by village-idiot 2739 days ago
U2F support is badly hampered by half-assed browser support. Only Chrome enables it by default, Firefox disables it by default, and no love from Safari. Even LastPass in the browser uses Yubico’s proprietary OTP algorithm rather than U2F.
2 comments

It seems that Apple is working to add support for hardware tokens. It is all a bit vague, but the latest Safari Preview notes state [1]:

Added support for CTAP HID authenticators on macOS

It also gives me "Web Authentication" under "Experimental features" in the Develop menu.

[1] https://developer.apple.com/safari/technology-preview/releas...

Isn't that WebAuthn support? That is different from U2F.

Yes and no. U2F is basically the MVP of WebAuthn. If you're doing this today you should ignore U2F and just implement WebAuthn.

Firefox has WebAuthn out of the box, and there's a hack behind a pref to half-arse U2F if you still need that.

It doesn't, though. I've been trying to implement WebAuthn and, as far as I know, CTAP 2 doesn't work on any browser yet.

U2F support in Firefox should work out of the box if the developers use the WebAuthn API and not the old JS library: https://hacks.mozilla.org/2018/01/using-hardware-token-based...

That was not my experience on Google and GitHub.

Google and GitHub both built their U2F support for Firefox before WebAuthn was released, and as you've pointed out, the U2F support in Firefox is gated out by default. Presumably Google, GitHub, and other companies that coded to U2F will migrate to WebAuthn eventually.