On Thursday, November 5, 2015 at 1:18:44 AM UTC-7, Jeroen Hoek wrote:
> In December 2014 the first public release of the Fido alliance's
> Universal 2nd Factor (U2F) specification was published. The idea behind
> this open specification is to provide a secure two-factor authentication
> method with affordable hardware keys and a friendly UX.
> 
> If I buy a hardware key that implements Fido U2F today, I can use it to
> log on to Google's Gmail and GitHub. It is possible to use the same
> hardware key with any web service offering Fido U2F support, by design.
> The specification allows for three methods of communication: USB, NFC,
> and Bluetooth Low Energy (BLE).
> 
> For Fido U2F to work, a browser implementing this technology is required.
> 
> 
> There is an issue about Fido U2F support in Firefox:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
> 
> Unfortunately, this issue appears to receive no priority from Mozilla.
> Reading the comments in this issue, it appears that despite the
> attractiveness of the Fido U2F specification, developers see support in
> Firefox as a deal-breaker. Personally, I feel that a security technology
> such as this needs at least one free software browser to support it to
> provide a viable alternative.
> 
> Judging from the bounty placed on this Firefox issue (currently
> exceeding 1000 USD), there appears to be a fairly strong community
> desire to see this feature implemented. Commenters on the issue are,
> however, worried about the (perceived lack of) priority afforded to this
> issue.
> 
> Developers participating in the issue recommended we post questions
> about the prioritizing of this issue to the mozilla.dev.platform mailing
> list. My apologies if this is not the place to discuss this issue.
> 
> --
> 
> Is Fido U2F a technology that Mozilla can endorse and support?
> 
> Could this technology be considered for inclusion in Firefox?
> 
> --
> 
> Some background on this technology for those who are unfamiliar with it:
> 
> The full Fido U2F specifications are available for download here:
> 
> https://fidoalliance.org/specifications/overview/
> https://fidoalliance.org/specifications/download/
> 
> Specifically, the U2F overview may be interesting if you want a more
> in-depth architectural overview:
> 
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html
> 
> 
> Google announced support for Fido U2F a year ago, in October 2014, and
> Chrome currently implements the Fido U2F standard:
> 
> https://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html
> 
> 
> Microsoft is backing this standard as well:
> 
> https://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/
> 
> 
> Yubico is one of the driving forces behind the Fido specifications from
> the manufacturers' side. They produce USB and NFC hardware tokens that
> can be used with open security standards such as OATH-HOTP and
> OATH-TOTP. Their recent line-up includes Fido U2F support as well:
> 
> https://www.yubico.com/products/yubikey-hardware/
> 
> Yubico on Fido U2F:
> 
> https://www.yubico.com/applications/fido/
> 
> Yubico is not the only manufacturer -- other Fido-certified keys can be
> found on Amazon -- but they do appear to have a leading edge.
> 
> 
> I am personally interested in Fido U2F from a professional standpoint.
> The possibility to provide affordable two-factor authentication either
> through USB, NFC, or BLE is appealing, and my employer is considering
> opting for this standard to secure the health care software services we
> provide -- cross-browser support is, however, a requirement.
> 
> I am not affiliated with the Fido alliance or its backers.
> 
> --
> Kind regards,
> 
> Jeroen Hoek

This is definitely an important feature, but I'm not holding my breath.  I have 
had a lot of experience with Mozilla over the years and I really doubt anything 
will materialize in the near future.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
