Update fido/u2f to WebAuthn

Would like to see the current FIDO U2F support updated to the w3c webauthn standard, and/or FIDO2 support added; from some high level reading it sounds like possibly FIDO2 is backwards compatible for previously-enrolled keys.

On Firefox at least, to make use of Bitwarden’s U2F support, you have to go to about:config and manually enable the legacy u2f setting. For those of us with iOS-based mobile devices, FIDO2 is likely going to be the first of these standardized protocols to be supported, whether by Apple’s hopelessly out of date Safari, or Firefox/Chrome mobile if they get around to it first.

I looked into this, mainly because webauthn is supported in Electron whereas window.u2f is not. This would allow us to use U2F with the desktop app.

However, I cannot find any sample code anywhere showing how to implement U2F register and sign functions using webauthn APIs. According to the spec, webauthn must be backwards compat with U2F, so it must be possible, I just can’t find any implementation guidance.

This repo helped us. This guy is on the FIDO alliance.

This also would enable biometrics when logging into vault on Chrome for Android.

Very cool if implemented!


Not sure if this will be of any help at all, but most of the online references I can find that dig into the backwards compatibility topic seem to focus on CTAP1 vs CTAP2. An example, https://www.imperialviolet.org/2018/03/27/webauthn.html which, at the bottom, does touch on the issue of u2f and webauthn using domain name vs URL, etc.

@dabura667 I don’t see anything with this library that covers U2F?

I’d love to see support for fido2/webauthn/passwordless here…!

Here is a super great article that explains the plethora of concepts and then dives into the API.

And…: herrjemand/awesome-webauthn: A curated list of awesome WebAuthn/FIDO2 resources

HTH!

Note that Safari 13 now supports WebAuthn.
This would allow iOS & macOS users to authenticate using FIDO2/U2F :+1:


+1 for WebAuthN support please! :grin:

The native prompts when using supported browsers is much better than U2F, and is pretty well supported at present, and I’d expect it to be the standard for a while.

See a demo here: https://webauthn.io/

(Use a security key or platform authentication with a fingerprint MacBook or Android phone)

Or use https://krypt.co/ to make your phone act as a security key!

I’ve done this in Ruby myself, but have no experience of the Bitwarden stack.
This library might help:

And this particular section might help about the U2F migration (which has lots of links for other places to look):

Maybe this will be more help:


Here is a dev guide from Yubico:
https://developers.yubico.com/WebAuthn/
I hope it will help you


@kspearrin I think you’re misunderstanding the backwards compatibility; there are no separate U2F functions in webauthn as far as I’m aware. The webauthn functions will just try again with U2F if it fails the first time with webauthn. Though I haven’t worked with either U2F or webauthn personally. This guide seems like a perfect breakdown of U2F to webauthn migration; it seems like the only issues with migration are U2F appid and encoding. This also seems like a great list of resources for webauthn.

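The two migration points raised in the thread, the U2F AppID and the key-handle encoding, shown as an added example that is not from any poster or from Bitwarden's code. It uses the standard WebAuthn `appid` extension; the function names, domain, AppID URL and key handles are constructed placeholders.

```javascript
// Added example. Assumes key handles were stored at U2F enrollment as
// "websafe" base64 (base64url without padding), as the U2F JS API returned them.

// WebAuthn wants raw bytes in allowCredentials[].id, not a websafe string.
function websafeB64ToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions that let a key enrolled through the
// old U2F API answer a WebAuthn assertion request.
function buildU2fCompatibleRequest({ challenge, rpId, legacyAppId, keyHandles }) {
  return {
    challenge,                          // fresh random bytes from the server
    rpId,                               // WebAuthn scopes credentials to a domain
    allowCredentials: keyHandles.map((kh) => ({
      type: 'public-key',
      id: websafeB64ToBytes(kh),
    })),
    userVerification: 'discouraged',    // U2F keys only prove user presence
    extensions: { appid: legacyAppId }, // U2F scoped credentials to an AppID URL
    timeout: 60000,
  };
}

// If the client reports appid === true, the authenticator signed over
// SHA-256(AppID), so the server must compare rpIdHash against the hash of the
// AppID instead of the hash of rpId.
function rpIdHashInput(rpId, legacyAppId, clientExtensionResults) {
  const usedAppId = Boolean(clientExtensionResults) &&
    clientExtensionResults.appid === true;
  return usedAppId ? legacyAppId : rpId;
}

// Browser-only wrapper (defined here, not invoked): runs the ceremony and
// tells the caller which string the server should hash when verifying.
async function signInWithU2fKey(opts) {
  const cred = await navigator.credentials.get({
    publicKey: buildU2fCompatibleRequest(opts),
  });
  const ext = cred.getClientExtensionResults();
  return { cred, hashInput: rpIdHashInput(opts.rpId, opts.legacyAppId, ext) };
}
```

New registrations made with `navigator.credentials.create()` are bound to `rpId` only; the `appid` extension applies to assertions, so it is needed just for keys enrolled before the switch.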

I would like to point out that as of January 2021, the Bitwarden Community forum has better security key (FIDO) support than the web vault itself.
The forum software uses WebAuthn instead of the U2F API (so it works on all browsers) and also supports FIDO2 + platform authenticators (so you need to enter a PIN + you can add Windows Hello/Android as security keys) too.


Add as a 2FA webauthn like https://www.yubico.com/

I think the Web Vault code to change U2F to WebAuthn has been merged, but is not yet available in an official release. Looking at sample videos, it looks like a Windows Hello example is shown:

The current vault 2.19.0 was released 15 days ago.
The new code was merged 10 days ago.
So it will probably be available in the upcoming release (2.19.1 or 2.20.0?).

Also, server WebAuthn support merged 4 days ago:

And browser extension WebAuthn support merged 9 days ago:
