Yubikey/U2F Key Support

Would the developers of Discourse consider allowing us to use U2F Keys for 2-factor authentication?

1 Like

As I understand it, browser support is still too immature to do so. Feel free to cite relevant examples for Safari, Edge, Chrome, and Firefox.

4 Likes

Yes as far as I know only Chrome adopted this standard. I agree we got to wait here, or someone can build a plugin.

Edge: The status of FIDO U2F in Microsoft Edge is Not currently planned - Microsoft Edge Development Not planned.

Firefox: Security/CryptoEngineering - MozillaWiki Supported in 57.

Safari: GitHub - Safari-FIDO-U2F/Safari-FIDO-U2F: FIDO U2F support for Safari. available via plugin.

2 Likes

It should be possible when WebAuthn is supported by major browsers. It’s already part of Firefox 60, will probably be in Chrome 67 and as far as I know it will be added to Edge and Safari in the near future.

https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en

8 Likes

+1 I’d like to see U2F support as well.

Gitlab supports U2F by requiring users who want to leverate it to sign up for 2-factor authentication first… then if the user is unable to log-in via a U2F dongle (not accessible, browser lacks support, etc), they can do the normal authy/authenticator 2-factor.

U2F dongles are also getting cheap. http://a.co/8Q4C20f

I think the approach of Gitlab would be the ideal, if the U2F is not available fallback to the traditional 2FA.

Google is already launching its own U2F key, so that will speed up the adoption and will ensure full support in all Google products.

That would keep Discourse in the lastest security measures.

Here is all the info about the adoption FIDO-U2F is getting

https://fidoalliance.org/adoption/overview/

2 Likes

There are also U2F tools like https://krypt.co which are very handy to use. Integration of U2F in general will be much welcome.

Yes, this is unavoidable at the moment cause even the Yubikey neo does not support u2f on iPhone X despite NFC.

Not against adding this, but there is no rush here.

3 Likes

The reason for that is just that Apple does not allow NFC to do this stuff. So no U2F key supports that…
However, obviously, that is not an argument again implementing this, if just one platform has does not properly implement support for that.
And, of course, you should always be able to use another 2FA mode (if configured) as a fallback if you cannot use FIDO U2F/WebAuthn keys (and yes, there are more than YubiKeys).

1 Like

https://caniuse.com/#feat=webauthn

Once Edge supports it, then Safari needs to fall in line. Not there yet.

5 Likes

Safari support is incoming: Release Notes for Safari Technology Preview 71 | WebKit

I think it’s worthwhile to point out people don’t need to buy a physical security key to use WebAuthn:

  • Chrome desktop allows the use of Macbook fingerprint scanner to log in
  • Chrome Android can use fingerprint and screen lock pattern/PIN to authenticate
  • MS Edge can use Windows Hello face and fingerprint scanners

I expect Apple to include TouchID/FaceID in the final version of Safari - and that these platform authenticators will be much more attractive for end-users than a roaming authenticator (Yubikey and the like).

FWIW I’ve played around with this gem: GitHub - cedarcode/webauthn-ruby: WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party

6 Likes

Yes, this would be fantastic. Huge fan of face login, I use it in Windows 10 and of course on new iPad and iPhone.

1 Like

With MS killing off Edge per se in favor of a Chromium based browser, “traditional” Edge seems to no longer be a significant factor.

2 Likes

Yes, that is one bright spot in that news story – we only need to wait for Safari now on this particular feature.

It’s generally not great news though.

https://appleinsider.com/articles/18/12/05/apple-testing-usb-security-key-support-for-safari

Less competition is never good news, particularly when there’s a good chance anticompetitive behavior may have squashed the small guy. How the tables have turned.

2 Likes

webAuthn is now official
https://www.w3.org/2019/03/pressrelease-webauthn-rec.html

1 Like

Yep, just needs to make its way into all the main production browsers now.

Oh, and iOS. No biggie :rofl:

1 Like

Firefox :white_check_mark:
Chrome :white_check_mark:
MS Edge :white_check_mark:
Android :white_check_mark:
Safari desktop Preview - works with some tweaks
Safari Mobile :no_entry_sign:

5 Likes