Feel free to call me a troll, but there is a rationale behind my ramblings on https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
The bug is named "Implement the FIDO Alliance u2f javascript API". The spec is here: https://www.w3.org/TR/webauthn/

"In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the ClientData. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software"

Anyway, what I (early on) suggested was not deprecating the USB token project, but looking into the possibility of offering a soft token solution as well.

Then suddenly, Mozilla announces that they indeed have a soft token solution(!) which they don't want to productify since that would potentially give them "badwill" since that solution would be less secure than the "real" solution.

800 million Chinese folks using soft payment tokens seem to have survived.

Now to the "funny" part. Mozilla, Google, and Microsoft have spent huge resources on defining and implementing a standard called WebCrypto. AFAICT, this scheme should have close to identical security characteristics to a soft U2F solution!

I believe that it would be pretty inconvenient for Google, who is the engine behind U2F, to screw all their HW partners by offering a soft solution. Mozilla does not have this problem.

This is not a question about security, but about product management.