Would like to see the current FIDO U2F support updated to the w3c webauthn standard, and/or FIDO2 support added; from some high level reading it sounds like possibly FIDO2 is backwards compatible for previously-enrolled keys.
On Firefox at least, to make use of Bitwarden’s U2F support, you have to go into about:config and manually enable the legacy u2f setting. For those of us with iOS-based mobile devices, FIDO2 is likely going to be the first of these standardized protocols to be supported, whether by Apple’s hopelessly out of date Safari, or Firefox/Chrome mobile if they get around to it first.
I looked into this, mainly because webauthn is supported in Electron whereas window.u2f is not. This would allow us to use U2F with the desktop app.
However, I cannot find any sample code anywhere showing how to implement U2F register and sign functions using webauthn APIs. According to the spec, webauthn must be backwards compat with U2F, so it must be possible, I just can’t find any implementation guidance.
Not sure if this will be of any help at all, but most of the online references I can find that dig into the backwards compatibility topic seem to focus on CTAP1 vs CTAP2. An example, https://www.imperialviolet.org/2018/03/27/webauthn.html which, at the bottom, does touch on the issue of u2f and webauthn using domain name vs URL, etc.
@kspearrin I think you’re misunderstanding the backwards compatibility, there are no separate U2F functions in webauthn as far as I’m aware, the webauthn functions will just try again with U2F if it fails the first time with webauthn. Though I haven’t worked with either U2F or webauthn personally. This guide seems like a perfect breakdown of U2F to webauthn migration, it seems like the only issues with migration are U2F appid and encoding. This also seems like a great list of resources for webauthn.
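To make the "appid and encoding" point above concrete, here is an added example (not Bitwarden code, and not from the linked guide) of how a web client asks a WebAuthn browser for an assertion from a key that was originally enrolled through the legacy U2F API. The two things that differ from the old `window.u2f.sign()` call are exactly the ones mentioned: U2F key handles and challenges are base64url strings, while WebAuthn wants `ArrayBuffer`/`Uint8Array` values, and the key was registered against an AppID URL rather than an RP ID, so the request must carry the FIDO AppID extension (`extensions.appid`) for the authenticator to recognise the key handle. The AppID URL, RP ID, challenge and key handle below are constructed placeholders. Note that this only covers sign-in; there is no WebAuthn call that re-registers an existing U2F key, so new enrolments go through `navigator.credentials.create()` and produce ordinary WebAuthn credentials.

```javascript
// base64url <-> bytes, the encoding bridge between U2F-era string handles and WebAuthn BufferSources.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function bytesToBase64url(bytes) {
  let bin = '';
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build navigator.credentials.get() options for key handles that were enrolled via the legacy U2F API.
// challenge / keyHandles are base64url strings as a U2F-era server would have stored them.
function buildLegacyAssertionOptions({ challenge, keyHandles, appId, rpId, timeoutMs = 60000 }) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challenge),
      rpId,
      allowCredentials: keyHandles.map((kh) => ({
        type: 'public-key',
        id: base64urlToBytes(kh),            // U2F key handle becomes the credential ID
        transports: ['usb', 'nfc', 'ble'],   // U2F keys are roaming authenticators
      })),
      // U2F keys have no PIN or biometric; 'required' would silently exclude them.
      userVerification: 'discouraged',
      timeout: timeoutMs,
      // FIDO AppID extension: lets the authenticator match a key registered under the old AppID URL.
      extensions: { appid: appId },
    },
  };
}

// Flatten the PublicKeyCredential into base64url fields for the server. The server must hash the
// AppID (not the RP ID) when checking rpIdHash in authenticatorData if usedAppId is true.
function serializeAssertion(credential) {
  const r = credential.response;
  const ext = typeof credential.getClientExtensionResults === 'function'
    ? credential.getClientExtensionResults()
    : {};
  return {
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    clientDataJSON: bytesToBase64url(r.clientDataJSON),
    authenticatorData: bytesToBase64url(r.authenticatorData),
    signature: bytesToBase64url(r.signature),
    usedAppId: ext.appid === true,
  };
}

// Browser entry point; only callable where navigator.credentials exists (not in Node or old Electron).
async function signWithLegacyKey(params) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn is not available in this environment');
  }
  const credential = await navigator.credentials.get(buildLegacyAssertionOptions(params));
  return serializeAssertion(credential);
}

// Constructed sample values (not real key material) to show the shape of the request.
const SAMPLE_REQUEST = {
  challenge: 'AQID',                                  // bytes 01 02 03
  keyHandles: ['BAUG'],                               // bytes 04 05 06
  appId: 'https://vault.example.test/app-id.json',    // hypothetical legacy U2F AppID
  rpId: 'vault.example.test',                         // hypothetical WebAuthn RP ID
};

module.exports = { base64urlToBytes, bytesToBase64url, buildLegacyAssertionOptions, serializeAssertion, signWithLegacyKey, SAMPLE_REQUEST };
```

The server side keeps its existing U2F registrations untouched; the only change there is to verify the `rpIdHash` field against `SHA-256(appId)` when the client reports `usedAppId: true`, and against `SHA-256(rpId)` otherwise.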
I would like to point out that as of January 2021, the Bitwarden Community forum has better security key (FIDO) support than the web vault itself.
The forum software uses WebAuthn instead of the U2F API (so it works on all browsers) and also supports FIDO2 + platform authenticators (so you need to enter a PIN + you can add Windows Hello/Android as security keys) too.