Security/Web Authentication


Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to continue supporting the Web Authentication (WebAuthn) specification.

Useful testing sites

Web Authentication

U2F (behind a pref, experimental, not released)

Platform support

Desktop platforms

On Windows 10, Firefox supports using Windows Hello for WebAuthn, which provides support for many compliant devices as well as built-in platform authenticators.

On other desktop platforms, Firefox uses the Rust authenticator-rs package for WebAuthn, which as of Sept 2020 supports CTAP1 (U2F) devices over USB.

Mobile platforms

Firefox for Android (Fenix) supports the Google Play Services FIDO2 authenticator for WebAuthn, which provides support for many compliant devices as well as built-in platform authenticators such as fingerprint sensors.

Allow-listing

The FIDO2 authenticator requires that the application be signed by an approved signing key for WebAuthn to work; otherwise, a SECURITY_ERROR is the most likely result. Mozilla worked with Google to add several signing keys to the allow-list; all of these signing keys are protected in hardware security modules as part of Mozilla's release infrastructure. Because those keys are only usable within that infrastructure, testing WebAuthn support on Android is complex.

Allowed In Release

 // Allow-list entries for release builds: each Android package name is paired
 // with the 32-byte SHA-256 fingerprint of the certificate that signs it. The
 // openssl commands below show the derivation for the Fenix entries; the
 // earlier entries presumably use the same derivation.
 // NOTE(review): a public static final byte[] is still a mutable array, so any
 // caller holding a reference can overwrite the fingerprint bytes. If untrusted
 // code can reach these constants, expose a defensive copy instead.
 public static final String FIREFOX_RELEASE_PACKAGE_NAME = "org.mozilla.firefox";
 public static final byte[] FIREFOX_RELEASE_FINGERPRINT =
     new byte[] {
       (byte) 0xA7, (byte) 0x8B, (byte) 0x62, (byte) 0xA5, (byte) 0x16, (byte) 0x5B,
       (byte) 0x44, (byte) 0x94, (byte) 0xB2, (byte) 0xFE, (byte) 0xAD, (byte) 0x9E,
       (byte) 0x76, (byte) 0xA2, (byte) 0x80, (byte) 0xD2, (byte) 0x2D, (byte) 0x93,
       (byte) 0x7F, (byte) 0xEE, (byte) 0x62, (byte) 0x51, (byte) 0xAE, (byte) 0xCE,
       (byte) 0x59, (byte) 0x94, (byte) 0x46, (byte) 0xB2, (byte) 0xEA, (byte) 0x31,
       (byte) 0x9B, (byte) 0x04
     };
 // Beta is signed with the release key, so it aliases the release fingerprint
 // (same array object, not a copy).
 public static final String FIREFOX_BETA_PACKAGE_NAME = "org.mozilla.firefox_beta";
 public static final byte[] FIREFOX_BETA_FINGERPRINT = FIREFOX_RELEASE_FINGERPRINT;
 public static final String FIREFOX_FOCUS_PACKAGE_NAME = "org.mozilla.focus";
 public static final byte[] FIREFOX_FOCUS_FINGERPRINT =
     new byte[] {
       (byte) 0x62, (byte) 0x03, (byte) 0xA4, (byte) 0x73, (byte) 0xBE, (byte) 0x36,
       (byte) 0xD6, (byte) 0x4E, (byte) 0xE3, (byte) 0x7F, (byte) 0x87, (byte) 0xFA,
       (byte) 0x50, (byte) 0x0E, (byte) 0xDB, (byte) 0xC7, (byte) 0x9E, (byte) 0xAB,
       (byte) 0x93, (byte) 0x06, (byte) 0x10, (byte) 0xAB, (byte) 0x9B, (byte) 0x9F,
       (byte) 0xA4, (byte) 0xCA, (byte) 0x7D, (byte) 0x5C, (byte) 0x1F, (byte) 0x1B,
       (byte) 0x4F, (byte) 0xFC
     };
 // Nightly still uses the legacy Fennec package name.
 public static final String FIREFOX_NIGHTLY_PACKAGE_NAME = "org.mozilla.fennec_aurora";
 public static final byte[] FIREFOX_NIGHTLY_FINGERPRINT =
     new byte[] {
       (byte) 0xBC, (byte) 0x04, (byte) 0x88, (byte) 0x83, (byte) 0x8D, (byte) 0x06,
       (byte) 0xF4, (byte) 0xCA, (byte) 0x6B, (byte) 0xF3, (byte) 0x23, (byte) 0x86,
       (byte) 0xDA, (byte) 0xAB, (byte) 0x0D, (byte) 0xD8, (byte) 0xEB, (byte) 0xCF,
       (byte) 0x3E, (byte) 0x77, (byte) 0x30, (byte) 0x78, (byte) 0x74, (byte) 0x59,
       (byte) 0xF6, (byte) 0x2F, (byte) 0xB3, (byte) 0xCD, (byte) 0x14, (byte) 0xA1,
       (byte) 0xBA, (byte) 0xAA
     };
 public static final String FIREFOX_ROCKET_PACKAGE_NAME = "org.mozilla.rocket";
 public static final byte[] FIREFOX_ROCKET_FINGERPRINT =
     new byte[] {
       (byte) 0x86, (byte) 0x3A, (byte) 0x46, (byte) 0xF0, (byte) 0x97, (byte) 0x39,
       (byte) 0x32, (byte) 0xB7, (byte) 0xD0, (byte) 0x19, (byte) 0x9B, (byte) 0x54,
       (byte) 0x91, (byte) 0x12, (byte) 0x74, (byte) 0x1C, (byte) 0x2D, (byte) 0x27,
       (byte) 0x31, (byte) 0xAC, (byte) 0x72, (byte) 0xEA, (byte) 0x11, (byte) 0xB7,
       (byte) 0x52, (byte) 0x3A, (byte) 0xA9, (byte) 0x0A, (byte) 0x11, (byte) 0xBF,
       (byte) 0x56, (byte) 0x91
     };
 // The fingerprint bytes below are the colon-separated digest from this command,
 // transcribed in order; keep the comment and the array in sync when rotating keys.
 // openssl x509 -sha256 -fingerprint -in org.mozilla.fenix.pem
 // SHA256 Fingerprint=50:04:77:90:88:E7:F9:88:D5:BC:5C:C5:F8:79:8F:EB:F4:F8:CD:08:4A:1B:2A:46:EF:D4:C8:EE:4A:EA:F2:11
 public static final String FIREFOX_FENIX_PACKAGE_NAME = "org.mozilla.fenix";
 public static final byte[] FIREFOX_FENIX_FINGERPRINT =
     new byte[] {
       (byte) 0x50, (byte) 0x04, (byte) 0x77, (byte) 0x90, (byte) 0x88, (byte) 0xE7,
       (byte) 0xF9, (byte) 0x88, (byte) 0xD5, (byte) 0xBC, (byte) 0x5C, (byte) 0xC5,
       (byte) 0xF8, (byte) 0x79, (byte) 0x8F, (byte) 0xEB, (byte) 0xF4, (byte) 0xF8,
       (byte) 0xCD, (byte) 0x08, (byte) 0x4A, (byte) 0x1B, (byte) 0x2A, (byte) 0x46,
       (byte) 0xEF, (byte) 0xD4, (byte) 0xC8, (byte) 0xEE, (byte) 0x4A, (byte) 0xEA,
       (byte) 0xF2, (byte) 0x11
     };
 // openssl x509 -sha256 -fingerprint -in org.mozilla.fenix.beta.pem
 // SHA256 Fingerprint=F5:62:C0:8F:30:77:86:86:D2:A4:7B:85:8F:45:E9:EF:35:70:83:08:5C:B2:89:1A:96:C4:09:F3:60:E9:CA:B9
 public static final String FIREFOX_FENIX_BETA_PACKAGE_NAME = "org.mozilla.fenix.beta";
 public static final byte[] FIREFOX_FENIX_BETA_FINGERPRINT =
     new byte[] {
       (byte) 0xF5, (byte) 0x62, (byte) 0xC0, (byte) 0x8F, (byte) 0x30, (byte) 0x77,
       (byte) 0x86, (byte) 0x86, (byte) 0xD2, (byte) 0xA4, (byte) 0x7B, (byte) 0x85,
       (byte) 0x8F, (byte) 0x45, (byte) 0xE9, (byte) 0xEF, (byte) 0x35, (byte) 0x70,
       (byte) 0x83, (byte) 0x08, (byte) 0x5C, (byte) 0xB2, (byte) 0x89, (byte) 0x1A,
       (byte) 0x96, (byte) 0xC4, (byte) 0x09, (byte) 0xF3, (byte) 0x60, (byte) 0xE9,
       (byte) 0xCA, (byte) 0xB9
     };
 // openssl x509 -sha256 -fingerprint -in org.mozilla.fenix.nightly.pem
 // SHA256 Fingerprint=77:EA:C4:CE:ED:36:AF:EF:BA:76:17:99:31:DD:4C:C1:95:AB:0C:D5:4B:AF:35:5D:21:5E:7B:BD:D2:8E:40:2A
 public static final String FIREFOX_FENIX_NIGHTLY_PACKAGE_NAME = "org.mozilla.fenix.nightly";
 public static final byte[] FIREFOX_FENIX_NIGHTLY_FINGERPRINT =
     new byte[] {
       (byte) 0x77, (byte) 0xEA, (byte) 0xC4, (byte) 0xCE, (byte) 0xED, (byte) 0x36,
       (byte) 0xAF, (byte) 0xEF, (byte) 0xBA, (byte) 0x76, (byte) 0x17, (byte) 0x99,
       (byte) 0x31, (byte) 0xDD, (byte) 0x4C, (byte) 0xC1, (byte) 0x95, (byte) 0xAB,
       (byte) 0x0C, (byte) 0xD5, (byte) 0x4B, (byte) 0xAF, (byte) 0x35, (byte) 0x5D,
       (byte) 0x21, (byte) 0x5E, (byte) 0x7B, (byte) 0xBD, (byte) 0xD2, (byte) 0x8E,
       (byte) 0x40, (byte) 0x2A
     };

Additionally Allowed in Userdebug Android Builds

 // Debug entry, allow-listed only in userdebug Android builds (not in release
 // builds). Its 32-byte fingerprint differs from every release entry above, so
 // it is signed by a separate key; the page notes that key is for internal use.
 // NOTE(review): as with the release entries, this is a mutable public array --
 // expose a copy if untrusted code can reach it.
 public static final String FIREFOX_WEBAUTHN_DEBUG_PACKAGE_NAME =
     "org.mozilla.fennec_webauthndebug";
 public static final byte[] FIREFOX_WEBAUTHN_DEBUG_FINGERPRINT =
     new byte[] {
       (byte) 0xBD, (byte) 0xAE, (byte) 0x82, (byte) 0x02, (byte) 0x80, (byte) 0xD2,
       (byte) 0xAF, (byte) 0xB7, (byte) 0x74, (byte) 0x94, (byte) 0xEF, (byte) 0x22,
       (byte) 0x58, (byte) 0xAA, (byte) 0x78, (byte) 0xA9, (byte) 0xAE, (byte) 0xA1,
       (byte) 0x36, (byte) 0x41, (byte) 0x7E, (byte) 0x8B, (byte) 0xC2, (byte) 0x3D,
       (byte) 0xC9, (byte) 0x87, (byte) 0x75, (byte) 0x2E, (byte) 0x6F, (byte) 0x48,
       (byte) 0xE8, (byte) 0x48
     };

The signing key for this userdebug build is available for internal use only; contact Crypto Engineering or use this internal link.