FIDO U2F tokens Web Browsers compatibilty

问题

This question was migrated from Information Security Stack Exchange because it can be answered on Stack Overflow. Migrated 4 years ago.

I'm trying to integrate U2F Authentication in GWT project and I need to know if is this solution compatible with all new web browsers (Firefox, Internet Explorer, Safari...)? Normally in Google Chrome I've to install a plugin that's called "FIDO U2F (Universal 2nd Factor) extension". Is the same for others browsers?

Is there any way to work without a plugin for new web browser?

回答1:

• Do other browsers support U2F? currently not.
• Is there any way to work without a plugin for a new web browser? No, that's the whole point of U2F: a phishing attack is made impossible thanks to direct communication with the browser.

Extra information

You had to install a plugin in Chrome in the past, currently (I think starting from version 40), this is not required anymore: U2F capability is built in from that version on in Chrome. As to which other browsers support U2F: currently none. Firefox supports U2F via the U2F Support Add-on, and is working on supporting U2F natively.

Microsoft reportedly will include FIDO support in Windows 10. It might be possible that browsers will rely on the OS-U2F-check then, and do not (need to) include FIDO support directly anymore. However, this is speculation only for the moment.

An easy compatibility check I'd like to carry out is to use the Yubikey's demo site.. It will be reported immediately when your browser does not support U2F (try opening the demosite in Firefox and see what happens).

回答2:

Yes, it is an old thread, but let's make an update:

2016 September update : FIDO U2F browser support

• Chrome for Windows, OS X and Linux: Yes (Built-in)
• Chrome for Android [for FIDO U2F over NFC and over BLE devices]: Yes (You still have to download the official Google Authenticator App but this requirement will disappear in the future)
• Firefox: Devs are now officially working on it. Mozilla Foundation joined the FIDO Alliance. For now, while waiting for the official built-in support, you can use this great addon: https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/ (It won't work on websites that do not know Firefox can be used too...)
• Safari, Internet Explorer and Edge: No U2F support is even planned, but who cares anyway... :)
• Just for the record: Opera Public Beta (v41) has U2F built-in support too. The next stable release should support FIDO U2F too.

回答3:

1. Google Chrome: out-the-box since Chrome 41 (no extension required) https://support.google.com/accounts/answer/6103523?hl=en
2. Internet Explorer: "in development" https://dev.modern.ie/platform/status/fido20webapis/
3. Mozilla Firefox: popular feature request https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

回答4:

It isn't specifically true that browsers can't add compatibility via extensions as per Michael's post, the issue isn't that it's secure because the browser "directly communicates" - USB can be sniffed so U2F isn't secure in that sense, which is precisely why it has defences against replay attacks.

The issue relates to browsers not generally having support internally to directly talk to USB devices - or more usefully for extensions to do that (but that would throw up other unrelated security concerns). It's perfectly plausible for a piece of software to act as an intermediary for an extension and pass on authentication events to a FIDO device; I've investigated the possibility and it absolutely would work without harming the security of U2F itself - native browser support would be preferable though.

来源：https://stackoverflow.com/questions/29121484/fido-u2f-tokens-web-browsers-compatibilty