Google u2f 6/29/2023

Primary eng (and PM) want to deprecate and remove the legacy U2F API for interacting with security keys. (But not U2F security keys themselves, which will continue to work.)

Affected sites should migrate to the Web Authentication API (WebAuthn). Credentials that were originally registered via the U2F API can be challenged via WebAuthn. USB security keys that are supported by the U2F API are also supported by the WebAuthn API.

U2F is Chrome’s original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an Open Web standard and was subsumed by WebAuthn (launched in M67). Chrome never directly supported the FIDO U2F JavaScript API in Blink, but rather shipped a component extension called cryptotoken, which exposes an equivalent API. U2F and Cryptotoken are firmly in maintenance mode and we encouraged sites to migrate to WebAuthn two years ago.

U2F’s continued existence presents several issues:

Cryptotoken requests don’t trigger a permission prompt or any UI indicating that the website is interacting with a special type of USB device. Instead we rely on the website to handle UI for the requested security key interaction. We believe this isn’t ideal from a secure UX perspective. WebAuthn presents either a tab-modal dialog or UI provided by the operating system for every request.

Sites can unconditionally query U2F credentials when embedded in cross-origin iframes. WebAuthn guards this behavior behind a feature policy.

Because Cryptotoken is a component extension and externally connectable from any URL, it effectively exposes the runtime APIs unconditionally to the entire web. Removing cryptotoken will allow us to make these APIs unavailable to websites that are not explicitly listed as connectable by an extension.

WebAuthn has subsumed U2F and we don’t want to encourage new use of an old API.

The factory image on some Android devices predates WebAuthn’s existence and therefore only supports the U2F API. Because credentials registered via WebAuthn cannot be challenged via U2F, Google continues to require a mechanism for registering U2F-compatible security key credentials even after the U2F API has been removed from Chrome, or else users that register a security key on their desktop would be unable to sign into their affected Android devices with that security key.
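An added example (not code from the Chromium intent) of the migration path described above: challenging a credential that was registered through the U2F API with WebAuthn's FIDO `appid` extension, plus the server-side checks that change as a result. The App ID URL, rpId and key handle are constructed placeholders.

```javascript
// Added example (not code from the Chromium intent): challenging a U2F-registered
// credential through WebAuthn. App ID, rpId and key handles are constructed placeholders.

// U2F key handles are websafe-base64 without padding; WebAuthn wants the raw bytes.
function keyHandleToCredentialId(websafeB64) {
  const b64 = websafeB64.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Options for navigator.credentials.get({ publicKey }): stored key handles become allowCredentials
// ids and the old U2F App ID goes in the "appid" extension so the client hashes it instead of rpId.
function buildRequestFromU2fRegistration({ challenge, rpId, appId, keyHandles }) {
  return {
    challenge,
    rpId,
    userVerification: "discouraged", // U2F keys only attest user presence
    allowCredentials: keyHandles.map((kh) => ({
      type: "public-key",
      id: keyHandleToCredentialId(kh),
      transports: ["usb"],
    })),
    extensions: { appid: appId },
  };
}

// Server side: split authenticatorData into rpIdHash (32 bytes), flags and signCount.
function parseAuthenticatorData(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount: view.getUint32(33, false), // big-endian
  };
}

// If the client reports appid === true, rpIdHash is SHA-256(appId), not SHA-256(rpId);
// the server must hash the matching string before comparing, or every U2F-era login fails.
function rpIdHashInput(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true ? appId : rpId;
}

// Browser entry point (not invoked here): run the ceremony and report whether the
// legacy App ID was used, so the verifier knows which hash to expect.
async function signInWithU2fEraKey(options) {
  const cred = await navigator.credentials.get({ publicKey: options });
  return { assertion: cred, usedAppId: cred.getClientExtensionResults().appid === true };
}
```

The reverse direction does not exist: a credential created with WebAuthn has no U2F App ID bound to it, which is why the intent keeps a U2F-compatible registration path for older Android images.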