by lholden 2587 days ago
Yep, though technically one could enable this before now by tweaking the about:config security.webauth.u2f setting. (Which is something I've been having to do for a while now).

As a side note... the way Google handles U2F is somewhat out of spec. For example, you haven't been able to register a U2F device with Firefox on Google. I wonder if that's been worked around with this release? That would be great!

Otherwise, U2F has worked perfectly with sites like GitLab and GitHub for example.

3 comments

> the way Google handles U2F is somewhat out of spec.

Somewhat? As I understand it, it doesn’t even pretend to be fully specified. Chrome shipped it without going through the normal intent to ship process.

> about:config security.webauth.u2f

I still have this set to Value: "false" in Firefox 66.0.5 and it's working fine for Google Accounts.

Edit: I'm pretty sure I registered my Nitrokeys with Google back in 2017 using Chrome, so I'm just referring to signing in with them.

You could always sign in with any key, you just could only register keys via Chrome.

I seem to recall U2F sign-in always failing with Firefox for a long time. I remember having to switch to Chrome for U2F and frankly ended up using a different 2FA method for a couple of years because of that.

Yes, that's what they worked around in this release and you can now register a U2F device with Firefox for Google Accounts. See their announcement blog post https://blog.mozilla.org/security/2019/04/04/shipping-fido-u... and the mozilla.dev.platform Intent-to-Ship post: https://groups.google.com/forum/#!msg/mozilla.dev.platform/q...

tl;dr (as I understand it): existing Android phones using NFC/Bluetooth U2F devices only speak the old U2F protocol, not WebAuthn, so if Google switched to WebAuthn registration, then you wouldn't be able to log into your account on Android, and they want to wait until all those Android devices die off. (Apparently it's in the part of Android that needs vendor updates, not in Google Play Services, so this reduces to the previously unsolved problem of Android OS updates on old devices.)