzuki 2017-02-16 21:23:32 PST
What is the difference from the Web Authentication[1,2]?

[1]: https://github.com/w3c/webauthn
[2]: https://w3c.github.io/webauthn/
Comment 3 Jiewen Tan 2018-01-22 13:28:13 PST
(In reply to Yusuke Suzuki from comment #2)
> What is the difference from the Web Authentication[1,2]?
> 
> [1]: https://github.com/w3c/webauthn
> [2]: https://w3c.github.io/webauthn/

WebAuthN is effectively FIDO 2.0. See Bug 181943 for a status update regarding WebAuthN.
Comment 4 john+webkit 2018-05-26 12:28:37 PDT
Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this ticket is probably still valid on its own.
Comment 5 David Waite 2018-10-29 00:20:48 PDT
FWIW, Edge has no intention to support U2F and only supports WebAuthn.

The U2F JavaScript API unfortunately doesn't fully document how to get access to the objects needed to use the MessagePort and u2f interface API.

U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices.

There is an extension for WebAuthn to work with existing U2F registrations (such as those created via another browser, or the Safari App Extension) with the new API, so that users can still authenticate when a site upgrades from using the U2F to WebAuthn JavaScript interfaces.
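
The extension mentioned in comment 5 is WebAuthn's `appid` extension. The following is an added example, not code from this thread or from WebKit: a relying-party sketch in Node.js showing the request options that carry the old U2F AppID and the matching `rpIdHash` check on the assertion. `RP_ID`, `U2F_APP_ID` and the sample authenticator data are constructed placeholders; signature and counter verification are out of scope here.

```javascript
// Added example, relying-party side (Node.js). All values are constructed.
const { createHash, timingSafeEqual } = require('crypto');

const RP_ID = 'example.com';                              // WebAuthn RP ID (placeholder)
const U2F_APP_ID = 'https://example.com/u2f-app-id.json'; // AppID of old U2F registrations (placeholder)

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Options for navigator.credentials.get(); credentialIds holds the key
// handles stored when the tokens were registered through the U2F API.
function buildRequestOptions(challenge, credentialIds) {
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
    extensions: { appid: U2F_APP_ID },
  };
}

// authData: authenticatorData bytes (rpIdHash[32] | flags[1] | signCount[4] ...).
// appidUsed: the boolean from credential.getClientExtensionResults().appid.
function checkRpIdHash(authData, appidUsed) {
  if (authData.length < 37) return { ok: false, reason: 'authenticatorData too short' };
  // When the client reports appid=true, rpIdHash is SHA-256(AppID), not SHA-256(RP ID).
  const expected = sha256(appidUsed ? U2F_APP_ID : RP_ID);
  if (!timingSafeEqual(authData.subarray(0, 32), expected)) {
    return { ok: false, reason: 'rpIdHash mismatch' };
  }
  if ((authData[32] & 0x01) === 0) return { ok: false, reason: 'user presence flag not set' };
  return { ok: true, reason: appidUsed ? 'legacy U2F credential' : 'WebAuthn credential' };
}

// Constructed authenticatorData for the demo: hash | flags | signCount = 5.
function sampleAuthData(hashedValue, flags = 0x01) {
  return Buffer.concat([sha256(hashedValue), Buffer.from([flags, 0, 0, 0, 5])]);
}

console.log(checkRpIdHash(sampleAuthData(U2F_APP_ID), true));  // legacy token, extension used
console.log(checkRpIdHash(sampleAuthData(U2F_APP_ID), false)); // hash does not match the RP ID
console.log(checkRpIdHash(sampleAuthData(RP_ID), false));      // credential created via WebAuthn
```

The client-reported `appid` flag only selects which of the two server-configured values the hash is compared against, so a false report fails the comparison rather than widening what is accepted.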
Comment 6 Jiewen Tan 2018-10-29 11:06:14 PDT
(In reply to john+webkit from comment #4)
> Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this
> ticket is probably still valid on its own.

WebAuthN will support CTAP1/U2F devices.
Comment 7 Jiewen Tan 2018-10-29 11:08:50 PDT
(In reply to David Waite from comment #5)
> FWIW, Edge has no intention to support U2F and only supports WebAuthn.
> 
> The U2F JavaScript API unfortunately doesn't fully document how to get
> access to the objects needed to use the MessagePort and u2f interface API.
> 
> U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices.
> 
> There is an extension for WebAuthn to work with existing U2F registrations
> (such as those created via another browser, or the Safari App Extension)
> with the new API, so that users can still authenticate when a site upgrades
> from using the U2F to WebAuthn JavaScript interfaces.

Same as WebKit. I will leave this bug alone and re-scope it as [WebAuthN] Implement FIDO U2F extension.