[webkit-dev] Implementing Universal Second Factor (U2F)

Sam Weinig weinig at apple.com
Wed Feb 22 12:46:01 PST 2017

> On Feb 22, 2017, at 5:52 AM, Jacob Greenfield <xales at naveria.com> wrote:
> I’m working on adding support to WebKit for FIDO U2F (JS API: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html Architecture overview: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html ). The FIDO U2F specification allows a secure second factor to be used during authentication flow, with bidirectional verification (token verifies server, server verifies token and token’s knowledge of a specific private key). There are current implementations in Chrome, Opera, and Blink (Firefox). I’m primarily interested in bringing support to Safari, so that is the focus of what I am currently working on.

Hi Jacob, and welcome to WebKit.

I went looking for how to use the feature in Chrome and Firefox (I assume you meant Gecko (Firefox), not Blink (Firefox)). I’m a little confused as to how this feature is exposed in the other browsers. On the topic of the low-level MessagePort API, section 3 states “This specification does not describe how such a port is made available to RP web pages, as this is (for now) implementation and browser dependent” (https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#api-levels). Similarly, for the high-level API, it states in section 3.2, “Implementations may choose how to make such an API available to RP web pages. If such an API is provided, it should provide a namespace object u2f of the following interface” (https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level-javascript-api).

Do you have insight into how either of these APIs are exposed in other browsers? How do you plan on exposing them in WebKit?

I should say, generally, I am concerned with APIs that leave important details like how the APIs are exposed to the implementation, as they lead to non-interoperable implementations.

- Sam
