Re: Fido U2F, two-factor authentication support

2015-12-02 Thread Frederic Martin
On Monday, 9 November 2015 at 18:29:20 UTC+1, Michael Schwartz (m...@gluu.org)
wrote:
> Hi guys... if you need a FIDO U2F server to test against, the Gluu Server has 
> endpoints built in. It's really easy to deploy on Ubuntu / Centos: 
> http://www.gluu.org/docs/admin-guide/deployment/
> 
> Also, I recorded a geeky video on how to test FIDO U2F: 
> http://gluu.co/fido-u2f
> 
> Basically, check enable, change the default authn mechanism... and you're 
> done. It's really easy.
> 
> - Mike

Hi, you did amazing work with Gluu (insert bowing smiley here).

FIDO U2F kind of recommends using TLS channel binding as a protection against 
SSL proxy and other MITM attacks. The Chrome FIDO U2F client part is compatible 
with this, but it can only be used if the server side is implemented. Does Gluu 
support that?

Search "Channel Binding" inside
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-glossary.html
and again here
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-security-ref.html

That's a great -nearly perfect- existing solution, and IMHO Firefox should 
probably implement this feature too for better security and for better 
compatibility with servers that are implementing the server side (like google 
servers). 

http://tools.ietf.org/html/draft-balfanz-tls-channelid-01 
http://www.ietf.org/rfc/rfc5056.txt 
http://www.ietf.org/rfc/rfc5929.txt
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
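
The server-side half of the channel-binding check asked about in the message above, as an added example that is not part of the original post or of Gluu's code. It assumes the `typ`, `challenge`, `origin` and `cid_pubkey` client-data members of the FIDO U2F raw message formats; `tls_cid_jwk` is a hypothetical input standing for the Channel ID key the TLS layer saw on the connection, and verification of the token's signature over the client data is assumed to happen elsewhere.

```python
import base64, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def same_jwk(a, b):
    # Compare only the members that define an EC P-256 public key.
    return isinstance(a, dict) and all(k in a and a[k] == b.get(k)
                                       for k in ("kty", "crv", "x", "y"))

def check_client_data(client_data_b64, typ, challenge, origins, tls_cid_jwk):
    """Return (ok, reason). tls_cid_jwk: Channel ID key the TLS layer saw on
    this connection, or None if it carried none (hypothetical input)."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except (ValueError, TypeError):
        return False, "malformed client data"
    if not isinstance(cd, dict) or cd.get("typ") != typ:
        return False, "wrong typ"
    sent = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, challenge.encode()):
        return False, "challenge mismatch"
    origin = cd.get("origin")
    if not isinstance(origin, str) or origin not in origins:
        return False, "unexpected origin"
    cid = cd.get("cid_pubkey")
    if cid is None:        # browser without Channel ID support
        return True, "binding not checked"
    if cid == "unused":    # browser supports it but did not use it for this origin
        if tls_cid_jwk is not None:
            return False, "channel id mismatch"
        return True, "binding not checked"
    if tls_cid_jwk is None or not same_jwk(cid, tls_cid_jwk):
        return False, "channel id mismatch"   # TLS ended at some other party
    return True, "channel bound"

# Constructed sample data (placeholder key material, not real keys).
def encode(cd):
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")

BROWSER_KEY = {"kty": "EC", "crv": "P-256", "x": "browser-x", "y": "browser-y"}
PROXY_KEY = {"kty": "EC", "crv": "P-256", "x": "proxy-x", "y": "proxy-y"}
CLIENT_DATA = encode({"typ": "navigator.id.getAssertion", "challenge": "c2FtcGxl",
                      "origin": "https://login.example.com", "cid_pubkey": BROWSER_KEY})
ARGS = ("navigator.id.getAssertion", "c2FtcGxl", {"https://login.example.com"})

if __name__ == "__main__":
    print(check_client_data(CLIENT_DATA, *ARGS, BROWSER_KEY))  # direct connection
    print(check_client_data(CLIENT_DATA, *ARGS, PROXY_KEY))    # relayed via a proxy
```

Whether "binding not checked" is acceptable for a login is a policy decision for the relying party; the example only reports it.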


Re: Fido U2F, two-factor authentication support

2015-11-28 Thread Ian Young
FIDO has now submitted the U2F Web API to the W3C[1]. I know this only
makes it a *proposed* standard, but I would hope having it on this track
would be enough to bump it up a bit in Mozilla's priorities. Maybe a
Mozillian could drop in and give us an explanation of how the W3C
process influences what gets implemented and when?


Links:

  1. https://fidoalliance.org/fido-alliance-announces-FIDO-authentication-poised-for-continued-growth-as-alliance-submits-FIDO-2.0-web-API-to-W3C/


Re: Fido U2F, two-factor authentication support

2015-11-28 Thread Anne van Kesteren
On Sat, Nov 28, 2015 at 9:09 AM, Ian Young wrote:
> Maybe a
> Mozillian could drop in and give us an explanation of how the W3C
> process influences what gets implemented and when?

Well, it doesn't really, many things are standardized by the W3C that
are a poor fit for browsers. What gets implemented depends on what we
think is good for the web, competitive pressure, and available
resources. Having said that, many Mozillians believe this particular
technology is good for the web and there is some competitive pressure,
so it's mostly a question of resources. If you have funds or browser
engineering chops, patches welcome.


-- 
https://annevankesteren.nl/


Re: Fido U2F, two-factor authentication support

2015-11-28 Thread smaug

On 11/28/2015 11:36 AM, Anne van Kesteren wrote:
> On Sat, Nov 28, 2015 at 9:09 AM, Ian Young wrote:
>> Maybe a
>> Mozillian could drop in and give us an explanation of how the W3C
>> process influences what gets implemented and when?
>
> Well, it doesn't really, many things are standardized by the W3C that
> are a poor fit for browsers. What gets implemented depends on what we
> think is good for the web, competitive pressure, and available
> resources. Having said that, many Mozillians believe this particular
> technology is good for the web and there is some competitive pressure,
> so it's mostly a question of resources. If you have funds or browser
> engineering chops, patches welcome.

It is also about having a good spec to implement. As far as I see, the current
spec is more like an initial draft.
Stuff like "obtain U2F MessagePort in a browser specific manner" doesn't sound
good.
So far I haven't found a spec which defines how to get access to U2F
MessagePort or some u2f object which has register() etc. methods.

But perhaps I'm not looking at the right specs.








Re: Fido U2F, two-factor authentication support

2015-11-20 Thread Gervase Markham
On 18/11/15 19:26, phow...@ccvschools.com wrote:
> This is definitely an important feature, but I'm not holding my
> breath.  I have had a lot of experience with Mozilla over the years
> and I really doubt anything will materialize in the near future.

Feeling particularly entitled today, are we?

From the look of the bug, it seems like patches are certainly being
accepted.

Gerv




Re: Fido U2F, two-factor authentication support

2015-11-09 Thread Michael Schwartz (m...@gluu.org)
Hi guys... if you need a FIDO U2F server to test against, the Gluu Server has 
endpoints built in. It's really easy to deploy on Ubuntu / Centos: 
http://www.gluu.org/docs/admin-guide/deployment/

Also, I recorded a geeky video on how to test FIDO U2F: http://gluu.co/fido-u2f

Basically, check enable, change the default authn mechanism... and you're done. 
It's really easy.

- Mike


Re: Fido U2F, two-factor authentication support

2015-11-05 Thread Frederik Braun
There is an experimental add-on being worked on that tries to bring U2F
support to Firefox. The source code is at
, but it has not yet gone through
the Add-on review process.



Btw, the most important thing about the bug is comment 62
(https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c62).

To quickly summarize what Richard said:

Yes, nobody within the Mozilla corporation is officially assigned to
work on this.
The abstraction level of the API is not very interoperable with all
kinds of second factors that are not compliant with FIDO U2F, which is
a bit unfortunate.
We will allow third-party contributions and would suggest implementing
a USB HID API, which would be arguably more useful for any kind of
second factor implementation to sit on top.
Part of this is being worked on in
https://bugzilla.mozilla.org/show_bug.cgi?id=1198330, it seems?


Re: Fido U2F, two-factor authentication support

2015-11-05 Thread Joseph Lorenzo Hall
+1

I would love love love to have U2F in Firefox.

(Also, Dropbox supports it too, just as a data point:
http://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/ )

On Thu, Nov 5, 2015 at 5:18 PM, Jeroen Hoek wrote:
> In December 2014 the first public release of the Fido alliance's
> Universal 2nd Factor (U2F) specification was published. The idea behind
> this open specification is to provide a secure two-factor authentication
> method with affordable hardware keys and a friendly UX.
>
> If I buy a hardware key that implements Fido U2F today, I can use it to
> log on to Google's GMail and Github. It is possible to use the same
> hardware key with any web service offering Fido U2F support, by design.
> The specification allows for three methods of communication: USB, NFC,
> and Bluetooth Low Energy (BLE).
>
> For Fido U2F to work, a browser implementing this technology is required.
>
>
> There is an issue about Fido U2F support in Firefox:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
>
> Unfortunately, this issue appears to receive no priority from Mozilla.
> Reading the comments in this issue, it appears that despite the
> attractiveness of the Fido U2F specification, developers see support in
> Firefox as a deal-breaker. Personally, I feel that a security technology
> such as this needs at least one free software browser to support it to
> provide a viable alternative.
>
> Judging from the bounty placed on this Firefox issue (currently
> exceeding 1000 USD), there appears to be a fairly strong community
> desire to see this feature implemented. Commenters on the issue are,
> however, worried about the (perceived lack of) priority afforded to this
> issue.
>
> Developers participating in the issue recommended we post questions
> about the prioritizing of this issue to the mozilla.dev.platform mailing
> list. My apologies if this is not the place to discuss this issue.
>
> --
>
> Is Fido U2F a technology that Mozilla can endorse and support?
>
> Could this technology be considered for inclusion in Firefox?
>
> --
>
> Some background on this technology for those who are unfamiliar with it:
>
> The full Fido U2F specifications are available for download here:
>
> https://fidoalliance.org/specifications/overview/
> https://fidoalliance.org/specifications/download/
>
> Specifically, the U2F overview may be interesting if you want a more
> in-depth architectural overview:
>
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html
>
>
> Google announced support for Fido U2F a year ago, in October 2014, and
> Chrome currently implements the Fido U2F standard:
>
> https://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html
>
>
> Microsoft is backing this standard as well:
>
> https://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/
>
>
> Yubico is one of the driving forces behind the Fido specifications from
> the manufacturers' side. They produce USB and NFC hardware tokens that
> can be used with open security standards such as OATH-HOTP and
> OATH-TOTP. Their recent line-up includes Fido U2F support as well:
>
> https://www.yubico.com/products/yubikey-hardware/
>
> Yubico on Fido U2F:
>
> https://www.yubico.com/applications/fido/
>
> Yubico is not the only manufacturer — other Fido-certified keys can be
> found on Amazon — but they do appear to have a leading edge.
>
>
> I am personally interested in Fido U2F from a professional standpoint.
> The possibility to provide affordable two-factor authentication either
> through USB, NFC, or BLE is appealing, and my employer is considering
> opting for this standard to secure the health care software services we
> provide — cross-browser support is, however, a requirement.
>
> I am not affiliated with the Fido alliance or its backers.
>
> --
> Kind regards,
>
> Jeroen Hoek
>
> Lable
> ✉ jeroen.h...@lable.nl
> GPG: 44D4 1D39 535A 1F9A 9509  92C5 A7A8 B913 D40D D022
>
> http://lable.nl — KvK № 55984037 — BTW № NL8519.32.411.B.01
>



-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


Fido U2F, two-factor authentication support

2015-11-05 Thread Jeroen Hoek
In December 2014 the first public release of the Fido alliance's
Universal 2nd Factor (U2F) specification was published. The idea behind
this open specification is to provide a secure two-factor authentication
method with affordable hardware keys and a friendly UX.

If I buy a hardware key that implements Fido U2F today, I can use it to
log on to Google's GMail and Github. It is possible to use the same
hardware key with any web service offering Fido U2F support, by design.
The specification allows for three methods of communication: USB, NFC,
and Bluetooth Low Energy (BLE).

For Fido U2F to work, a browser implementing this technology is required.


There is an issue about Fido U2F support in Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

Unfortunately, this issue appears to receive no priority from Mozilla.
Reading the comments in this issue, it appears that despite the
attractiveness of the Fido U2F specification, developers see support in
Firefox as a deal-breaker. Personally, I feel that a security technology
such as this needs at least one free software browser to support it to
provide a viable alternative.

Judging from the bounty placed on this Firefox issue (currently
exceeding 1000 USD), there appears to be a fairly strong community
desire to see this feature implemented. Commenters on the issue are,
however, worried about the (perceived lack of) priority afforded to this
issue.

Developers participating in the issue recommended we post questions
about the prioritizing of this issue to the mozilla.dev.platform mailing
list. My apologies if this is not the place to discuss this issue.

--

Is Fido U2F a technology that Mozilla can endorse and support?

Could this technology be considered for inclusion in Firefox?

--

Some background on this technology for those who are unfamiliar with it:

The full Fido U2F specifications are available for download here:

https://fidoalliance.org/specifications/overview/
https://fidoalliance.org/specifications/download/

Specifically, the U2F overview may be interesting if you want a more
in-depth architectural overview:

https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html


Google announced support for Fido U2F a year ago, in October 2014, and
Chrome currently implements the Fido U2F standard:

https://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html


Microsoft is backing this standard as well:

https://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/


Yubico is one of the driving forces behind the Fido specifications from
the manufacturers' side. They produce USB and NFC hardware tokens that
can be used with open security standards such as OATH-HOTP and
OATH-TOTP. Their recent line-up includes Fido U2F support as well:

https://www.yubico.com/products/yubikey-hardware/

Yubico on Fido U2F:

https://www.yubico.com/applications/fido/

Yubico is not the only manufacturer — other Fido-certified keys can be
found on Amazon — but they do appear to have a leading edge.


I am personally interested in Fido U2F from a professional standpoint.
The possibility to provide affordable two-factor authentication either
through USB, NFC, or BLE is appealing, and my employer is considering
opting for this standard to secure the health care software services we
provide — cross-browser support is, however, a requirement.

I am not affiliated with the Fido alliance or its backers.

--
Kind regards,

Jeroen Hoek

Lable
✉ jeroen.h...@lable.nl
GPG: 44D4 1D39 535A 1F9A 9509  92C5 A7A8 B913 D40D D022

http://lable.nl — KvK № 55984037 — BTW № NL8519.32.411.B.01


