[security] Add FIDO U2F USB security key feature
Introduction:
-
Upstream Firefox Browser natively supports USB security tokens for U2F authentication to web sites that have implemented WebAuthn protocol.
-
WebAuthN allows users to enable, if they choose, pass-through to local hardware devices such as Yubikeys, SoloKeys, OneKey, etc.
-
Please note that U2F and WebAuthn standard work across different operating systems, architectures, and devices. My testing environment is desktop tor browser, but other versions of tor browser, e.g. Android release, should also add this support too.
-
Please note that USB security device access is only one type of device for FIDO U2F authentication. Other examples are NFC security token, fingerprint reader, or camera.
Feature Request:
- Tor Browser should also have ability to use USB security tokens for U2F.
- This is a critical feature that will prevent users from dropping insecure MFA options like SMS, and "authenticator apps".
- While full U2F standard compatibility would be ideal, USB device access is the minimum needed for users to be able to drop insecure MFA options.
Additional Information regarding testing environment:
- Tor Browser Version: Linux
10.0.15
x86_64 official. - Linux Kernel version:
5.11.7-051107-generic #202103171746
- Tor Browser was installed via flathub / flatpak package. (this is a wrapper for the official download sources)
flatpak install com.github.micahflee.torbrowser-launcher
Screenshots:
- Attached screenshot displays how Github.com is unable to access local hardware devices via Tor Browser hooks into USB.
"This browser doesn't support security keys yet."
(Github is one many providers that supports WebAuthn for U2F login.
Gitlab is another FOSS provider that fully supports WebAuthn.)
Reference:
Software + Libraries + Testing
- LibFido
- https://fidoalliance.org/specifications/
- https://en.wikipedia.org/wiki/Universal_2nd_Factor
- How to test USB security device - https://webauthn.me
Hardware:
- https://solokeys.com (fully open source hardware and software)
- https://www.yubico.com/product/yubikey-5c/
- https://onlykey.io
Missing security token web page in github.com security settings: