
Comments (24)

Sp1l commented on August 19, 2024 3

This is now referred to in the ChangeLog of v1.5.0 😄
Perhaps we can reflect this in README.md?

With Firefox 57 and later, enable security.webauth.u2f in about:config to enjoy this feature

Note: Submitted using my Yubikey to login to GitHub 👿

from twofactor_u2f.

Sp1l commented on August 19, 2024 2

Can imagine the reservation on the topic. It'd probably work with the extension as well (for existing users), but the clear direction of the Firefox project is to use native capability. I haven't dug into differences in the implementation between extension and built-in but as of 57 built-in should be preferred over the extension for new users.

ChristophWurst commented on August 19, 2024 1

What a bummer! Let me know when it's enabled by default so that we can finally remove that warning!

ChristophWurst commented on August 19, 2024 1

As soon as there is good documentation of webauthn and how developers can make use of it in their apps, I'll look into this. Last time I checked there were just a few high-level posts about the feature.

ChristophWurst commented on August 19, 2024

Correct, I'm aware of that and even have been using it for two months without any issues. But it's still not available for everyone. As soon as it is, I'd be happy to remove the warning!

Hillside502 commented on August 19, 2024

@ChristophWurst
By everyone, do you mean pre-57 users?

ChristophWurst commented on August 19, 2024

No, because they won't get an official U2F support in FF I suppose.

AFAIK U2F is included in FF57, but it's not enabled by default. It's just a beta feature. Is that correct?

Hillside502 commented on August 19, 2024

It's not enabled by default, but why does that make it a beta feature?

ChristophWurst commented on August 19, 2024

I don't really care whether it's beta or not. As soon as it's enabled for all by default, the warning will be removed. Nothing is preventing you from using it already.

Hillside502 commented on August 19, 2024

@ChristophWurst
I also don't care whether it's beta or not.

Of what relevance is:-

> Nothing is preventing you from using it already.

ChristophWurst commented on August 19, 2024

> Perhaps we can reflect this in README.md?

Good point. Wanna fix it and submit a pull request? That would be highly appreciated!

strobeltobias commented on August 19, 2024

> As soon as it's enabled for all by default, the warning will be removed. Nothing is preventing you from using it already.
> ~@ChristophWurst

With the release of Firefox 60, U2F is ~~enabled~~ available by default. (But currently it must be activated manually beforehand.)
See here: https://blog.mozilla.org/press-de/2018/01/25/wie-hardware-token-basierte-zwei-faktor-authentifizierung-mit-der-webauthn-api-funktioniert/ (German)

ChristophWurst commented on August 19, 2024

> With the release of Firefox 60, U2F is enabled by default.
> See here: https://blog.mozilla.org/press-de/2018/01/25/wie-hardware-token-basierte-zwei-faktor-authentifizierung-mit-der-webauthn-api-funktioniert/ (German)

I'm on FF60 and about:config tells me security.webauth.u2f is still set to false by default.

strobeltobias commented on August 19, 2024

@ChristophWurst You're right! I checked it and updated my earlier comment.

ChristophWurst commented on August 19, 2024

Still disabled by default (FF61) 😢

jknockaert commented on August 19, 2024

As far as I understand support for the U2F standard is only partially implemented in Firefox, and probably for that reason disabled by default. Now that the new Webauthn standard is fully supported by Firefox (and enabled by default) I do not expect further development of the legacy U2F standard and it will likely remain disabled forever.
So I guess the way forward is to support Webauthn in Nextcloud, either in this app or in a separate app.

ChristophWurst commented on August 19, 2024

> So I guess the way forward is to support Webauthn in Nextcloud, either in this app or in a separate app.

The last time I checked the information about webauthn wasn't 100% clear on how the technology works and how it would be implemented in a real-world application. If you happen to know more about it, please let me know.
I will have to look into this at some point.

jknockaert commented on August 19, 2024

I did not yet have a look into the specifics of Webauthn. I understand it is an extension of U2F (which is 2 factor only) with specifications for passwordless as well as multifactor support. So the logical development seems to be to upgrade the current U2F to Webauthn 2-factor (which should be backwards compatible with U2F hardware).
Then a new app may extend the implementation to cover the full Webauthn protocol (including passwordless etc), perhaps including a user (and admin) interface for enabling/disabling specific protocols.

ccoenen commented on August 19, 2024

I can confirm that my YubiKey U2F from 2015 works in Firefox 62. Webauthn works by default without changes to about:config. You can check that by

[image: grafik]

Source code to both demo pages is linked from the MDN article about WebAuthn, which is how I found the two working demos.

I'd happily test this with the twofactor u2f app, but NC 13 won't even let me try (tells me that Chrome was the only browser supported) and NC 14 won't let me install the app, and I currently don't have enough time to go beyond "install from app directory".

ChristophWurst commented on August 19, 2024

> I can confirm that my YubiKey U2F from 2015 works in Firefox 62. Webauthn works by default without changes to about:config. You can check that by

Yes, but does this app work out of the box? We still use the u2f lib/api.

> NC 14 won't let me install the app, and I currently don't have enough time to go beyond "install from app directory".

That shouldn't be a problem, there are compatible releases: https://apps.nextcloud.com/apps/twofactor_u2f. You cannot use the latest one, though.

ccoenen commented on August 19, 2024

I managed to install it to NC 14 now, and it currently does not work in unmodified Firefox. But as shown above it could be made to work already. Should I create a separate issue for that?

jknockaert commented on August 19, 2024

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
(there are some links to demos and their source code at the bottom of the page)

ChristophWurst commented on August 19, 2024

Thanks!

ChristophWurst commented on August 19, 2024

According to my about:config, u2f is now enabled by default. Would anyone like to shoot a PR so this gets finally updated? :)
