
Firefox enables deprecated Fido U2F Support for Google Accounts - coffee--
https://groups.google.com/d/msg/mozilla.dev.platform/q5cj38hGTEA/lC834665BQAJ
======
snek
Damn shame to see the internet move backwards because Google refuses to use
the standardized APIs.

Edit: Usually HN is so angry about Google not following web standards but
everyone in this thread seems to be in favor of Google trampling the WebAuthn
standard. Weird.

~~~
jrockway
What sites could you sign into with a cryptographic second factor before
Google launched U2F? All that was out there were easily-phishable TOTP tokens.
Now you can register a security key and use it as a second factor on desktops
and phones. It's pretty impressive, though unfortunate that ultimately the
industry picked a similar-but-different standard.

What sites currently let me authenticate with WebAuthn? (Github still uses
U2F, it seems.)

~~~
phren0logy
Dropbox uses WebAuthn. They are, as far as I can tell, the most significant
site using it currently.

~~~
ecesena
Microsoft also supports passwordless login, the "novelty" of FIDO2. I just
found it out yesterday reading this article [1], page 3 (it's in German).

Disclaimer: I make the Solo key that's mentioned in the article.

[1] [https://www.golem.de/news/fido-sticks-im-test-endlich-schlechte-passwoerter-1903-139953-3.html](https://www.golem.de/news/fido-sticks-im-test-endlich-schlechte-passwoerter-1903-139953-3.html)

------
AdmiralAsshat
Would be nice. Even with the experimental settings turned on in about:config,
I could only _read_ input from my Yubikey, I couldn't add one. I had to
install Chromium just so I could add my Yubikey to my Google account.

~~~
akerl_
This is mentioned as a side note in the first comment of the Firefox issue:
they were explicitly whitelisting the “Sign” operation so that registration
didn’t work.

------
mediocrejoker
This is good. It's been working with FastMail for months so I'm not sure what
the problem was.

~~~
lkbm
From what I understand:

* FastMail has implemented WebAuthn, the newer standard, which Firefox supports.

* Google hasn't implemented WebAuthn because they have to(?) wait for the end-of-life of old Android devices.

* Firefox is going to put an override so that you can use the old standard on Google accounts, which Google does support.

It sounds like Google's slowness to enable WebAuthn is a somewhat legitimate
issue of backwards compatibility for old devices, though I haven't personally
evaluated it.

~~~
chrismorgan
FastMail is still using the old FIDO U2F API; we’ve been planning on migrating
to WebAuthn since it was finalised, but investigation revealed that the
migration would not be entirely straightforward (especially if tokens
registered with WebAuthn needed to still work with U2F, which at the time was
important but could probably now be skipped), so we deferred it, since the U2F
support is adequate for most users. I expect this is the experience with many
small teams that support the FIDO U2F API. Documentation on migration is
difficult to come by; I think
[https://www.imperialviolet.org/2018/03/27/webauthn.html](https://www.imperialviolet.org/2018/03/27/webauthn.html)
is the main source I’ve encountered.

~~~
lkbm
Thanks for the clarification.

------
drewg123
Not a web dev. Is there a way to force U2F with Firefox for Google accounts?
The lack of (obvious) U2F support in FF for Google accounts is one of the
things holding me back from switching back to FF from Chrome.

~~~
ecesena
Note that if you enable 2fa with Chrome, then you can log in with Firefox.
Just adding/removing keys (in Google) doesn't work.

~~~
chedabob
Yep, I've just been through this process on both personal and work Gsuite.

They've changed the message in Firefox to make it a little clearer this is how
to do it.

------
inetknght
Does this mean I can finally use my Yubikey in Firefox on Linux as my second
factor authentication with my Google accounts?

~~~
ecesena
Pretty sure you can already use it. You can't _register_ it currently.

~~~
taeric
I can confirm this.

I'm also curious if anyone in this topic has advice for how to make U2F a
habit. I posted
[https://news.ycombinator.com/item?id=19316509](https://news.ycombinator.com/item?id=19316509),
but didn't get anything. :(

------
breakingcups
For all the hooks Google has into nearly every Android device through Google
Play, I would've thought the one party for whom burned-in ROMs wouldn't be a
problem would be Google.

------
amluto
If you’re on Linux, you’ll want u2f-hidraw-policy installed to avoid
permission issues.

[https://github.com/amluto/u2f-hidraw-policy](https://github.com/amluto/u2f-hidraw-policy)

~~~
taeric
Is this necessary for newer installs? Pretty sure the Titan keys and the
YubiKey I have worked without any special setup on the latest Ubuntu.

~~~
amluto
AFAICT Ubuntu uses a big hack that maintains a list of known U2F tokens rather
than detecting whether the device speaks the U2F protocol. u2f-hidraw-policy
does the latter, so it’s forward compatible.

I should get it into upstream systemd.

------
caprese
Does this make Ledger Nanos work on Firefox now?

