Changes

* 2018 Q1: Move error-string formatting for our error pages into the front-end JavaScript* 2018 Q2: Retool the "See more" sections of error pages using JavaScript to provide more help* 2018 Q3: Continue work on our Certificate Transparency implementation and test infrastructure[[Security/CryptoEngineering/Intermediate Preloading|Intermediate Preloading]]

Password authentication is known to be a security liability on the Web. The [https://www.w3.org/TR/webauthn/ W3C Web Authentication Working Group is developing a specification] for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement continue supporting the Web Authentication (WebAuthn) specification.

* 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.** You can test a "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/ * 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.** [https://groups.google.com/d/msg/mozilla.dev.platform/F0rCRF8z87E/CPh7dIJ9BQAJ Intent to Implement Announcement]** [https://lists.w3.org/Archives/Public/public-webauthn/2017Jan/0083.html Ready For Experiment Announcement]* 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows. [https://github.com/jcjones/u2f-hid-rs/ rust u2f-hid-rs library]* 2017 Q2-3: Integrate '''USB HID U2F hardware support''' into Firefox.** Done in '''Firefox 57'''.* 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.** Done in '''Firefox 56'''* 2017 Q3: Integrate hardware support with the '''FIDO U2F v1.1 JS API'''** Done in '''Firefox 57'''.* 2017 September: Interoperability ==== Useful testing for WebAuthn.** Done.* 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.** [https://bugzilla.mozilla.org/show_bug.cgi?idsites ====1384776 Bug 1384776]* 2019: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)** [https://github.com/jcjones/u2f-hid-rs/issues/33 u2f-hid-rs Issue #33]* 2019: Support U2F hardware for Firefox for Android.** [https://github.com/jcjones/u2f-hid-rs/issues/42 u2f-hid-rs Issue #42]

All of the above dates are for landing in Firefox Nightly.  '''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in '''Firefox 57'''), and Web Authentication (on by default) in Firefox 59 or 60. (See [[RapidRelease/Calendar]]) === Using U2F / WebAuthn === WebAuthn is enabled by default. To enable U2F as well, enable this preference in '''about:config''':* securityhttps://webauthn.webauthbin.u2fcoffee/ Enabling debugging (example for OSX):  MOZ_LOG="webauthnmanager:5, webauth_u2f:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager* https:5" ~/Desktop/NightlyDebugwebauthn.appio/Contents* https:/MacOS/firefox Enabling the soft token: In '''about:config''' enable:* securitywebauthndemo.webauthappspot.webauthn_enable_softtokencom/ This currently stops the use of USB tokens, as the soft token always answers first. To see its code, check * https://searchfoxdemo.yubico.org/mozilla-central/source/domcom/webauthn/U2FSoftTokenManager.cpp#151. ==== Useful testing sites ====

U2F(behind a pref, experimental, not released):