Mozilla Connect

(Note: similar ideas have been merged into this thread)

@Honza @Jon 

this might not be the correct place for my question, but it seems related, since I encountered it when enrolling for Github passkeys.

FIDO v1 Error Handling

is there any way to fail with a friendly message when a FIDO key is plugged in, but the site requires FIDO2? this has gotten me on other sites as well. Most browsers do not handle this well, though this may be faulty logic in the HTML/JS app or in API calls.

i have two yubikeys i use:

• A Yubikey 5ci with FIDO2
• A Yubikey 4 with FIDO (firmware 4.3.7)

A few sites let me enroll the FIDO device. However, each site that fails does so in a very cryptic way, which usually leads me into setting a breakpoint or examining DOM and JS. It's happened on Google, Github and my school's authentication (which formerly only supported FIDO and not FIDO2).

To reproduce

Try enrolling a FIDO v1 key on Github. It triggers an uncaught exception that for me leads to restricted cross-site API requests. Other DOM-related errors are then triggered. A bit confusing.

Feedback on passkeys & webauthn

The rest of the comment is just feedback. I probably won't be able to check in on the status and again. Sorry if it's the wrong place for this.

Thanks for the privacy-focused features like containers.

The reason these clear error messages important: for everyday people, tangible objects are an excellently simple way to be secure. FIDO and webauthn are about as simple as needing your keys to start your car. Very easy to explain and it's very easy to do, if the enrollment and authorization process is simple.

Most people have MFA-method fatigue and may be unwilling to adopt a novel method, even though it's simpler. However, the second that an everyday person encounters the unending onslaught of crypto acronyms, they'll reject this newer method. I also did not quite realize that passkeys would default to my yubikey.

The one other aspect that's confusing for hardware passkeys is enrolling multiple yubikeys. I don't think the average person would take the time to enroll both keys. The platform/browser keys used for passkeys aren't really satisfying. I guess a third-party service like OpenID or the newer auth startups would work.

apologies if this is a duplicate. my account is new, so maybe manual approval is needed. also, this might not be the correct place for my question, but it seems related, since I encountered it when enrolling for Github passkeys.

@Honza

FIDO v1 Error Handling

is there any way to fail with a friendly message when a FIDO key is plugged in, but the site requires FIDO2? this has gotten me on other sites as well. Most browsers do not handle this well, though this may be faulty logic in the HTML/JS app or in API calls.

i have two yubikeys i use:

A Yubikey 5ci with FIDO2
A Yubikey 4 with FIDO (firmware 4.3.7)

A few sites let me enroll the FIDO device. However, each site that fails does so in a very cryptic way, which usually leads me into setting a breakpoint or examining DOM and JS. It's happened on Google, Github and my school's authentication (which formerly only supported FIDO and not FIDO2).

To reproduce

Try enrolling a FIDO v1 key on Github. It triggers an uncaught exception that for me leads to restricted cross-site API requests. Other DOM-related errors are then triggered. A bit confusing.

Feedback on passkeys & webauthn

The rest of the comment is just feedback. I probably won't be able to check in on the status and again. Sorry if it's the wrong place for this.

Thanks for the privacy-focused features like containers.

The reason these clear error messages important: for everyday people, tangible objects are an excellently simple way to be secure. FIDO and webauthn are about as simple as needing your keys to start your car. Very easy to explain and it's very easy to do, if the enrollment and authorization process is simple.

Most people have MFA-method fatigue and may be unwilling to adopt a novel method, even though it's simpler. However, the second that an everyday person encounters the unending onslaught of crypto acronyms, they'll reject this newer method. I also did not quite realize that passkeys would default to my yubikey.

The one other aspect that's confusing for hardware passkeys is enrolling multiple yubikeys. I don't think the average person would take the time to enroll both keys. The platform/browser keys used for passkeys aren't really satisfying. I guess a third-party service like OpenID or the newer auth startups would work

Passkeys seem to finally work in 122.0b1, thanks!

I'm a bit confused by the messaging in the beta release notes:https://www.mozilla.org/en-US/firefox/122.0beta/releasenotes/

"Firefox now supports creating and using passkeys stored in the iCloud Keychain on macOS."

Does this mean that 1Password Passkeys will not be supported in 122?

I have been using Firefox for a long time and I am grateful that the project is alive thanks to many people. I would like to know the current status of support for passkeys and webauthn for Firefox (desktop for Windows) and Firefox for Android.

I have not found any information in the release notes for versions 120 and 121.  I would like to see more transparent communication about these and other planned features. 

• 1) What is the current status of the Psskey and webauthn features?
•  2) Is there a time frame for the implementation? 
• 3) Are features intended for a specific version of Firefox? 
• 4) Is there a current roadmap for Firefox? I have not found one.

Unfortunately how Firefox implemented Passkeys in 122 is pretty useless.

macOS prompts me again to store the key in iCloud Keychain instead of FFs password manager. Basically this makes the whole passkey implementation useless, since the whole point of FF having passkey support is to store the key in FFs password manager so I can sync the key between all OSes FF runs on.

@eraI beg to disagree, as I for one is not interested in the flow you describe there. Passkey implementations should always use the system support for passkeys on OS where it's possible (making my passkeys available across multiple browsers on same computer).

@eraI'd say it's implemented correctly. Passkey implementations should use the system implementation where available (macOS, Windows, iOS, Android).

If you want them synced across OS you can use password managers (both 1Password and Dashlane support it, Bitwarden will in the future if they haven't implemented it yet).

And if Firefox plans to support any sort of sync of passkeys beyond what I have mentioned, I don't think they have announced it yet unless I have missed it.

@heksesangOk, so you are saying there is no point to using Firefox - got it!

Why would I (or anyone for that matter) use Firefox if I didn't need a cross platform browser? If I wanted to tie my credentials to a specific platform I could just use Safari.

@heksesangAlso what is the point of the statement "just use a password manager". Firefox IS my password manager. I don't want to use crap like 1Password, Dashlane or BitWarden - that is the whole point of FF sync.

@heksesangwhenever I use a different browser on the same computer, it is to get a "clean slate" when it comes to logins etc. Other than that I don't see any need to use a different browser..? I do use firefox on multiple PCs though, and I would really like that passkeys worked the same way that password sync works today.

@eraIf you want a cross-platform way to handle credentials, you should use a cross-platform password manager. Those are made for that purpose.

Firefox, on the other hand, is a cross-platform browser, which is great if you want a cross-platform way to browse the Web. But if the only reason you use a cross-platform browser is to have cross-platform credentials, you really should look into cross-platform password managers instead (I mentioned a couple in the previous post). They have plugins so that they can be used in virtually any browser.