[webkit-dev] Implementing Universal Second Factor (U2F)

Jacob Greenfield xales at naveria.com
Wed Feb 22 05:52:47 PST 2017 

I’m working on adding support to WebKit for FIDO U2F (JS API: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html Architecture overview: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html ). The FIDO U2F specification allows a secure second factor to be used during authentication flow, with bidirectional verification (token verifies server, server verifies token and token’s knowledge of a specific private key). There are current implementations in Chrome, Opera, and Blink (Firefox). I’m primarily interested in bringing support to Safari, so that is the focus what I am currently working on.

The (USB) protocol itself works by sending USB HID reports (packets) to the key and getting USB HID reports back. There is a reference implementation by one of the members of the specification group - libu2f-host (by Yubico); however, it is licensed under GPL and LGPLv2.1. It also depends on two more libraries, hidapi and libusb. Figuring that adding all of these dependencies to Safari might be undesirable, I wrote a clean-room implementation outside of WebKit that uses IOKit directly to access the device (conveniently, IOKit exposes nice HID stuff). I’m now at the stage of adding this to WebKit.

Before I move forward, there are a couple of things that would be great to get some input on:

- What to do about other platforms - no implementation, use libu2f-host for them, or use libu2f-host everywhere
- UI for key access permission - malicious sites could (eventually) lock up a key, as well as possibly identifying a user; the specification suggests displaying an info bar for user to allow access - but, I’m not familiar with the process of designing/adding browser chromes
- What process should communicate with the token - the protocol is robust and designed for many simultaneous accesses and appropriate isolation of them, so this can (should?) be per-page; IOKit needs a CFRunLoop to schedule the report receive callback on: should this be on the main runloop or on another thread just for U2F?
- Presumably, this should be gated behind a macro; does a suitable one exist, or add a new one?

Thank you!

- Jacob Greenfield

More information about the webkit-dev mailing list