
FIDO U2F not currently planned #358

Closed
amnesia opened this Issue Feb 18, 2016 · 14 comments

amnesia commented Feb 18, 2016

As you've probably guessed from the title, I have a question regarding the FIDO U2F standard.

Link: https://dev.windows.com/en-us/microsoft-edge/platform/status/fido20webapis?filter=f3f0000bf&search=fido

Here's what's bothering me: "The implementation in Microsoft Edge is focused on enabling Microsoft Passport with a PIN or Windows Hello to securely authenticate to Microsoft properties and third-party web sites."

Does that mean that my FIDO U2F Yubikey isn't going to work? I've been using my FIDO key for a few months now and it's amazing. I'm sorry if this isn't the right place for my question, but I would love to switch from Chrome to Edge in the near future. Sadly, if you guys don't add the support for FIDO U2F keys, I won't be able to make the switch.

Cheers

matthiasg commented Mar 14, 2016

Ha .. I just came here to also comment on this. We will implement this with an additional text field to pop up, but of course it's not really nice and not as secure as if the browser did this directly. For now we will continue using Chrome for security-sensitive customers (which are most of them).

Contributor

jacobrossi commented Mar 14, 2016

Support for U2F devices is something that we will continue to evaluate, but it is not planned for the immediate future. The long term goal for FIDO is to eliminate the need for passwords altogether and to encourage stronger credentials. U2F was an early proposal which helped shape the FIDO draft, but it still relies on the user supplying a (potentially weak) password as a part of their authentication. We will encourage hardware and security partners to embrace the full FIDO standard as the long term solution.

@jacobrossi jacobrossi closed this Mar 14, 2016

mikecmpbll commented Aug 26, 2016

So many enterprise-grade web applications use U2F now as the only two-factor option they'll offer, for its enhanced security against phishing attacks. This is a real blow to Edge not to want to support this, and far from encouraging stronger authentication models it will mean software will be strong-armed into continuing to support less secure two-factor paradigms like (T)OTP.

I'd be interested to hear more detail about what the proposed alternative to the "early proposal" of U2F is. The FIDO Alliance has two specifications from what I can tell from their website, U2F and UAF?

Contributor

jacobrossi commented Aug 26, 2016

@mikecmpbll things have evolved here a bit since my last comment. The FIDO 2.0 spec evolved into the Web Auth spec. This is still a relatively new standard that's still evolving. So our initial experimental implementation uses a single authenticator -- Windows Hello (supports TPM PIN or biometric sensors as second factor). However, as the spec and our implementation mature, we intend to support additional authenticators, including those such as smart cards, phone, Bluetooth devices, and USB keys.

The browser APIs involved here are relatively simple and just expose the underlying authenticators available on the system. This approach makes it more versatile to support a variety of security levels and user experiences through a single set of APIs. While I'm certainly not a crypto expert, my understanding is that the expectation of the Working Group and our engineers implementing this is that these APIs will eventually support the scenarios and devices covered by U2F and also offer authentication mechanisms that are superior in security to U2F.

Contributor

adrianba commented Aug 29, 2016

The browser APIs involved here are relatively simple and just expose the underlying authenticators available on the system. This approach makes it more versatile to support a variety of security levels and user experiences through a single set of APIs. While I'm certainly not a crypto expert, my understanding is that the expectation of the Working Group and our engineers implementing this is that these APIs will eventually support the scenarios and devices covered by U2F and also offer authentication mechanisms that are superior in security to U2F.

Specifically, the Web Authentication API provides a superset of the U2F capabilities. It can handle the same scenarios as U2F to do two factor authentication after a password but it can also enable password-less scenarios using an authentication device. You can read more about this in our blog post describing the Windows Hello integration. You can write a Web Authentication polyfill for the 2FA scenarios using U2F in the underlying implementation. I think someone is working on this. This would allow implementations to use the modern API where available and to fall back to U2F where that is available.
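One way to realise the "modern API where available, U2F where that is available" approach adrianba describes, as an added example that is neither Edge's code nor the polyfill mentioned in the thread. The injected `env` object, the assumed shapes of `env.credentials` (like `navigator.credentials`) and `env.u2f` (like the legacy u2f-api.js object with `sign(appId, challenge, registeredKeys, callback, timeoutSeconds)`), and the option names are assumptions made here:

```javascript
// Added example (not Edge's code, nor the polyfill mentioned above): WebAuthn
// first, legacy U2F JS API as fallback. The environment is injected so this
// runs outside a browser; env.credentials is assumed to behave like
// navigator.credentials, env.u2f like the legacy u2f-api.js object.

function toBase64Url(bytes) {            // legacy U2F API wants websafe-base64
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);   // btoa: browsers, Node 16+
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function detectAuthApi(env) {
  if (env.credentials && typeof env.credentials.get === 'function') return 'webauthn';
  if (env.u2f && typeof env.u2f.sign === 'function') return 'u2f';
  return 'none';
}

function buildWebAuthnRequest({ rpId, challenge, keyHandles, timeoutMs = 30000 }) {
  return { publicKey: {
    rpId, challenge, timeout: timeoutMs,
    allowCredentials: keyHandles.map(id => ({ type: 'public-key', id })),
    userVerification: 'discouraged',   // 2FA after a password: presence is enough
  } };
}

function buildU2fRequest({ appId, challenge, keyHandles }) {
  return { appId, challenge: toBase64Url(challenge),
    registeredKeys: keyHandles.map(h => ({ version: 'U2F_V2', keyHandle: toBase64Url(h) })) };
}

async function signWithFallback(env, opts) {
  const api = detectAuthApi(env);
  if (api === 'webauthn') {
    const cred = await env.credentials.get(buildWebAuthnRequest(opts));
    return { api, credentialId: cred.id, response: cred.response };
  }
  if (api === 'u2f') {
    const req = buildU2fRequest(opts);
    return new Promise((resolve, reject) => {
      env.u2f.sign(req.appId, req.challenge, req.registeredKeys, resp => {
        // The legacy API signals failure with a non-zero errorCode (0 = OK).
        if (resp.errorCode) reject(new Error('U2F sign failed: ' + resp.errorCode));
        else resolve({ api, keyHandle: resp.keyHandle, response: resp });
      }, Math.ceil((opts.timeoutMs || 30000) / 1000));
    });
  }
  // Neither API present: the site must offer a different second factor.
  throw new Error('no WebAuthn or U2F API available');
}
```

The server-side verification of the returned assertion or U2F signature is unchanged by the fallback and is not shown here.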

mikecmpbll commented Aug 30, 2016

@adrianba @jacobrossi thank you both for the detailed explanations! I'll do some further research into the Web Authentication API

darconeous commented May 4, 2017

U2F was an early proposal

It is a fully fledged, deployed, and experience-tested standard that has been adopted by Google, Facebook, GitHub, Dropbox, etc... It is not an "early proposal".

which helped shape the FIDO draft, but it still relies on the user supplying a (potentially weak) password as a part of their authentication.

That's a feature, not a bug. With a U2F token, the user can use a much weaker password (like a PIN) while still remaining much more secure than they would be otherwise.

There is nothing preventing people from implementing biometrics into U2F keys (in fact, they already exist). There is also nothing preventing a U2F token from being implemented in hardware on a computer (perhaps as a part of the keyboard).

I'm convinced that the people who advocate skipping U2F and waiting for UAF are missing the point entirely. The technologies are complementary: they are not substitutes for each other or replacements for each other. Additionally, UAF is nowhere near deployment, and likely never will be.

Skipping U2F is a disservice to your users.

amnesia commented May 5, 2017

Instead of implementing the "basic" U2F as fast as possible, 14 months have passed (since my original post) and we still have nothing. Typical Microsoft.

darconeous commented May 5, 2017

Reading more into this, it seems like the Web Authentication API provides a standardized API for the use of U2F tokens (among other things). Microsoft has apparently committed to implementing this API in Edge. What Microsoft has not committed to doing is adding support for U2F tokens to be used with this API (once implemented) on Edge browsers.

So the protocol might support U2F, but if Edge only supports TPM authenticators then it's no good.

It seems obvious to me that you would want to support an external authentication token—something you can put in a safe deposit box or hide in your home in case you lose access to your machines. U2F works great for that.

Brianetta commented May 12, 2017

U2F is part of my daily life. I use it to authenticate myself to several services, including social networks and some private systems. My choice of browser is predicated on U2F support. Needless to say, I'm not currently using a Microsoft browser.

AllieUhde commented Aug 25, 2017

Just another 'me too' - I rely on FIDO U2F and this is one of the deal-breakers keeping me from moving to Microsoft Edge.

denisenkom commented Jan 24, 2018

I am using U2F to login to GitHub, please add support.

molant commented Jan 24, 2018

The right place to request features is Microsoft's Edge uservoice

@MicrosoftEdge MicrosoftEdge locked as resolved and limited conversation to collaborators Jan 24, 2018

alrra commented Jan 24, 2018

I am using U2F to login to GitHub, please add support.

The right place to request features is Microsoft's Edge uservoice

@denisenkom See: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/6830216-u2f-support-2-factor.
