Consider disabling webauthn

Fenix uses Google's fido library from Google Play. It is probably okay, but we should only intentionally use it.

changed milestone to %Tor Browser: 10.0

mentioned in issue #40215 (closed)

diff --git a/mobile/android/app/geckoview-prefs.js b/mobile/android/app/geckoview-prefs.js
index db07dc5a7b62..c4181f2fe2e8 100644
--- a/mobile/android/app/geckoview-prefs.js
+++ b/mobile/android/app/geckoview-prefs.js
@@ -68,10 +68,6 @@ pref("browser.safebrowsing.features.fingerprinting.update", true);
 // Treat mouse as touch only on TV-ish devices
 pref("ui.android.mouse_as_touch", 2);
 
-// Fenix is currently not whitelisted for Web Authentication
-pref("security.webauth.webauthn_enable_android_fido2", false);
-pref("security.webauth.webauthn", false);
-

We could revert that change in the short-term. That will set GetAndroidFido2Enabled() as false.

https://searchfox.org/mozilla-central/source/dom/webauthn/U2FTokenManager.cpp#108

And then we fallback to available hardware tokens: https://searchfox.org/mozilla-central/source/dom/webauthn/U2FTokenManager.cpp#277

@acat what do you think? Should we disable this?

I don't think the usb tokens currently work: https://searchfox.org/mozilla-central/rev/02cb78667e87ccc42fea5edc6f3f2dd2edd6ecd5/modules/libpref/init/all.js#156. So I the only webauthn implementation available seems to be currently the Google Play one. I guess @gk comment (#34193 (comment 2705801)) would also apply here, even though we'll probably never be able to audit this one (I assume it's not open source).

I haven't read much of the webauthn/fido2 spec, and I don't know if there can be anything in Google Play's implementation can lead to something like proxy bypass or other issues. Maybe we can keep this disabled for now and test/investigate a bit before deciding whether we enable in future versions. We can also see if there is demand for it from users.

There is the consistent-behavior-across-platforms angle, too, we should consider. I.e. we should have some reasons at least why we diverge if we diverge and Mozilla is not diverging.

Ah. Desktop is still bound by #26614 for webauthn. Allowing u2f but disabling webauthn seems like a strange decision for Tor Browser, unless we have a reason for thinking u2f is "safer" than webauthn.

Hm.

Android Firefox will (likely) never support U2F due to the available Android API: https://bugzilla.mozilla.org/show_bug.cgi?id=1550625#c7

Let's disable webauthn in 10.0 and we can evaluate it for 10.5. It provides nice usability improvements (especially on mobile). If access to the WebAPI is protected by a permission in the browser (and, more generally, the API doesn't leak authentication providers by default, then I think enabling this is a good idea).

Note: https://bugzilla.mozilla.org/show_bug.cgi?id=1550164

moved from fenix#40107 (moved)

I'm considering this as covered by #26614. I don't see a benefit in disabling adding security.webauth.webauthn_enable_android_fido2 in addition to security.webauth.webauthn.

closed

mentioned in issue #26614

mentioned in issue #34193

marked this issue as related to #41161

marked this issue as related to #41162

mentioned in issue #40783 (closed)

marked this issue as related to #26614