The FIDO Alliance has been developing standards for hardware-based
authentication of users by websites [1].  Their work is getting significant
traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
Work has begun in the W3C to create open standards using FIDO as a starting
point. We are proposing to implement the FIDO U2F API in Firefox in its
current form and then track the evolving W3C standard.

Background: The FIDO Alliance has been developing a standard for
hardware-based user authentication known as “Universal Two-Factor” or U2F
[2].  This standard allows a website to verify that a user is in possession
of a specific device by having the device sign a challenge with a private
key that is held on the hardware device.  The browser’s role is mainly (1)
to route messages between the website and the token, and (2) to add the
origin of the website to the message signed by the token (so that the
signature is bound to the site).
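The signing and verification flow just described, as an added example in Go (standard library only) that is not code from the original post, from Firefox, or from the FIDO specifications: the token signs SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(client data), the browser fills in the origin inside the client data, and the relying party checks that origin before verifying the P-256 signature. The appId, origin and challenge are constructed values, and the client data JSON is assembled with fmt rather than a JSON library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// clientData is the JSON the browser hashes into the challenge parameter; the browser, not the page, sets origin.
func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin))
}

// SignedMessage assembles what the token signs: SHA-256(appId) || presence || 4-byte big-endian counter || SHA-256(clientData).
func SignedMessage(appID string, presence byte, counter uint32, challenge, origin string) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData(challenge, origin))
	msg := append(append([]byte{}, app[:]...), presence, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	return append(msg, chal[:]...)
}

// Sign plays the token: an ECDSA P-256 signature over SHA-256 of the assembled message.
func Sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:]) // fails only without entropy
	return sig
}

// Verify is the relying party's check: the origin the browser recorded must be ours, and the signature must cover it.
func Verify(pub *ecdsa.PublicKey, appID, site string, presence byte, counter uint32, challenge, origin string, sig []byte) bool {
	if origin != site {
		return false
	}
	h := sha256.Sum256(SignedMessage(appID, presence, counter, challenge, origin))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo: a genuine assertion passes; one collected at a phishing origin fails, even with the origin field edited back.
func Demo() (genuineOK, phishRejected, editRejected bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, site, chal := &priv.PublicKey, "https://example.com", "Y29uc3RydWN0ZWQ" // constructed appId, origin, challenge
	genuineOK = Verify(pub, site, site, 1, 7, chal, site, Sign(priv, SignedMessage(site, 1, 7, chal, site)))
	sig := Sign(priv, SignedMessage(site, 1, 8, chal, "https://evil.example")) // browser recorded the real origin
	phishRejected = !Verify(pub, site, site, 1, 8, chal, "https://evil.example", sig)
	editRejected = !Verify(pub, site, site, 1, 8, chal, site, sig) // field edited back, but the signed hash differs
	return
}
```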

Several major websites now support U2F for authentication, including Google
[3], Dropbox [4], and Github [5].  Axel Nennker has filed a Bugzilla bug
for U2F support in Gecko [6].  The W3C has begun the process of forming a
“WebAuthentication” working group that will work on a standard for enhanced
authentication using FIDO as a starting point [7].

Proposed: To implement the high-level U2F API described in the FIDO JS API
specification, with support for the USB HID token interface.

Please send comments on this proposal to the list no later than Monday,
December 14, 2015.

-----

Personally, I have some reservations about implementing this, but I still
think it’s worth doing, given the clear need for something to augment
passwords.

It’s unfortunate that the initial FIDO standards were developed in a closed
group, but there is good momentum building toward making FIDO more open.  I
have some specific concerns about the U2F API itself, but they’re
relatively minor.  For example, the whole system is highly vertically
integrated, so if we want to change any part of it (e.g., to use a curve
other than P-256 for signatures), we’ll need to build a whole new API.  But
these are issues that can be addressed in the W3C process.

We will continue to work on making standards for secure authentication more
open.  In the meantime, U2F is what’s here now, and there’s demonstrated
developer interest, so it makes sense for us to work on implementing it.

Thanks,
--Richard

[1] https://fidoalliance.org/
[2] https://fidoalliance.org/specifications/download/
[3] https://support.google.com/accounts/answer/6103523?hl=en
[4] https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/
[5] https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
[7] http://w3c.github.io/websec/web-authentication-charter
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform