In December 2014 the first public release of the Fido alliance's Universal 2nd Factor (U2F) specification was published. The idea behind this open specification is to provide a secure two-factor authentication method with affordable hardware keys and a friendly UX.
If I buy a hardware key that implements Fido U2F today, I can use it to log on to Google's GMail and Github. It is possible to use the same hardware key with any web service offering Fido U2F support, by design. The specification allows for three methods of communication: USB, NFC, and Bluetooth Low Energy (BLE). For Fido U2F to work, a browser implementing this technology is required. There is an issue about Fido U2F support in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729 Unfortunately, this issue appears to receive no priority from Mozilla. Reading the comments in this issue, it appears that despite the attractiveness of the Fido U2F specification, developers see support in Firefox as a deal-breaker. Personally, I feel that a security technology such as this needs at least one free software browser to support it to provide a viable alternative. Judging from the bounty placed on this Firefox issue (currently exceeding 1000 USD), there appears to be a fairly strong community desire to see this feature implemented. Commenters on the issue are, however, worried about the (perceived lack of) priority afforded to this issue. Developers participating in the issue recommended we post questions about the prioritizing of this issue to the mozilla.dev.platform mailing list. My apologies if this is not the place to discuss this issue. -- Is Fido U2F a technology that Mozilla can endorse and support? Could this technology be considered for inclusion in Firefox? -- Some background on this technology for those who are unfamiliar with it: The full Fido U2F specifications are available for download here: https://fidoalliance.org/specifications/overview/ https://fidoalliance.org/specifications/download/ Specifically, the U2F overview may be interesting if you want a more in-depth architectural overiew: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html Google announced support for Fido U2F a year ago, in October 2014, and Chrome currently implements the Fido U2F standard: https://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html Microsoft is backing this standard as well: https://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/ Yubico is one of the driving forces behind the Fido specifications from the manufacturers side. They produce USB and NFC hardware tokens that can be used with open security standards such as OATH-HOTP and OATH-TOTP. Their recent line-up includes Fido U2F support as well: https://www.yubico.com/products/yubikey-hardware/ Yubico on Fido U2F: https://www.yubico.com/applications/fido/ Yubico is not the only manufacturer — other Fido-certified keys can be found on Amazon — but they do appear to have a leading edge. I am personally interested in Fido U2F from a professional standpoint. The possibility to provide affordable two-factor authentication either through USB, NFC, or BLE is appealing, and my employer is considering opting for this standard to secure the health care software services we provide — cross-browser support is, however, a requirement. I am not affiliated with the Fido alliance or its backers. -- Kind regards, Jeroen Hoek Lable ✉ jeroen.h...@lable.nl GPG: 44D4 1D39 535A 1F9A 9509 92C5 A7A8 B913 D40D D022 http://lable.nl — KvK № 55984037 — BTW № NL8519.32.411.B.01
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform