{"id":2435,"date":"2019-04-04T11:31:40","date_gmt":"2019-04-04T18:31:40","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2435"},"modified":"2019-04-05T08:32:48","modified_gmt":"2019-04-05T15:32:48","slug":"shipping-fido-u2f-api-support-in-firefox","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/","title":{"rendered":"Backward-Compatibility FIDO U2F support shipping soon in Firefox"},"content":{"rendered":"<p><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Web_Authentication_API\">Web Authentication (WebAuthn)<\/a>, a recent web standard blending public-key cryptography into website logins, is our best technical response to credential phishing. That\u2019s why we\u2019ve championed it as a technology. The <a href=\"https:\/\/fidoalliance.org\/specs\/fido-u2f-v1.0-nfc-bt-amendment-20150514\/fido-u2f-javascript-api.html\">FIDO U2F API<\/a> is the spiritual ancestor of WebAuthn; to-date, it\u2019s still much more commonly used. Firefox has had experimental support for the Javascript FIDO U2F API since version 57, as it was used to validate our Web Authentication implementation that then <a href=\"https:\/\/hacks.mozilla.org\/2018\/01\/using-hardware-token-based-2fa-with-the-webauthn-api\/\">shipped in Firefox 60<\/a>. Both technologies can help secure the logins of millions of users already in possession of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Universal_2nd_Factor\">FIDO U2F USB tokens<\/a>.<\/p>\n<p>We encourage the adoption of Web Authentication rather than the FIDO U2F API. However, some large web properties are encountering difficulty migrating: WebAuthn works with security credentials produced by the FIDO U2F API. However, WebAuthn-produced credentials cannot be used with the FIDO U2F API. For the entities affected, this could lead to poor user experiences and inhibit overall adoption of this critical technology.<\/p>\n<p>To smooth out this migration, after <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.platform\/q5cj38hGTEA\/lC834665BQAJ\">discussion on the mozilla.dev.platform mailing list<\/a>, we have decided to enable our support for the FIDO U2F API by default for all Firefox users. It&#8217;s enabled now in <a href=\"https:\/\/wiki.mozilla.org\/Releases\/Firefox_68\">Firefox Nightly 68<\/a>, and we plan for it to be <a href=\"https:\/\/wiki.mozilla.org\/Release_Management\/Uplift_rules\">uplifted<\/a> into <a href=\"https:\/\/wiki.mozilla.org\/Releases\/Firefox_67\">Firefox Beta 67<\/a> in the coming week.<\/p>\n<h2>Enabling FIDO U2F API in Firefox<\/h2>\n<div id=\"attachment_2436\" style=\"width: 262px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/u2fdemo.png\"><img aria-describedby=\"caption-attachment-2436\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-2436\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/u2fdemo-252x293.png\" alt=\"\" width=\"252\" height=\"293\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/u2fdemo-252x293.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/u2fdemo-600x697.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/u2fdemo.png 677w\" sizes=\"(max-width: 252px) 100vw, 252px\" \/><\/a><p id=\"caption-attachment-2436\" class=\"wp-caption-text\">A FIDO U2F API demo website being activated<\/p><\/div>\n<p>Firefox\u2019s implementation of the FIDO U2F API accommodates only the common cases of the specification; for details, see the <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.platform\/q5cj38hGTEA\/lC834665BQAJ\">mailing list discussion<\/a>. For those who are interested in using FIDO U2F API before they update to version 68, Firefox power users have successfully utilized the FIDO U2F API by enabling the \u201c<strong>security.webauth.u2f<\/strong>\u201d <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/about-config-editor-firefox\">preference in about:config<\/a> since Quantum shipped in 2017.<\/p>\n<p>Currently, the places where Firefox\u2019s implementation is incomplete are expected to remain so. \u00a0With the increase of using biometric mechanisms such as face recognition or fingerprints in devices, we are focusing our support on WebAuthn. It provides a sophisticated level of authentication and cryptography that will protect Firefox users.<\/p>\n<h2>The future of anti-phishing is Web Authentication<\/h2>\n<p>It\u2019s important that the Web move to Web Authentication rather than building new capabilities with the deprecated, legacy FIDO U2F API. Now <a href=\"https:\/\/www.w3.org\/2019\/03\/pressrelease-webauthn-rec.html\">a published Recommendation at the W3C<\/a>, Web Authentication has support for many more use cases than the legacy technology, and a much more robustly-examined browser security story.<\/p>\n<p>Ultimately, it\u2019s most important that Firefox users be able to protect their accounts with the strongest protections possible. We believe the strongest \u00a0to be Web Authentication, as it has improved usability via platform authenticators, <a href=\"https:\/\/blog.mozilla.org\/security\/2019\/03\/19\/passwordless-web-authentication-support-via-windows-hello\/\">capabilities for &#8220;passwordless&#8221; logins<\/a>, and more advanced security keys and tokens.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Web Authentication (WebAuthn), a recent web standard blending public-key cryptography into website logins, is our best technical response to credential phishing. That\u2019s why we\u2019ve championed it as a technology. The &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/\">Read more<\/a><\/p>\n","protected":false},"author":1349,"featured_media":2437,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320796],"tags":[320796,320798],"coauthors":[45540],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Backward-Compatibility FIDO U2F support shipping soon in Firefox - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"Firefox will now support FIDO U2F for all users, permitting the older form of using security keys for Web Authentication.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"J.C. Jones\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/\",\"name\":\"Backward-Compatibility FIDO U2F support shipping soon in Firefox - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg\",\"datePublished\":\"2019-04-04T18:31:40+00:00\",\"dateModified\":\"2019-04-05T15:32:48+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde\"},\"description\":\"Firefox will now support FIDO U2F for all users, permitting the older form of using security keys for Web Authentication.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg\",\"width\":1381,\"height\":1381,\"caption\":\"A set of security keys usable with Web Authentication or with the FIDO U2F API.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Backward-Compatibility FIDO U2F support shipping soon in Firefox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde\",\"name\":\"J.C. Jones\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/d063fc46e7671301c178b2781210dff7\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g\",\"caption\":\"J.C. Jones\"},\"description\":\"Keeping people safe on the 'net. Cryptography Engineering lead for Firefox.\",\"sameAs\":[\"https:\/\/tacticalsecret.com\/\",\"https:\/\/x.com\/JamesPugJones\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Backward-Compatibility FIDO U2F support shipping soon in Firefox - Mozilla Security Blog","description":"Firefox will now support FIDO U2F for all users, permitting the older form of using security keys for Web Authentication.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/","twitter_misc":{"Written by":"J.C. Jones","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/","url":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/","name":"Backward-Compatibility FIDO U2F support shipping soon in Firefox - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg","datePublished":"2019-04-04T18:31:40+00:00","dateModified":"2019-04-05T15:32:48+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde"},"description":"Firefox will now support FIDO U2F for all users, permitting the older form of using security keys for Web Authentication.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/04\/Security-Keys.jpg","width":1381,"height":1381,"caption":"A set of security keys usable with Web Authentication or with the FIDO U2F API."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2019\/04\/04\/shipping-fido-u2f-api-support-in-firefox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Backward-Compatibility FIDO U2F support shipping soon in Firefox"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f2bfcea9a0c404ce2431925922bedbde","name":"J.C. Jones","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/d063fc46e7671301c178b2781210dff7","url":"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/64eb1412c9354cf356df31936368cdac?s=96&d=identicon&r=g","caption":"J.C. Jones"},"description":"Keeping people safe on the 'net. Cryptography Engineering lead for Firefox.","sameAs":["https:\/\/tacticalsecret.com\/","https:\/\/x.com\/JamesPugJones"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2435"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1349"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2435"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2435\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media\/2437"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2435"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}