>As I said in the other email, >I don't understand how this could be implemented when the spec has left the >>key piece undefined, as far as I see.
You are completely right ! For now, FIDO 2 is currently being written (far far far from finished) and can't be implemented, so let's focus on existing solutions with existing specifications and existing products (the ones that work with google/gmail, github, dropbox and many federated identity portals. FIDO U2F specifications are complete for USB/HID devices & desktop browsers. Additional information (copy/paste from a previous post of mine above with small updates): - FIDO 2.0 will not replace FIDO U2F - There will probably not be any kind of FIDO U2F 2.0 inside FIDO 2.0 - FIDO 2.0 has no goal to be compatible with FIDO U2F (and won't be) - FIDO U2F is already here and here to stay. It is a great WORKING solution: a secure second factor for strong web authentication through a simple HID based API. - There is already plenty of FIDO U2F related source code available to help people building great solutions (Chromium client source code, Google JS library source code and different Java/PHP/Go/etc. server code) - Nearly all FIDO U2F products have really secure architectures (i.e. nearly every products are using secure elements / smart cards components, even if not mandatory, that's great) - FIDO U2F over NFC and BLE specifications are currently being finalized, so there will be flexibility to cover mobile platforms. - FIDO 2.0 W3c submission have no real details regarding technical implementation because FIDO 2 is only for now a very confusing draft with strange (*cough*) directions, so do not put too many hopes into FIDO 2.0 (that's really not important for now) => So let's focus on U2F :) _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform