Firefox enables deprecated Fido U2F Support for Google Accounts (opens in new tab)

(groups.google.com)

125 pointscoffee--7y ago41 comments

41 comments

snek7y ago

Damn shame to see the internet move backwards because Google refuses to use the standardized APIs.

Edit: Usually HN is so angry about Google not following web standards but everyone in this thread seems to be in favor of Google trampling the WebAuthn standard. Weird.

jrockway7y ago

What sites could you sign into with a cryptographic second factor before Google launched U2F? All that was out there were easily-phishable TOTP tokens. Now you can register a security key and use it as a second factor on desktops and phones. It's pretty impressive, though unfortunate that ultimately the industry picked a similar-but-different standard.

What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

phren0logy7y ago

Dropbox uses WebAuthn. They are, as far as I can tell, the most significant site using it currently.

1 more reply

agwa7y ago

> What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

https://login.gov

taeric7y ago

Can I, though? I asked https://news.ycombinator.com/item?id=19316509 to see if there was a way to build a habit out of my security token. Not only did I not get responses there, but I haven't actually found that many places that support using a u2f token. There are an some that support it ok, but all require me to use chrome and none seem to support using it at least once a day. (Or anything like that.)

1 more reply

will42747y ago

> What sites currently let me authenticate with WebAuthn?

Microsoft sites like Outlook and OneDrive.

alfalfasprout7y ago

Duo push works decently well and is far more secure than eg; TOTP.

cbhl7y ago

In my opinion, the root cause of this is that Linux made a conscious decision to not maintain binary ABI compatibility with device drivers.

Android is open source, and Linux-based. The licenses allow phone manufacturers to fork Android and integrate it with devices that only have closed-source binary blob drivers, without involving Google. The end result is a bunch of phones whose kernels (and thus OSes) are impossible to update. (I am told that Microsoft found this sufficiently frustrating and that it decided it would write its own drivers for the vast majority of hardware.)

Linux has a Very Good Reason to discourage binary driver compatibility -- it would rather see those drivers be open-sourced under GPL and moved in-tree. But the end result has seriously hurt the security of more than two-thirds of Android users -- users who otherwise should be inclined to choose open-source because they are paranoid about security.

I think the right answer is to require folks to have Android Q+ to continue to use security keys with an Android account, but I imagine that's not a viable choice because the optics would be that Google is doing a "money grab" in exchange for security.

admax88q7y ago

Are you seriously saying that the reason Google hasn't implemented a _web_ standard is because Linux doesn't provide good enough support for binary device drivers?

That's just ridiculous.

1 more reply

amluto7y ago

Huh?

Linux has had perfectly fine U2F 1 support for ages. All you need on a normal desktop box is u2f-hidraw-policy [0] and, optionally, the u2f CLI tools.

[0] https://github.com/amluto/u2f-hidraw-policy

sametmax7y ago

OpenOffice gained traction by supporting .doc files. VLC because it could read .wma and .mov files. Linux when it could read NTFS partitions.

"Be conservative in what you do, be liberal in what you accept from others" is good practice in software, espacially in open source. You can't be picky when you are the underdog anyway.

rstuart41337y ago

> Usually HN is so angry about Google not following web standards but everyone in this thread seems to be in favor of Google trampling the WebAuthn standard. Weird.

Maybe it's because according to the article "Google trampling WebAuthn standard" miss characterises what is actually going on:

> We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials.

maxerickson7y ago

How quickly would they have to deploy a new standard for it to not be trampling?

Do you think they planned legacy Android devices not being able to support the new standard?

apostacy7y ago

I'm more rustled to again see Firefox again try to emulate the worst of Chrome.

AdmiralAsshat7y ago

Would be nice. Even with the experimental settings turned on in about:config, I could only read input from my Yubikey, I couldn't add one. I had to install Chromium just so I could add my Yubikey to my Google account.

akerl_7y ago

This is mentioned as a side note in the first comment of the Firefox issue: they were explicitly whitelisting the “Sign” operation so that registration didn’t work.

ecesena7y ago

I think this is because of Google - they only allow registration via Chrome (to the best of my knowledge). But then you should be able to use your key from Firefox.

lurker2137y ago

if you are on linux and using the flatpak version of firefox it could be because of sandboxing and USB read permissions.

mediocrejoker7y ago

This is good. It's been working with FastMail for months so I'm not sure what the problem was.

lkbm7y ago

From what I understand:

* FastMail has implemented WebAuth, the newer standard, which Firefox supports

* Google hasn't implemented WebAuth because they have to(?) wait for the end-of-life of old Android devices.

* Firefox is going to put an override so that you can use the old standard on Google accounts, which Google does support.

It sounds like Google's slowness to enable WebAuth is a somewhat legitimate issue of backwards compatibility for old devices, though I haven't personally evaluated it.

chrismorgan7y ago

FastMail is still using the old FIDO U2F API; we’ve been planning on migrating to WebAuthn since it was finalised, but investigation revealed that the migration would not be entirely straightforward (especially if tokens registered with WebAuthn needed to still work with U2F, which at the time was important but could probably now be skipped), so we deferred it, since the U2F support is adequate for most users. I expect this is the experience with many small teams that support the FIDO U2F API. Documentation on migration is difficult to come by; I think https://www.imperialviolet.org/2018/03/27/webauthn.html is the main source I’ve encountered.

1 more reply

tgragnato7y ago

Android devices do not receive updates. This creates all sort of issues, including inconsistency and lack of features. Legitimate and sensible decision, but sad.

drewg1237y ago

Not a web dev. Is there a way to force U2F with firefox for google accounts? The lack of (obvious) U2F support in FF for Google accounts is one of the things holding me back from switching back to FF from Chrome.

ecesena7y ago

Note that if you enable 2fa with Chrome, then you can log in with Firefox. Just adding/removing keys (in Google) doesn't work.

chedabob7y ago

Yep, I've just been through this process on both personal and work Gsuite.

They've changed the message in Firefox to make it a little clearer this is how to do it.

web0077y ago

"We agreed then to implement a hard-coded permission for Google Accounts when utilizing FIDO U2F API credential support, whether that was via Web Authentication’s backward compatibility extension, or via Firefox’s FIDO U2F API support hidden behind the “security.webauth.u2f” preference."

Directly, https://support.yubico.com/support/solutions/articles/150000...

inetknght7y ago

Does this mean I can finally use my Yubikey in Firefox on Linux as my second factor authentication with my Google accounts?

ecesena7y ago

Pretty sure you can already use it. You can't register it currently.

taeric7y ago

I can confirm this.

I'm also curious if anyone in this topic has advice for how to make U2F a habit. I posted https://news.ycombinator.com/item?id=19316509, but didn't get anything. :(

1 more reply

bpye7y ago

I've found the Firefox U2F support on Windows, especially with Google, quite temperamental. It will prompt me to touch my Yubikey and I will, only to get some failure. I can't work out what causes it but replygging and retrying a few times normally gets me logged in. Very irritating.

inetknght7y ago

No problem: I already registered it using Chrome on a different computer. Nonetheless, I consistently have trouble using it on Firefox on Linux.

breakingcups7y ago

For all the hooks Google has into nearly every Android device through Google Play, I would've thought the one party burned in ROMs wouldn't be a problem for would be Google.

amluto7y ago

If you’re on Linux, you’ll want u2f-hideaway-policy installed to avoid permission issues.

https://github.com/amluto/u2f-hidraw-policy

taeric7y ago

Is this necessary for newer installs? Pretty sure the titan keys and the yubikey I have worked without any special setup on the latest ubuntu.

amluto7y ago

AFAICT Ubuntu uses a big hack that maintains a list of known U2F tokens rather than detecting whether the device speaks the U2F protocol. u2f-hidraw-policy does the latter, so it’s forward compatible.

I should get it into upstream systemd.

caprese7y ago

Does this make Ledger Nanos work on Firefox now?

j / k navigate · click thread line to collapse

41 comments

snek7y ago

Damn shame to see the internet move backwards because Google refuses to use the standardized APIs.

Edit: Usually HN is so angry about Google not following web standards but everyone in this thread seems to be in favor of Google trampling the WebAuthn standard. Weird.

jrockway7y ago

What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

phren0logy7y ago

Dropbox uses WebAuthn. They are, as far as I can tell, the most significant site using it currently.

1 more reply

agwa7y ago

> What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

https://login.gov

taeric7y ago

1 more reply

will42747y ago

> What sites currently let me authenticate with WebAuthn?

Microsoft sites like Outlook and OneDrive.

alfalfasprout7y ago

Duo push works decently well and is far more secure than eg; TOTP.

cbhl7y ago

In my opinion, the root cause of this is that Linux made a conscious decision to not maintain binary ABI compatibility with device drivers.

admax88q7y ago

Are you seriously saying that the reason Google hasn't implemented a _web_ standard is because Linux doesn't provide good enough support for binary device drivers?

That's just ridiculous.

1 more reply

amluto7y ago

Huh?

Linux has had perfectly fine U2F 1 support for ages. All you need on a normal desktop box is u2f-hidraw-policy [0] and, optionally, the u2f CLI tools.

[0] https://github.com/amluto/u2f-hidraw-policy

sametmax7y ago

OpenOffice gained traction by supporting .doc files. VLC because it could read .wma and .mov files. Linux when it could read NTFS partitions.

"Be conservative in what you do, be liberal in what you accept from others" is good practice in software, espacially in open source. You can't be picky when you are the underdog anyway.

rstuart41337y ago

> Usually HN is so angry about Google not following web standards but everyone in this thread seems to be in favor of Google trampling the WebAuthn standard. Weird.

Maybe it's because according to the article "Google trampling WebAuthn standard" miss characterises what is actually going on:

> We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials.

maxerickson7y ago

How quickly would they have to deploy a new standard for it to not be trampling?

Do you think they planned legacy Android devices not being able to support the new standard?

apostacy7y ago

I'm more rustled to again see Firefox again try to emulate the worst of Chrome.

AdmiralAsshat7y ago

akerl_7y ago

This is mentioned as a side note in the first comment of the Firefox issue: they were explicitly whitelisting the “Sign” operation so that registration didn’t work.

ecesena7y ago

I think this is because of Google - they only allow registration via Chrome (to the best of my knowledge). But then you should be able to use your key from Firefox.

lurker2137y ago

if you are on linux and using the flatpak version of firefox it could be because of sandboxing and USB read permissions.

mediocrejoker7y ago

This is good. It's been working with FastMail for months so I'm not sure what the problem was.

lkbm7y ago

From what I understand:

* FastMail has implemented WebAuth, the newer standard, which Firefox supports

* Google hasn't implemented WebAuth because they have to(?) wait for the end-of-life of old Android devices.

* Firefox is going to put an override so that you can use the old standard on Google accounts, which Google does support.

It sounds like Google's slowness to enable WebAuth is a somewhat legitimate issue of backwards compatibility for old devices, though I haven't personally evaluated it.

chrismorgan7y ago

1 more reply

tgragnato7y ago

Android devices do not receive updates. This creates all sort of issues, including inconsistency and lack of features. Legitimate and sensible decision, but sad.

drewg1237y ago

ecesena7y ago

Note that if you enable 2fa with Chrome, then you can log in with Firefox. Just adding/removing keys (in Google) doesn't work.

chedabob7y ago

Yep, I've just been through this process on both personal and work Gsuite.

They've changed the message in Firefox to make it a little clearer this is how to do it.

web0077y ago

Directly, https://support.yubico.com/support/solutions/articles/150000...

inetknght7y ago

Does this mean I can finally use my Yubikey in Firefox on Linux as my second factor authentication with my Google accounts?

ecesena7y ago

Pretty sure you can already use it. You can't register it currently.

taeric7y ago

I can confirm this.

I'm also curious if anyone in this topic has advice for how to make U2F a habit. I posted https://news.ycombinator.com/item?id=19316509, but didn't get anything. :(

1 more reply

bpye7y ago

inetknght7y ago

No problem: I already registered it using Chrome on a different computer. Nonetheless, I consistently have trouble using it on Firefox on Linux.

breakingcups7y ago

For all the hooks Google has into nearly every Android device through Google Play, I would've thought the one party burned in ROMs wouldn't be a problem for would be Google.

amluto7y ago

If you’re on Linux, you’ll want u2f-hideaway-policy installed to avoid permission issues.

https://github.com/amluto/u2f-hidraw-policy

taeric7y ago

Is this necessary for newer installs? Pretty sure the titan keys and the yubikey I have worked without any special setup on the latest ubuntu.

amluto7y ago

I should get it into upstream systemd.

caprese7y ago

Does this make Ledger Nanos work on Firefox now?

j / k navigate · click thread line to collapse