README.md: Firefox no longer needs an extension #69

Open
Sp1l opened this Issue Nov 24, 2017 · 23 comments

Sp1l commented Nov 24, 2017

As of Firefox 57, U2F support is built-in.
Some users may need to use about:config and enable security.webauth.u2f

Member

ChristophWurst commented Nov 24, 2017

Correct, I'm aware of that and even have been using it for two months without any issues. But it's still not available for everyone. As soon as it is, I'd be happy to remove the warning!

@ChristophWurst ChristophWurst added this to SELECTED in Christoph's Tasks via automation Nov 24, 2017

Hillside502 commented Nov 24, 2017

@ChristophWurst
By everyone, do you mean pre-57 users?

Member

ChristophWurst commented Nov 24, 2017

No, because they won't get an official U2F support in FF I suppose.

AFAIK U2F is included in FF57, but it's not enabled by default. It's just a beta feature. Is that correct?

Hillside502 commented Nov 24, 2017

It's not enabled by default, but why does that make it a beta feature?

Member

ChristophWurst commented Nov 24, 2017

I don't really care whether it's beta or not. As soon as it's enabled for all by default, the warning will be removed. Nothing is preventing you from using it already.

Hillside502 commented Nov 24, 2017

@ChristophWurst
I also don't care whether it's beta or not.

Of what relevance is:-

> Nothing is preventing you from using it already.

Sp1l commented Nov 24, 2017

Can imagine the reservation on the topic. It'd probably work with the extension as well (for existing users), but the clear direction of the Firefox project is to use native capability. I haven't dug into differences in the implementation between extension and built-in but as of 57 built-in should be preferred over the extension for new users.

@ChristophWurst ChristophWurst moved this from SELECTED to BACKLOG in Christoph's Tasks Nov 27, 2017

Sp1l commented Dec 15, 2017

This is now referred to in the ChangeLog of v1.5.0 😄
Perhaps we can reflect this in README.md?

With Firefox 57 and later, enable security.webauth.u2f in about:config to enjoy this feature

Note: Submitted using my Yubikey to login to GitHub 👿

Member

ChristophWurst commented Mar 28, 2018

> Perhaps we can reflect this in README.md?

Good point. Wanna fix it and submit a pull request? That would be highly appreciated!

strobeltobias commented May 15, 2018

> As soon as it's enabled for all by default, the warning will be removed. Nothing is preventing you from using it already.
> ~@ChristophWurst

With the release of Firefox 60, U2F is ~~enabled~~ available by default. (But currently it must be activated manually beforehand.)
See here: https://blog.mozilla.org/press-de/2018/01/25/wie-hardware-token-basierte-zwei-faktor-authentifizierung-mit-der-webauthn-api-funktioniert/ (German)

Member

ChristophWurst commented Jun 18, 2018

> With the release of Firefox 60, U2F is enabled by default.
> See here: https://blog.mozilla.org/press-de/2018/01/25/wie-hardware-token-basierte-zwei-faktor-authentifizierung-mit-der-webauthn-api-funktioniert/ (German)

I'm on FF60 and about:config tells me security.webauth.u2f is still set to false by default.

strobeltobias commented Jun 19, 2018

@ChristophWurst You're right! I checked it and updated my earlier comment.

Member

ChristophWurst commented Jun 20, 2018

What a bummer! Let me know when it's enabled by default so that we can finally remove that warning!

Member

ChristophWurst commented Aug 16, 2018

Still disabled by default (FF61) 😢

@ChristophWurst ChristophWurst moved this from BACKLOG to BLOCKED in Christoph's Tasks Aug 20, 2018

jknockaert commented Aug 20, 2018

As far as I understand support for the U2F standard is only partially implemented in Firefox, and probably for that reason disabled by default. Now that the new Webauthn standard is fully supported by Firefox (and enabled by default) I do not expect further development of the legacy U2F standard and it will likely remain disabled forever.
So I guess the way forward is to support Webauthn in Nextcloud, either in this app or in a separate app.

Member

ChristophWurst commented Aug 20, 2018

> So I guess the way forward is to support Webauthn in Nextcloud, either in this app or in a separate app.

The last time I checked the information about webauthn wasn't 100% clear on how the technology works and how it would be implemented in a real-world application. If you happen to know more about it, please let me know.
I will have to look into this at some point.

jknockaert commented Aug 20, 2018

I did not yet have a look into the specifics of Webauthn. I understand it is an extension of U2F (which is 2 factor only) with specifications for passwordless as well as multifactor support. So the logical development seems to be to upgrade the current U2F to Webauthn 2-factor (which should be backwards compatible with U2F hardware).
Then a new app may extend the implementation to cover the full Webauthn protocol (including passwordless etc), perhaps including a user (and admin) interface for enabling/disabling specific protocols.
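
As an added illustration of the upgrade path discussed in this thread (not part of any comment and not code from the twofactor_u2f app): a sketch that detects which API a browser exposes and maps a U2F sign request onto WebAuthn request options, using WebAuthn's `appid` extension so keys registered through U2F still match. The function names are hypothetical and the sample request is constructed; the request shape assumed is the U2F JavaScript API's `appId` / `challenge` / `registeredKeys`.

```javascript
'use strict';
// Added example; function names are hypothetical, sample values are constructed.

// U2F stores challenges and key handles as websafe base64 (base64url, unpadded).
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Decide which API the page can use, so a browser warning is shown only when needed.
function pickApi(win) {
  if (win.PublicKeyCredential && win.navigator && win.navigator.credentials) return 'webauthn';
  if (win.u2f && typeof win.u2f.sign === 'function') return 'u2f';
  return 'none';
}

// Map a U2F sign request onto WebAuthn PublicKeyCredentialRequestOptions.
function toWebAuthnRequest(u2fReq) {
  return {
    challenge: b64urlToBytes(u2fReq.challenge),
    rpId: new URL(u2fReq.appId).hostname,
    allowCredentials: u2fReq.registeredKeys.map((k) => ({
      type: 'public-key',
      id: b64urlToBytes(k.keyHandle),
    })),
    userVerification: 'discouraged', // U2F tokens only test user presence
    extensions: { appid: u2fReq.appId }, // lets keys registered via U2F match
    timeout: 60000,
  };
}

// Browser-only: request an assertion and report whether the AppID was used.
async function getAssertion(win, u2fReq) {
  const cred = await win.navigator.credentials.get({ publicKey: toWebAuthnRequest(u2fReq) });
  return { cred, usedAppId: cred.getClientExtensionResults().appid === true };
}

// Constructed sample request (not real credentials).
const SAMPLE_U2F_REQUEST = {
  appId: 'https://cloud.example.com',
  challenge: '-_8',
  registeredKeys: [{ version: 'U2F_V2', keyHandle: 'AQIDBA' }],
};
```

The server side still has to verify a WebAuthn assertion rather than a U2F sign response; when `usedAppId` is true, the `rpIdHash` in the authenticator data is the SHA-256 of the AppID, not of the RP ID.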

@ChristophWurst ChristophWurst removed this from BLOCKED in Christoph's Tasks Sep 19, 2018

ccoenen commented Oct 6, 2018

I can confirm that my YubiKey U2F from 2015 works in firefox 62. Webauthn works by default without changes to about:config. You can check that by

[image: grafik]

Source code to both demo pages is linked from the MDN article about WebAuthn, which is how I found the two working demos.

I'd happily test this with the twofactor u2f app, but NC 13 won't even let me try (tells me that Chrome was the only browser supported) and NC 14 won't let me install the app, and I currently don't have enough time to go beyond "install from app directory".

Member

ChristophWurst commented Oct 8, 2018

> I can confirm that my YubiKey U2F from 2015 works in firefox 62. Webauthn works by default without changes to about:config. You can check that by

Yes, but does this app work out of the box? We still use the u2f lib/api.

> NC 14 won't let me install the app, and I currently don't have enough time to go beyond "install from app directory".

That shouldn't be a problem, there are compatible releases: https://apps.nextcloud.com/apps/twofactor_u2f. You cannot use the latest one, though.

ccoenen commented Oct 8, 2018

I managed to install it to NC 14 now, and it currently does not work in unmodified Firefox. But as shown above it could be made to work already. Should I create a separate issue for that?

Member

ChristophWurst commented Oct 9, 2018

As soon as there is good documentation of webauthn and how developers can make use of it in their apps, I'll look into this. Last time I checked there were just a few high-level posts about the feature.

jknockaert commented Oct 9, 2018

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
(there are some links to demos and their source code at the bottom of the page)

Member

ChristophWurst commented Oct 9, 2018

Thanks!
