prefiks / u2f4moz

U2F support extension for Firefox
GNU Lesser General Public License v2.1

firefox 57 + #59

Open NodokaMurmevent opened 7 years ago

NodokaMurmevent commented 7 years ago

Hello, do you have any plans to make your addon work as a WebExtension? With Firefox 57 your addon will stop working.

prefiks commented 7 years ago

There is a big chance that Firefox will have native support for U2F soon, so I don't want to spend much time rewriting that extension.

Essjayess commented 7 years ago

This addon also broke in Firefox Developer Edition 56.0b2.

yfdyh000 commented 7 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

bunnybooboo commented 7 years ago

There are several sweating pretty hard on this rn: https://bugzilla.mozilla.org/show_bug.cgi?id=1380270 (P2) https://bugzilla.mozilla.org/show_bug.cgi?id=1388843 (P1) https://bugzilla.mozilla.org/show_bug.cgi?id=1388851 (P1)

NodokaMurmevent commented 7 years ago

On Nightly 57 we can find the U2F parameters by typing in the address bar:

about:config

and searching for u2f. You can enable the U2F login, but it's broken when I wrote this.

bunnybooboo commented 7 years ago

it's also in 55 @NodokaMurmevent

Check this tool https://u2f.bin.coffee/

prefiks commented 7 years ago

So I did a preliminary conversion to WebExtension (it's here: https://github.com/prefiks/u2f4moz/tree/webextension/webextension), but to make it work it will require installing an external program (this is the only method that would allow communicating with the physical device). It is not a 100% conversion yet; it can't handle cases where it needs to fetch external facets, but that theoretically could be added (I am missing access to https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/url#getTLD(url) to make it work).

jcjones commented 7 years ago

Hi, all - I'm one of the folks building U2F support natively into Firefox. It looks like it won't make it in for 57, I'm afraid, but we'll almost certainly make it into Firefox 58.

If you're on Windows or OSX, I actually have some partially-working unstable builds available with U2F support. There's a problem using it on some sites - like Github - that I'm still tracking down. (EDIT: Found the bug, and added tests to u2f.bin.coffee, now just gotta fix it.)

This bug 1245527 will hook our U2F code up into our USB HID code, which is in a large set of patches that are further away from review. The actual hardware interaction code is this rust library, u2f-hid-rs which is landing in bug 1388843.

Unfortunately, getting this kind of hardware interaction into Gecko has required a lot more work than the way addons worked. :) But it does open up all the more advanced browser-interaction parts of web authentication.

NodokaMurmevent commented 7 years ago

Thanks for the information, I will continue to use Nightly for a little while, it seems.

jcjones commented 7 years ago

@prefiks: How common are external facets, by the way? Firefox Bug 1244959 is about adding support for them, but I don't know where they're used in the wild. Any pointers you can give me here or on there would be helpful!

prefiks commented 7 years ago

There is this: https://github.com/prefiks/u2f4moz/issues/55, but except for that I have never seen one in the wild.

NodokaMurmevent commented 7 years ago

Official integration works in Firefox 58. I have just enabled it in about:config, and I log in on my Nextcloud without any problem.

security.webauth.u2f        true
security.webauth.webauthn        true
security.webauth.webauthn_enable_softtoken        true
security.webauth.webauthn_enable_usbtoken        true

jcjones commented 7 years ago

Indeed, @NodokaMurmevent: Experimental support landed in Firefox 57 ("Firefox Quantum"), where this extension (unfortunately) stops working.

Tweet: https://twitter.com/jamespugjones/status/912314952232267777

There is no external FacetID support in the experimental code in Firefox, so this isn't a solution for Facebook and probably won't work for Google Accounts either, but it's intended as a stop-gap for W3C Web Authentication.

I suppose it might be good to point people to how to flip on the internal support though maybe in the u2f4moz README?
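What the "external facets" mentioned in this comment and in prefiks's earlier one involve, as an added example that is not part of the thread and not code from u2f4moz or Firefox: the FIDO AppID and facet check, reduced to web origins. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, `fetchFacetList` is a hypothetical callback, and the sample list is constructed.

```javascript
// Constructed stand-in for the Public Suffix List (what getTLD(url) consulted).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a host; null if unknown, so callers fail closed.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Constructed sample of the JSON document an AppID URL would serve.
const SAMPLE_FACET_LIST = {
  trustedFacets: [{
    version: { major: 1, minor: 0 },
    ids: ["https://login.example.com", "https://unrelated.org",
          "android:apk-key-hash:constructed-placeholder"],
  }],
};

// May `origin` use `appId`? `fetchFacetList` is a hypothetical callback that
// returns the parsed JSON document served at the AppID URL.
function isFacetAllowed(origin, appId, fetchFacetList) {
  let app, caller;
  try { app = new URL(appId); caller = new URL(origin); } catch (e) { return false; }
  if (app.protocol !== "https:" || caller.protocol !== "https:") return false;
  if (app.origin === caller.origin) return true; // same-origin AppID: nothing to fetch
  const appDomain = registrableDomain(app.hostname);
  if (appDomain === null) return false;
  const list = fetchFacetList(appId) || {};
  const entry = (list.trustedFacets || []).find(
    (e) => e.version && e.version.major === 1 && e.version.minor === 0);
  if (!entry || !Array.isArray(entry.ids)) return false;
  return entry.ids.some((id) => {
    let facet;
    try { facet = new URL(id); } catch (e) { return false; }
    // A listed facet counts only if it is HTTPS and shares the AppID's eTLD+1;
    // the calling origin must be exactly one of those facets.
    return facet.protocol === "https:" &&
      registrableDomain(facet.hostname) === appDomain &&
      facet.origin === caller.origin;
  });
}
```

The eTLD+1 comparison is why a Public Suffix List lookup is needed: without it, an entry such as `https://unrelated.org` in the list could not be told apart from a legitimate sibling origin.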

offlinehoster commented 6 years ago

Firefox 57 is now available and U2F is not working. Any updates for the awesome u2f4moz project? ;)

offlinehoster commented 6 years ago

Sorry for the noise!

U2F is working after you activate this option inside Firefox. For me the following setting is working: "security.webauth.u2f true"

fbender commented 6 years ago

Yeah, this is intentionally off by default, because the API is a horrible mess and is going to burn in the fires of Mordor sooner than later. Mozilla was forced to implement this badly specified API as a stopgap after Google's move to implement it. There's another API in the works that will be the long-term and cross-Browser solution and will replace the existing API, at which point the old (this) API will be removed from all browsers.

TL;DR: You have to enable the hidden setting for the meantime if you want to use U2F, but the API will be replaced by a better solution some time soon(TM).

phillipberndt commented 6 years ago

Just wanted to leave some feedback: Your code from the experimental webextension branch works flawlessly on FF 57.0.1 / Ubuntu 16.04 / Yubikey Nano. Thanks a lot for porting it 👍

Ulrar commented 6 years ago

So is there any chance to have U2F working with Google in FF >= 57 ? Since that extension doesn't work anymore, and apparently FF's implementation isn't complete, I'm guessing not ?

phw commented 6 years ago

> So is there any chance to have U2F working with Google in FF >= 57 ? Since that extension doesn't work anymore, and apparently FF's implementation isn't complete, I'm guessing not ?

Today I discovered that U2F actually works for me in Firefox 57.0.4 after enabling security.webauth.u2f in about:config. Also security.webauth.webauthn_enable_usbtoken needs to be true, but that's actually the default now. I could register my key and authenticate with it on all services I tested.

I know this did not work for me with the initial 57 release, so there likely have been some fixes. @Ulrar, I would suggest you just test if this works for you now.

Ulrar commented 6 years ago

U2F works fine in 57, just not with Google. It's known, apparently Firefox doesn't implement part of the API, and unfortunately Google uses the missing part.

offlinehoster commented 6 years ago

After I got Firefox 59.0.1 it just stopped working for Google services.

Something went wrong. Remove your Security Key and try again

Any Ideas?

ghost commented 6 years ago

Using 59.0.2 - same results as offlinehoster when trying to use google. "security.webauth.u2f" is activated.

Perflyst commented 6 years ago

Since the release of Firefox 60 u2f is now fully supported.

See https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-to-business-and-its-personal/ https://blog.mozilla.org/press-de/2018/01/25/wie-hardware-token-basierte-zwei-faktor-authentifizierung-mit-der-webauthn-api-funktioniert/

davidstrauss commented 6 years ago

> Since the release of Firefox 60 u2f is now fully supported.

This is not correct. Firefox 60 continues to ship with U2F disabled by default, which I wouldn't consider "fully supported" even if it supported Google's login system (which it still does not).

Firefox 60 defaults to enabling WebAuthn, not U2F. This is a newer generation of FIDO token.

jcjones commented 6 years ago

However, one good piece of news is Firefox 60 shipped with hardcoded support for Google Accounts, and I am aware that the Accounts team is working to make it function with Firefox's U2F support. Also, Thunderbird 60 is shipping with U2F enabled by default, also for Google Accounts' Advanced Protection Program.

Ulrar commented 6 years ago

I was about to comment on this, I just finished compiling FF 60 and indeed it does not work. But I suppose it's just a matter of time then, great news ! :)

seefood commented 6 years ago

I don't know what Google are doing different/wrong, but Github U2F logins are working as expected and Google is still broken in FF60. Also, Github allows you to enter TOTP in that same screen, Google needs two more clicks to get there. What I see is that Google are using enough API to detect that U2F is available in the browser and offer you to use it, but it quickly fails, while the Github login page pops up a notice ("A page is requesting access to your security token/finger scanner" etc).

Donno if it's Google's fault or FF60 not implementing the full standard Chrome does, but either way a solution has to be around the corner...

jcjones commented 6 years ago

For U2F tokens that are already registered, Google Accounts will work with Firefox 60 and later pretty soon. (I just helped test it last week using Firefox 60 and a specially-whitelisted account). You won't be able to register new U2F tokens via Firefox, however, since we deliberately chose to limit the scope of the hardcoded override to sign operations for safety's sake. But that decision will also be short-lived pain, since Google Accounts should have WebAuthn support shortly after Chrome ships it, which is coming up in the next two weeks or so.

jcjones commented 6 years ago

This appears to have rolled out. All of my Google Accounts which have U2F tokens registered seem to let me use my U2F token with Firefox 60+.

Ulrar commented 6 years ago

If I'm not mistaken that version of chrome is out, any ideas when we'll be able to add new tokens from firefox ?

davidstrauss commented 6 years ago

> If I'm not mistaken that version of chrome is out, any ideas when we'll be able to add new tokens from firefox ?

There is no intention to support enrolling new U2F tokens for Google accounts in Firefox. You should use another browser (like Chrome) if you need to do that. You can now use Firefox with the accounts after the enrollment, though.

The future is WebAuthN, which should eventually be fully supported for Google accounts in Firefox, including enrollment. Google Chrome just shipped WebAuthN support, so I suspect "eventually" will be "soon." The U2F support here is a stopgap to support existing tokens.

Ulrar commented 6 years ago

That was my question, I understand firefox is never going to add the missing bits of U2F. I'm just waiting, like most people here I assume, for some way to use U2F tokens with firefox, the how doesn't really matter (at least to me) so if that's through WebAuthN, great.

I understand we're waiting for google to add it, but since jcjones seemed to have infos about it earlier I was just wondering if there were any news on that.

davidstrauss commented 6 years ago

> I'm just waiting, like most people here I assume, for some way to use U2F tokens with firefox

Once you've enabled security.webauth.u2f in about:config, U2F works fine almost everywhere, including for enrollment. The exception is for Google accounts; to enroll a U2F token for a Google account, use Chrome. You can use Firefox afterward.

> the how doesn't really matter (at least to me) so if that's through WebAuthN, great.

WebAuthN is a different, newer specification. Firefox fully supports it, but the rest of the rollout depends on website owners/operators like Google. This issue isn't a good place to get more information on that.

jcjones commented 6 years ago

@Ulrar: I'm afraid for all my general WebAuthn/Mozilla info, I'm also in-the-dark as to when exactly Google Accounts will have WebAuthn support. We're both hoping 'soon' together. :)