Any chance that the API can be made a little more JS friendly? First
thing that stands out is the use of success/error callbacks rather
than the use of Promises.

Also the use of numeric codes, rather than string values, is a pattern
that the web has generally moved away from.

/ Jonas

On Tue, Dec 1, 2015 at 5:23 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> The FIDO Alliance has been developing standards for hardware-based
> authentication of users by websites [1].  Their work is getting significant
> traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
> Work has begun in the W3C to create open standards using FIDO as a starting
> point. We are proposing to implement the FIDO U2F API in Firefox in its
> current form and then track the evolving W3C standard.
>
> Background: The FIDO Alliance has been developing a standard for
> hardware-based user authentication known as “Universal Two-Factor” or U2F
> [2].  This standard allows a website to verify that a user is in possession
> of a specific device by having the device sign a challenge with a private
> key that is held on the hardware device.  The browser’s role is mainly (1)
> to route messages between the website and the token, and (2) to add the
> origin of the website to the message signed by the token (so that the
> signature is bound to the site).
>
> Several major websites now support U2F for authentication, including Google
> [3], Dropbox [4], and GitHub [5].  Axel Nennker has filed a Bugzilla bug
> for U2F support in Gecko [6].  The W3C has begun the process of forming a
> “WebAuthentication” working group that will work on a standard for enhanced
> authentication using FIDO as a starting point [7].
>
> Proposed: To implement the high-level U2F API described in the FIDO JS API
> specification, with support for the USB HID token interface.
>
> Please send comments on this proposal to the list no later than Monday,
> December 14, 2015.
>
> -----
>
> Personally, I have some reservations about implementing this, but I still
> think it’s worth doing, given the clear need for something to augment
> passwords.
>
> It’s unfortunate that the initial FIDO standards were developed in a closed
> group, but there is good momentum building toward making FIDO more open.  I
> have some specific concerns about the U2F API itself, but they’re
> relatively minor.  For example, the whole system is highly vertically
> integrated, so if we want to change any part of it (e.g., to use a curve
> other than P-256 for signatures), we’ll need to build a whole new API.  But
> these are issues that can be addressed in the W3C process.
>
> We will continue to work on making standards for secure authentication more
> open.  In the meantime, U2F is what’s here now, and there’s demonstrated
> developer interest, so it makes sense for us to work on implementing it.
>
> Thanks,
> --Richard
>
> [1] https://fidoalliance.org/
> [2] https://fidoalliance.org/specifications/download/
> [3] https://support.google.com/accounts/answer/6103523?hl=en
> [4] https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/
> [5] https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
> [7] http://w3c.github.io/websec/web-authentication-charter
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
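
The origin binding described in the quoted proposal (the browser adds the website's origin to the message the token signs), as an added example that is not part of the original thread or of the FIDO specifications. It is a simplified Node.js model: the function names, the two-field client data and the sample origins are assumptions, and the real U2F message carries further fields.

```javascript
const crypto = require('node:crypto');

// Token side: the private key never leaves the device; the site keeps the public key.
const token = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256

// Browser side: combine the site's challenge with the origin the browser
// itself observed. Page script does not supply this value.
function browserClientData(challenge, observedOrigin) {
  return JSON.stringify({ challenge, origin: observedOrigin });
}

// Token side: sign the client data handed over by the browser.
function tokenSign(clientData) {
  return crypto.sign('sha256', Buffer.from(clientData), token.privateKey);
}

// Site side: check the signature first, then the fields it covers.
function siteVerify(clientData, signature, expected, publicKey) {
  const signed = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
  if (!signed) return 'bad-signature';
  const data = JSON.parse(clientData);
  if (data.origin !== expected.origin) return 'wrong-origin';
  if (data.challenge !== expected.challenge) return 'wrong-challenge';
  return 'ok';
}

// Constructed sample values; the origins are placeholders.
function demo() {
  const expected = {
    origin: 'https://login.example',
    challenge: crypto.randomBytes(32).toString('hex'),
  };
  const other = 'https://other.example';
  const good = browserClientData(expected.challenge, expected.origin);
  const goodSig = tokenSign(good);
  // Same challenge, but the token was exercised while the browser was on another origin.
  const foreign = browserClientData(expected.challenge, other);
  const foreignSig = tokenSign(foreign);
  // Rewriting the origin after signing invalidates the signature.
  const rewritten = foreign.replace(other, expected.origin);
  return {
    legitimate: siteVerify(good, goodSig, expected, token.publicKey),
    foreignOrigin: siteVerify(foreign, foreignSig, expected, token.publicKey),
    rewrittenOrigin: siteVerify(rewritten, foreignSig, expected, token.publicKey),
  };
}

console.log(demo());
```

Because the origin sits inside the signed data, the site can reject a response produced on a different origin even when the challenge itself is valid.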