Hacker News

It looks like Firefox might be finally taking this seriously -- I've been tracking the open item for Touch ID support, which is also lacking, and they upgraded the priority a few days ago.

https://bugzilla.mozilla.org/show_bug.cgi?id=1536482




Oh wow, I was literally just looking at that ticket a few days ago when I was trying to figure out if there was a way to get Firefox to use Touch ID. I must have missed seeing them up the priority by just a few hours!

I'm very glad to see there's interest in getting that working, because I was strongly considering switching browsers to get that feature.


It also misses support for user presence verification on U2F tokens.

https://bugzilla.mozilla.org/show_bug.cgi?id=1757583


The user presence button on my Yubikey works just fine.

Do you mean they're missing support for user PIN entry?


So, User Presence and User Verification are distinct things in FIDO and thus WebAuthn.

User Presence refers to determining that a human wants the authentication, often through some simple button or contact switch. This defuses a remarkable array of potential attacks, but obviously it isn't actually authenticating very much, since a two-year-old and your grandmother can both press a button.

User Verification refers to confirming this is the same human who owns the device. For a cheap FIDO device this might involve a PIN (not actually numeric; the difference from a password is that it's local: the PIN is not going to a remote web site, it's just proving to the device "I'm really your owner"), while Yubico also makes devices that use a fingerprint, and I believe Apple sells products which use facial ID.

The UV flow is significantly more work for the browser, especially for PIN, where now the browser needs to pop up a PIN entry window securely. In contrast, UP is no work for the browser; in fact, on many cheaper FIDO devices UP isn't even optional: if you say "I don't want UP", the device ignores you and just demands somebody press the button anyway.

The authentication credentials you use to log in somewhere actually include signed bitflags from the FIDO device saying whether UP or UV occurred. So there is no way to fake this: if I didn't provide the PIN, my Yubico Security Key 2 will not sign the UV bitflag, and so a remote site knows it might just be a toddler pushing the button. Which is still fine as a second factor, of course.
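The signed bitflags mentioned above live in the authenticatorData byte 32 of every WebAuthn response (UP is bit 0, UV is bit 2). The following is an added example, not code from the commenter or from any project, showing how a relying party parses those flags and applies a "require UV" policy; the RP ID `example.com` and the sample authenticatorData are constructed for the demonstration, and the flags are only trustworthy after the assertion signature over authenticatorData has been verified, which this snippet assumes has already happened.

```python
import struct
import hashlib

# authenticatorData flag bits as defined in the W3C WebAuthn spec (section 6.1)
FLAG_UP = 0x01  # User Present: a button press or touch happened
FLAG_UV = 0x04  # User Verified: PIN, fingerprint, etc. was checked by the device
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian counter
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential_data": bool(flags & FLAG_AT),
        "extension_data": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def check_assertion_flags(auth_data: bytes, rp_id: str, require_uv: bool) -> tuple:
    """Relying-party policy check on already signature-verified authenticatorData.

    Returns (accepted, reason). A site using the key only as a second factor can
    pass require_uv=False; a passwordless login must insist on the UV bit.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "UP flag not set: device did not confirm a human was present"
    if require_uv and not parsed["user_verified"]:
        return False, "UV flag not set: only a button press, no PIN/biometric"
    return True, "accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData prefix for the demo (no real signature)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "example.com"  # assumed relying party ID for the demonstration
UP_ONLY = make_auth_data(RP_ID, FLAG_UP, 7)             # constructed: button press only
UP_AND_UV = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 8)  # constructed: PIN was also entered

if __name__ == "__main__":
    print(check_assertion_flags(UP_ONLY, RP_ID, require_uv=True))    # rejected, no UV
    print(check_assertion_flags(UP_AND_UV, RP_ID, require_uv=True))  # accepted
    print(check_assertion_flags(UP_ONLY, RP_ID, require_uv=False))   # fine as a second factor
```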


https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu... has a nice breakdown of presence vs verification. In fact the whole guide is worth reading, much more accessible than the spec.


I do mean the user PIN entry, yes.



