cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
era
New member
Status: In development

Firefox supports WebAuthn, but as far as I could tell only with hardware tokens. I could not find a word about Firefoxs support of Passkeys (like Apple announced recently) anywhere

Personally I don't know why passkeys werent adopted much sooner, it seems such a long hanging fruit to just store the key in the FF password manager.

I use FF to support a web where there is not only one option, like Chrome, but FF keeps falling behind and behind instead of being at the forefront. This should be a top priority.

126 Comments
Jon
Community Manager
Community Manager

(Note: similar ideas have been merged into this thread)

dcunited001
New member

@Honza @Jon 

this might not be the correct place for my question, but it seems related, since I encountered it when enrolling for Github passkeys.

FIDO v1 Error Handling

is there any way to fail with a friendly message when a FIDO key is plugged in, but the site requires FIDO2? this has gotten me on other sites as well. Most browsers do not handle this well, though this may be faulty logic in the HTML/JS app or in API calls.

i have two yubikeys i use:

  • A Yubikey 5ci with FIDO2
  • A Yubikey 4 with FIDO (firmware 4.3.7)

A few sites let me enroll the FIDO device. However, each site that fails does so in a very cryptic way, which usually leads me into setting a breakpoint or examining DOM and JS. It's happened on Google, Github and my school's authentication (which formerly only supported FIDO and not FIDO2).

To reproduce

Try enrolling a FIDO v1 key on Github. It triggers an uncaught exception that for me leads to restricted cross-site API requests. Other DOM-related errors are then triggered. A bit confusing.

Feedback on passkeys & webauthn

The rest of the comment is just feedback. I probably won't be able to check in on the status and again. Sorry if it's the wrong place for this.

Thanks for the privacy-focused features like containers.

The reason these clear error messages important: for everyday people, tangible objects are an excellently simple way to be secure. FIDO and webauthn are about as simple as needing your keys to start your car. Very easy to explain and it's very easy to do, if the enrollment and authorization process is simple.

Most people have MFA-method fatigue and may be unwilling to adopt a novel method, even though it's simpler. However, the second that an everyday person encounters the unending onslaught of crypto acronyms, they'll reject this newer method. I also did not quite realize that passkeys would default to my yubikey.

The one other aspect that's confusing for hardware passkeys is enrolling multiple yubikeys. I don't think the average person would take the time to enroll both keys. The platform/browser keys used for passkeys aren't really satisfying. I guess a third-party service like OpenID or the newer auth startups would work.

dcunited001
New member

apologies if this is a duplicate. my account is new, so maybe manual approval is needed. also, this might not be the correct place for my question, but it seems related, since I encountered it when enrolling for Github passkeys.

@Honza

FIDO v1 Error Handling

is there any way to fail with a friendly message when a FIDO key is plugged in, but the site requires FIDO2? this has gotten me on other sites as well. Most browsers do not handle this well, though this may be faulty logic in the HTML/JS app or in API calls.

i have two yubikeys i use:

A Yubikey 5ci with FIDO2
A Yubikey 4 with FIDO (firmware 4.3.7)

A few sites let me enroll the FIDO device. However, each site that fails does so in a very cryptic way, which usually leads me into setting a breakpoint or examining DOM and JS. It's happened on Google, Github and my school's authentication (which formerly only supported FIDO and not FIDO2).

To reproduce

Try enrolling a FIDO v1 key on Github. It triggers an uncaught exception that for me leads to restricted cross-site API requests. Other DOM-related errors are then triggered. A bit confusing.

Feedback on passkeys & webauthn

The rest of the comment is just feedback. I probably won't be able to check in on the status and again. Sorry if it's the wrong place for this.

Thanks for the privacy-focused features like containers.

The reason these clear error messages important: for everyday people, tangible objects are an excellently simple way to be secure. FIDO and webauthn are about as simple as needing your keys to start your car. Very easy to explain and it's very easy to do, if the enrollment and authorization process is simple.

Most people have MFA-method fatigue and may be unwilling to adopt a novel method, even though it's simpler. However, the second that an everyday person encounters the unending onslaught of crypto acronyms, they'll reject this newer method. I also did not quite realize that passkeys would default to my yubikey.

The one other aspect that's confusing for hardware passkeys is enrolling multiple yubikeys. I don't think the average person would take the time to enroll both keys. The platform/browser keys used for passkeys aren't really satisfying. I guess a third-party service like OpenID or the newer auth startups would work

tesmite
New member

I recently downgraded to version 117.0b5 of Android's Firefox Beta due to different circumstances.

When accessing My Nintendo, which doesn't support Passkey in the current version, I found sign in with Passkey became possible, and there was no longer a warning about "partial passkey support" on GitHub.

For some reason, Passkey support seems to have regressed in the latest version.

Gwaihir
Strollin' around

Passkeys seem to finally work in 122.0b1, thanks!

blimmer
New member

I'm a bit confused by the messaging in the beta release notes:https://www.mozilla.org/en-US/firefox/122.0beta/releasenotes/

"Firefox now supports creating and using passkeys stored in the iCloud Keychain on macOS."

Does this mean that 1Password Passkeys will not be supported in 122?

 

TylerM
New member

Hey @blimmer,

1Password's WebAuthn function will still continue to work as normal on Firefox. Meaning, you'll be able to use your passkeys just as usual when Firefox 122 rolls out.

1Password prioritizes their API over Firefox's so passkeys shown through their extension should always pop-up first.

Although, if you are still struggling to use passkeys on 1Password in Firefox, contact 1Password support at: https://support.1password.com/contact/ 

Many thanks!

Tho-mas
Strollin' around

I have been using Firefox for a long time and I am grateful that the project is alive thanks to many people. I would like to know the current status of support for passkeys and webauthn for Firefox (desktop for Windows) and Firefox for Android.

I have not found any information in the release notes for versions 120 and 121.  I would like to see more transparent communication about these and other planned features. 

 

  • 1) What is the current status of the Psskey and webauthn features?
  •  2) Is there a time frame for the implementation? 
  • 3) Are features intended for a specific version of Firefox? 
  • 4) Is there a current roadmap for Firefox? I have not found one.
era
New member

Unfortunately how Firefox implemented Passkeys in 122 is pretty useless.

macOS prompts me again to store the key in iCloud Keychain instead of FFs password manager. Basically this makes the whole passkey implementation useless, since the whole point of FF having passkey support is to store the key in FFs password manager so I can sync the key between all OSes FF runs on.

 

heksesang
New member

@eraI beg to disagree, as I for one is not interested in the flow you describe there. Passkey implementations should always use the system support for passkeys on OS where it's possible (making my passkeys available across multiple browsers on same computer).