[webkit-dev] Implementing Universal Second Factor (U2F)

Rick Byers rbyers at chromium.org
Wed Feb 22 12:56:40 PST 2017

Chrome ships with a built-in extension that exposes the high-level API
(which I think we all agree is a hack).  We recently had this discussion
about the right path forward here, and agreed that we should instead focus
our efforts
on the Web Authentication API <https://w3c.github.io/webauthn/> instead,
since it seemed much more likely to be something that would become
interoperable between browsers.

On Wed, Feb 22, 2017 at 3:46 PM, Sam Weinig <weinig at apple.com> wrote:

> On Feb 22, 2017, at 5:52 AM, Jacob Greenfield <xales at naveria.com> wrote:
> I’m working on adding support to WebKit for FIDO U2F (JS API:
> https://fidoalliance.org/specs/fido-u2f-v1.1-id-
> 20160915/fido-u2f-javascript-api-v1.1-id-20160915.html Architecture
> overview: https://fidoalliance.org/specs/fido-u2f-v1.1-id-
> 20160915/fido-u2f-overview-v1.1-id-20160915.html ). The FIDO U2F
> specification allows a secure second factor to be used during
> authentication flow, with bidirectional verification (token verifies
> server, server verifies token and token’s knowledge of a specific private
> key). There are current implementations in Chrome, Opera, and Blink
> (Firefox). I’m primarily interested in bringing support to Safari, so that
> is the focus what I am currently working on.
> Hi Jacob, and welcome to WebKit.
> I went looking for how to use the feature in Chrome and Firefox (I assume
> you meant Gecko (Firefox), not Blink (Firefox)) I’m a little confused as to
> how this feature is exposed in the other browsers.  On the topic of the
> low-level MessagePort API, section 3 states “This specification does not
> describe how such a port is made available to RP web pages, as this is (for
> now) implementation and browser dependent” (https://fidoalliance.org/
> specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-
> api-v1.1-id-20160915.html#api-levels).  Similarly, for the high-level
> API, it states in section 3.2, “Implementations may choose how to make such
> an API available to RP web pages. If such an API is provided,
> it should provide a namespace object u2f of the following interface" (
> https://fidoalliance.org/specs/fido-u2f-v1.1-id-
> 20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#
> high-level-javascript-api).
> Do you have insight into how either of these APIs are exposed in other
> browsers? How do you plan on exposing them in WebKit?
> I should say, generally, I am concerned with APIs that leave important
> details like how the APIs are exposed to the implementation, as they lead
> to non-interoperable implementations.
> Thanks,
> - Sam
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-dev/attachments/20170222/a1dff991/attachment.html>

More information about the webkit-dev mailing list