It's my understanding that U2F qua U2F is considered pretty much baked by
the developer community, and there's already code written to it.  But these
concerns will be great for the W3C group and the successor API.  I've got a
similar list started related to crypto and future-proofing.


On Tue, Dec 1, 2015 at 8:29 PM, Jonas Sicking <jo...@sicking.cc> wrote:

> Any chance that the API can be made a little more JS friendly? First
> thing that stands out is the use of success/error callbacks rather
> than the use of Promises.
>
> Also the use of numeric codes, rather than string values, is a pattern
> that the web has generally moved away from.
>
> / Jonas
>
> On Tue, Dec 1, 2015 at 5:23 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> > The FIDO Alliance has been developing standards for hardware-based
> > authentication of users by websites [1].  Their work is getting significant
> > traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
> > Work has begun in the W3C to create open standards using FIDO as a starting
> > point. We are proposing to implement the FIDO U2F API in Firefox in its
> > current form and then track the evolving W3C standard.
> >
> > Background: The FIDO Alliance has been developing a standard for
> > hardware-based user authentication known as “Universal Two-Factor” or U2F
> > [2].  This standard allows a website to verify that a user is in possession
> > of a specific device by having the device sign a challenge with a private
> > key that is held on the hardware device.  The browser’s role is mainly (1)
> > to route messages between the website and the token, and (2) to add the
> > origin of the website to the message signed by the token (so that the
> > signature is bound to the site).
> >
> > Several major websites now support U2F for authentication, including Google
> > [3], Dropbox [4], and Github [5].  Axel Nennker has filed a Bugzilla bug
> > for U2F support in Gecko [6].  The W3C has begun the process of forming a
> > “WebAuthentication” working group that will work on a standard for enhanced
> > authentication using FIDO as a starting point [7].
> >
> > Proposed: To implement the high-level U2F API described in the FIDO JS API
> > specification, with support for the USB HID token interface.
> >
> > Please send comments on this proposal to the list no later than Monday,
> > December 14, 2015.
> >
> > -----
> >
> > Personally, I have some reservations about implementing this, but I still
> > think it’s worth doing, given the clear need for something to augment
> > passwords.
> >
> > It’s unfortunate that the initial FIDO standards were developed in a closed
> > group, but there is good momentum building toward making FIDO more open.  I
> > have some specific concerns about the U2F API itself, but they’re
> > relatively minor.  For example, the whole system is highly vertically
> > integrated, so if we want to change any part of it (e.g., to use a curve
> > other than P-256 for signatures), we’ll need to build a whole new API.  But
> > these are issues that can be addressed in the W3C process.
> >
> > We will continue to work on making standards for secure authentication more
> > open.  In the meantime, U2F is what’s here now, and there’s demonstrated
> > developer interest, so it makes sense for us to work on implementing it.
> >
> > Thanks,
> > --Richard
> >
> > [1] https://fidoalliance.org/
> > [2] https://fidoalliance.org/specifications/download/
> > [3] https://support.google.com/accounts/answer/6103523?hl=en
> > [4] https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/
> > [5] https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
> > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
> > [7] http://w3c.github.io/websec/web-authentication-charter
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform