use new firefox api for webauthn(FIDO2) ctap2 instead old U2F (fido1)

[rdslw]

Currently, if using web access, and usb authenticator, and newest chromium (e.g. 108) you can use yubikeys configured with ONLY FIDO2 protocol. The very same key, with the same configuration (being U2F disabled, while FIDO2 enabled), will no work with firefox (tested 108), because web vault is using only U2F firefox api, hence older.

New firefox do have ctap2 protocol visible under setting security.webauthn.ctap2

Yubikey configuration:

$ ykman info                                                                                                                         ~
Device type: YubiKey 5C NFC
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications	USB     	NFC     
FIDO2       	Enabled 	Enabled (!)
OTP         	Enabled 	Enabled 	
FIDO U2F    	Disabled	Disabled (!)
OATH        	Enabled 	Enabled 	
YubiHSM Auth	Enabled 	Enabled 	
OpenPGP     	Enabled 	Enabled 	
PIV         	Enabled 	Enabled 

[rdslw]

If I understand correctly, web component is direct fork/code from bitwarden repos, and not part developed under vaultwarden. If true, this (CTAP2 in firefox) shall be implemented in web/client code by bitwarden itself and synced back into vaultwarden later.

I filled also separate bug regarding CTAP2 and bug during key enrollement there: bitwarden/clients#4409

[BlackDex]

You are correct. And it actually isn't even a fork. But more a patched version of the self hosted web-vault. Mostly css stuff, and some boolean flags changed.

[rdslw]

in such case:

1. my original issue about CTAP2 support in firefox (converted into this discussion) is purely part of bitwarden/web client, and shall wait for their implementation
2. the same with 4409 mistake during key enrollment resulting in not fully using all security mechanism offered by FIDO2