Hacker News new | past | comments | ask | show | jobs | submit login

I'm glad that they have released support for the Web Authentication API. Hopefully I won't need to use Chrome for websites I choose to be more secure with.

Although, with a quick look it seems like I still can't use U2F with Google on Firefox.




Me neither (FastMail and Gmail). sigh

But just yesterday people tried to "educate" me that it works with 60 and for 59 I had to toggle an about:config switch.

It's great that they support the proper web standard. It would be useful if all those web sites supported it. This is a long-known issue, and nobody cares about non-Chrome browsers.


I’m probably the one that will implement the Web Authentication API for FastMail and Topicbox, though it’s a some way down my list of things to do at present. I looked into it a couple of months back (I would have liked us to get it out before browsers enabled it by default), but documentation was very scarce, and so it wasn’t particularly clear what we’d need to do to migrate from u2f.js to webauthn (especially while still supporting both), and then other things came up. Since then, https://www.imperialviolet.org/2018/03/27/webauthn.html has been written, which will help, but it’d still be nice to have a concise “here’s what to do, backend and frontend, to migrate from u2f.js to webauthn” guide. If no one has by the time we support webauthn, I’ll probably write such a guide.

For now, it’s not as high a priority as it could be, because the functionality it provides is already available in Chrome (for that matter, I don’t believe Chrome’s webauthn implementation hits stable until the next release), Firefox can get it by enabling security.webauth.u2f which is good enough as a short-term measure when it’s always been required in the past anyway, and Edge doesn’t have many users (and few of them currently do 2FA). It’s pragmatism, sadly.


Alas, I'm completely unable to get the soft token to work (after enabling it in config:about). It even fail on https://u2f.bin.coffee/ which seems to claim it should work.

It's a usability trade off; I have a physical key, but I'm asked to authenticate 20+ times a day which make it a pain on my port-limited MacBook Pro.


It's also good because this version will be supported in FF ESR for enterprise for another 11 months or so.


I believe that Google specifically will only work with Chrome. I just tried with FF 61 with Yubikey and still doesn't work.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: