by agl 2886 days ago
> However, I've heard that Google is kind of going on a tangent with its own U2F implementations, emphasizing an old-school implementation instead of the Web Authentication Standard that's pushed by the W3C.

Chrome has supported "U2F" (the first FIDO spec) for a while and all support for Security Keys in the last few years has been via this protocol.

But we're implementing the W3C Web Authentication (webauthn) spec and you can already use it in Chrome in place of U2F. All effort is going into webauthn now and the U2F code is frozen. At some point I'll announce a sunset date for U2F support in Chrome and happily delete that code. (Just the API, U2F keys will continue to work via webauthn.)

5 comments

> At some point I'll announce a sunset date for U2F support in Chrome and happily delete that code.

Just to clarify for folks who might not know: WebAuthn and the new FIDO specs are backwards compatible with U2F hardware. So existing keys will continue to work.

Can you use local storage and upload local applets to these new keys?

The main use case is authenticating under Secure Shell on a Chromebook without having to configure the key on e.g. Linux first:

https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/...

Don't know anything about the Google Titan keys, but they are most likely Feitian hardware with custom firmware, and you can buy unlocked versions of Feitian security keys by contacting them. On unlocked keys you can install your own javacard applets.
But U2F is used as a 2nd factor, because you still need the password.

Are you saying we should give up both passwords and U2F keys when WebAuthn is mainstream? Would that really provide just as good security, or do you think it's 90% of the way there, so might as well keep it single-factor?

Sorry, I worded that poorly. U2F keys will continue to work fine, it's just the Javascript API that sites use that'll change. As a user, everything will keep working.

Webauthn allows (but does not require) a mode where the key is a single-factor (i.e. acts as both username and authenticator). You need FIDO2 keys for that and we plan to support it in Chrome. Sites will decide whether that makes sense for them.
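The two points agl makes here, that registered U2F keys keep working once a site moves to the WebAuthn API, and that a single-factor mode exists but has stricter requirements, both come down to what a server checks in the authenticator data of an assertion. The following is an added example, not code from this thread, from Chrome or from the FIDO/W3C specs: it parses the fixed part of a WebAuthn authenticatorData structure and applies the origin-binding check (rpIdHash against the RP ID, or against the legacy U2F AppID when the appid extension is in play), the user-presence/user-verification flag check that separates second-factor use from single-factor use, and the signature-counter check. The RP ID "example.com", the AppID URL and the sample authenticatorData bytes are constructed for the demonstration. Signature verification over authenticatorData || SHA-256(clientDataJSON) is a separate step that this block does not perform.

```python
"""Origin-binding and flag checks on WebAuthn authenticatorData (added example)."""
import hashlib
import hmac
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn spec, section 6.1)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN/biometric checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": auth_data[:32], "flags": auth_data[32], "signCount": sign_count}


def check_assertion(auth_data: bytes, rp_id: str, *, legacy_app_id=None,
                    appid_result=False, require_uv=False, stored_sign_count=0):
    """Return (ok, reason) for the binding, flag and counter checks of an assertion.

    appid_result is the client's result for the "appid" extension: True means the
    authenticator used a credential registered under the old U2F API, so the
    rpIdHash is SHA-256 of the AppID URL rather than of the RP ID.
    """
    parsed = parse_authenticator_data(auth_data)

    if appid_result:
        if legacy_app_id is None:
            return False, "client reported appid=true but no legacy AppID is configured"
        expected, label = hashlib.sha256(legacy_app_id.encode("utf-8")).digest(), "legacy U2F AppID"
    else:
        expected, label = hashlib.sha256(rp_id.encode("utf-8")).digest(), "RP ID"
    if not hmac.compare_digest(parsed["rpIdHash"], expected):
        return False, f"rpIdHash does not match {label}"

    if not parsed["flags"] & FLAG_UP:
        return False, "user presence (UP) flag not set"
    # Single-factor ("passwordless") login is only safe if the authenticator itself
    # verified the user; a bare touch is enough when a password is the first factor.
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "single-factor login requires user verification (UV) but flag not set"

    new_count = parsed["signCount"]
    if (new_count > 0 or stored_sign_count > 0) and new_count <= stored_sign_count:
        return False, "signature counter did not increase; possible cloned authenticator"
    return True, f"ok ({label} bound, signCount {stored_sign_count} -> {new_count})"


def make_auth_data(bound_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample of what an authenticator emits for an assertion.

    No attested credential data and no extension data, bound to bound_id
    (an RP ID such as "example.com", or a U2F AppID URL for legacy credentials).
    """
    return (hashlib.sha256(bound_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    RP_ID = "example.com"                       # assumed relying party
    APP_ID = "https://example.com/u2f-app-id"   # assumed legacy U2F AppID

    # Second-factor login with a credential registered through WebAuthn.
    print(check_assertion(make_auth_data(RP_ID, FLAG_UP, 5), RP_ID, stored_sign_count=4))
    # Same login with a key registered under the old U2F API: only valid via the appid extension.
    legacy = make_auth_data(APP_ID, FLAG_UP, 9)
    print(check_assertion(legacy, RP_ID, legacy_app_id=APP_ID, appid_result=True))
    print(check_assertion(legacy, RP_ID, legacy_app_id=APP_ID, appid_result=False))
    # Single-factor mode: a touch-only assertion is rejected, a UV assertion passes.
    print(check_assertion(make_auth_data(RP_ID, FLAG_UP, 5), RP_ID, require_uv=True))
    print(check_assertion(make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 5), RP_ID, require_uv=True))
```

The appid branch is the reason existing keys keep working after a site drops the U2F JavaScript API: a U2F credential is bound to the AppID URL, not to the RP ID, so the server has to know which of the two hashes to expect for each stored credential. The UV check is what makes the single-factor mode agl describes a policy decision on the relying party's side rather than something the browser can enforce.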

> But we're implementing the W3C Web Authentication (webauthn) spec and you can already use it in Chrome in place of U2F.

How are users going to differentiate between a webauthn permission request and a webusb permission request? The latter can be used for phishing attacks, which appears to defeat the entire purpose of having a U2F key.

https://www.wired.com/story/chrome-yubikey-phishing-webusb/

Webauthn and WebUSB UIs are very different. Additionally, Chrome has banned WebUSB from claiming Security Keys.

However, it remains the case that if the user downloads and runs exes, or otherwise grants the attacker direct access to the Security Key, then they can ask it to sign an authentication request for a given website. Such an attacker could also compromise the browser and wait for the user to login themselves etc.

> Chrome has banned WebUSB from claiming Security Keys

Since when? Is this extension now broken?

https://chrome.google.com/webstore/detail/smart-card-connect...

I don't know about the specific extension, but see https://groups.google.com/a/chromium.org/d/msg/blink-dev/LZX...

> Chrome has supported "U2F" (the first FIDO spec) for a while and all support for Security Keys in the last few years has been via this protocol.

Google U2F to their sites only works in Chrome. You can't use a Yubikey in say Firefox (FF supports it). The way they are making this all work isn't using open common cross browser standards.

I'm not sure if we're talking about the same exact service, but I'm definitely using a Yubikey with Firefox for Gmail. Not sure if it's enabled by default yet, IIRC I had to go into Firefox about:config and twiddle a bit somewhere. What service(s) don't work?

I know there used to be a bug where Google services, as well as some others, used some different code to handle u2f which broke on Firefox. This has been fixed for a while now it seems so I am not sure if this issue still exists.

Support was included starting with FF57, IIRC, although it was disabled by default -- I also enabled it at that time.

Now, in current versions of Firefox, I believe it is enabled by default (starting with FF59?).