by akavel 2587 days ago
> "Enable FIDO U2F API, and permit registrations for Google Accounts"

Oh! Didn't expect that! Does this mean YubiKeys will now be working in GMail on Firefox?

Together with all the other stuff, this starts to look like a really important and major release of Firefox.

Yep, though technically one could enable this before now by tweaking the about:config security.webauth.u2f setting. (Which is something I've been having to do for a while now).

As a side note... the way Google handles U2F is somewhat out of spec. For example, you haven't been able to register a U2F device with Firefox on Google. I wonder if that's been worked around with this release? That would be great!

Otherwise, U2F has worked perfectly with sites like GitLab and GitHub, for example.

> the way Google handles U2F is somewhat out of spec.

Somewhat? As I understand it, it doesn’t even pretend to be fully specified. Chrome shipped it without going through the normal intent to ship process.

> about:config security.webauth.u2f

I still have this set to Value: "false" in Firefox 66.0.5 and it's working fine for Google Accounts.

Edit: I'm pretty sure I registered my Nitrokeys with Google back in 2017 using Chrome, so I'm just referring to signing in with them.

You could always sign in with any key; you just could only register keys via Chrome.

I seem to recall U2F sign-in always failing with Firefox for a long time. I remember having to switch to Chrome for U2F and frankly ended up using a different 2FA method for a couple of years because of that.

Yes, that's what they worked around in this release, and you can now register a U2F device with Firefox for Google Accounts. See their announcement blog post https://blog.mozilla.org/security/2019/04/04/shipping-fido-u... and the mozilla.dev.platform Intent-to-Ship post: https://groups.google.com/forum/#!msg/mozilla.dev.platform/q...

tl;dr (as I understand it): existing Android phones using NFC/Bluetooth U2F devices only speak the old U2F protocol, not WebAuthn, so if Google switched to WebAuthn registration, then you wouldn't be able to log into your account on Android, and they want to wait until all those Android devices die off. (Apparently it's in the part of Android that needs vendor updates, not in Google Play Services, so this reduces to the previously unsolved problem of Android OS updates on old devices.)
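The comment above contrasts two browser APIs: the legacy U2F JavaScript API that Firefox only exposed behind `security.webauth.u2f`, and WebAuthn. The following is an added illustration written for this page, not code from the thread, from Mozilla or from Google. It shows how a relying party's front end can detect which of the two a browser offers and how it builds WebAuthn options that keep working for keys that were originally registered under U2F, via the WebAuthn `appid` extension. The rpId `example.com`, the AppID URL, the `win` objects standing in for `window` and the byte values are all constructed for the example.

```javascript
// Added example, not code from the thread or from Mozilla/Google.
// Relying-party front-end helpers for the U2F -> WebAuthn transition.
// All identifiers (example.com, user ids, challenges) are constructed.

// base64url <-> bytes; WebAuthn wants BufferSources, servers usually send base64url.
function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  const bin = String.fromCharCode(...bytes);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Feature detection: prefer WebAuthn, use the legacy u2f API only as a fallback.
// `win` stands in for the browser's window object so this can be tested offline.
function detectRegistrationApi(win) {
  const cred = win && win.navigator && win.navigator.credentials;
  if (win && win.PublicKeyCredential && cred && typeof cred.create === "function") {
    return "webauthn";
  }
  if (win && win.u2f && typeof win.u2f.register === "function") {
    return "u2f-legacy";
  }
  return "unsupported";
}

// Options for navigator.credentials.create(). The challenge must come from the
// server, be random and single-use; anything shorter than 16 bytes is rejected.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  const challengeBytes = base64urlToBytes(challenge);
  if (challengeBytes.length < 16) throw new Error("challenge too short");
  return {
    publicKey: {
      challenge: challengeBytes,
      rp: { id: rpId, name: rpName },
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      // ES256 (COSE alg -7) is the only algorithm U2F-era hardware keys implement.
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],
      authenticatorSelection: { userVerification: "discouraged" },
      attestation: "direct",
      timeout: 60000,
    },
  };
}

// Options for navigator.credentials.get(). Keys registered through the old U2F
// API are bound to an AppID URL rather than an rpId; the WebAuthn `appid`
// extension lets the browser fall back to that AppID, so existing keys keep
// signing in without being re-registered.
function buildAssertionOptions({ rpId, challenge, credentialIds, legacyAppId }) {
  const options = {
    publicKey: {
      challenge: base64urlToBytes(challenge),
      rpId,
      allowCredentials: credentialIds.map((id) => ({
        type: "public-key",
        id: base64urlToBytes(id),
      })),
      userVerification: "discouraged",
      timeout: 60000,
    },
  };
  if (legacyAppId) options.publicKey.extensions = { appid: legacyAppId };
  return options;
}

// Constructed usage: a fixed 32-byte challenge stands in for a server-issued one.
const sampleChallenge = bytesToBase64url(new Uint8Array(32).fill(7));
const sampleGet = buildAssertionOptions({
  rpId: "example.com",
  challenge: sampleChallenge,
  credentialIds: ["AQID"],
  legacyAppId: "https://example.com", // constructed AppID of the old U2F registration
});
console.log(detectRegistrationApi(globalThis), sampleGet.publicKey.extensions);
```

In a real deployment the server, not the page, decides whether a stored credential came from a U2F registration and therefore needs the `appid` extension; the front end only passes that decision through.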

This is an anti-feature. Firefox enabled a deprecated standard because Google couldn't be bothered to move to the current standard. Classic catering to the big players.

They held off for a very long time, and I'm glad they did that. I'm also glad they switched, because the alternative is that either you don't use the most effective security option available or you stop using Firefox, both of which seem like even bigger long-term problems.

A case of "too big to fail"? "Stop using Google" wasn't even mentioned as an alternative!

The goal of a web browser is to browse the web, not to browse most of the web. Principled objection to a site doing something nonstandard is great when the goal is to get the site to fix it, so the browser's users can visit that site. Once it became clear Google wasn't going to fix it, refusing to ship support (that was already implemented!) only has the effect of hurting Firefox's users (slash telling some fraction of Firefox users to stop being Firefox users anymore) and not improving the web or maintaining internal engineering standards.

I can't find the source, but I believe they didn't upgrade to the newer standard due to some combination of existing keys and ChromeOS.

More Android than ChromeOS, but the source is https://groups.google.com/forum/#!msg/mozilla.dev.platform/q...

They helped write the new standard and it's been a standard for years now. There is really no excuse.

Well, they don't need an excuse. They are Google. :-/

I have a U2F Nitrokey and noticed it's been working in Firefox 66.0.5 for the last few weeks. I thought it was just an announcement I missed. I can confirm it works signing into a Google Account.