top | item 17610895

agl | 7 years ago

> However, I've heard that Google is kind of going on a tangent with its own U2F implementations, emphasizing an old-school implementation instead of the Web Authentication Standard that's pushed by the W3C.

Chrome has supported "U2F" (the first FIDO spec) for a while and all support for Security Keys in the last few years has been via this protocol.

But we're implementing the W3C Web Authentication (webauthn) spec and you can already use it in Chrome in place of U2F. All effort is going into webauthn now and the U2F code is frozen. At some point I'll announce a sunset date for U2F support in Chrome and happily delete that code. (Just the API, U2F keys will continue to work via webauthn.)

arnarbi|7 years ago

> At some point I'll announce a sunset date for U2F support in Chrome and happily delete that code.

Just to clarify for folks who might not know: WebAuthn and the new FIDO specs are backwards compatible with U2F hardware. So existing keys will continue to work.

puzzle|7 years ago

Can you use local storage and upload local applets to these new keys?

The main use case is authenticating under Secure Shell on a Chromebook without having to configure the key on e.g. Linux first:

https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/...

scott00|7 years ago

Don't know anything about the Google Titan keys, but they are most likely Feitian hardware with custom firmware, and you can buy unlocked versions of Feitian security keys by contacting them. On unlocked keys you can install your own javacard applets.

mtgx|7 years ago

But U2F is used as a 2nd factor, because you still need the password.

Are you saying we should give up both passwords and U2F keys when WebAuthn is mainstream? Would that really provide just as good security, or do you think it's 90% of the way there, so might as well keep it single-factor?

agl|7 years ago

Sorry, I worded that poorly. U2F keys will continue to work fine, it's just the Javascript API that sites use that'll change. As a user, everything will keep working.

Webauthn allows (but does not require) a mode where the key is a single-factor (i.e. acts as both username and authenticator). You need FIDO2 keys for that and we plan to support it in Chrome. Sites will decide whether that makes sense for them.

danjoc|7 years ago

>But we're implementing the W3C Web Authentication (webauthn) spec and you can already use it in Chrome in place of U2F.

How are users going to differentiate between a webauthn permission request and a webusb permission request? The latter can be used for phishing attacks, which appears to defeat the entire purpose of having a U2F key.

https://www.wired.com/story/chrome-yubikey-phishing-webusb/

agl|7 years ago

Webauthn and WebUSB UIs are very different. Additionally, Chrome has banned WebUSB from claiming Security Keys.

However, it remains the case that if the user downloads and runs exes, or otherwise grants the attacker direct access to the Security Key, then they can ask it to sign an authentication request for a given website. Such an attacker could also compromise the browser and wait for the user to login themselves etc.

mfer|7 years ago

> Chrome has supported "U2F" (the first FIDO spec) for a while and all support for Security Keys in the last few years has been via this protocol.

Google U2F to their sites only works in Chrome. You can't use a Yubikey in, say, Firefox (FF supports it). The way they are making this all work isn't using open common cross-browser standards.

gleenn|7 years ago

I'm not sure if we're talking about the same exact service, but I'm definitely using a Yubikey with Firefox for Gmail. Not sure if it's enabled by default yet, iirc I had to go into Firefox about:config and twiddle a bit somewhere. What service(s) don't work?