U2F keys in Firefox


#1

When will duo support u2f keys in Firefox? A yubikey has worked in firefox for months using an add-on, and with firefox 57 released a few weeks ago the u2f support is native; it works with many 2fa systems but not yet with duo.

the current message is:
“Your browser does not support U2F token authentication.
Please use a U2F compatible browser.”

i have heard of people using a user-agent switcher to spoof chrome, then supposedly duo will work with u2f keys, but i have not tested this and prefer not to use this regularly.

thanks!


#2

We are aware of Firefox’s native U2F support and plan to support it for authentication (but I can’t give you a specific date).


#3

Great, thanks! good to hear it’s on the horizon.


#4

Yes, my university rolled out Duo, and I’m anxiously awaiting the ability to use Firefox with my yubikey U2F device


#5

Me too. I’m glad to hear that Firefox support is coming!


#6

Quick update here, as I know this is a popular feature request:

Firefox has a different implementation of U2F compared to Chrome with a newer protocol, and we are working on a project to implement support for that protocol universally across Chrome and Firefox. There is still not a guaranteed release date for Firefox U2F support, but we are looking at an ETA of mid-to-late 2018.


#7

@DuoKristina @Dooley Any updates on this feature? Is there a way we can track its development?

FWIW, the issue is also tracked on Bugzilla here: https://bugzilla.mozilla.org/show_bug.cgi?id=1340738

Thanks!


#8

Security key support in Firefox is on our active roadmap, with more info to come before the end of the year.

Contact your Duo account executive or customer success manager for more information, or you may contact Duo Support and request to be added to the existing feature request (so you’ll be notified of status change).


#9

How do i find my “customer success manager”?


#10

An assigned customer success manager is part of our Duo Care offering. If you had Duo Care and a CSM, you’d know.

I don’t know what organization you or most Community posters are with, so I mention the three usual contact points a Duo customer has with us in my replies. If you don’t have a CSM or AE, contact Duo Support.


#11

Can’t wait to start using U2F in Firefox with duo, hoping this is still on track for a “mid-to-late 2018” release :slight_smile:


#13

Can you elaborate on this difference? So far websites I’ve accessed that implement FIDO2 have worked with the same Yubi 5 in Chrome and Firefox.


#14

I’d just like to pile on to the queue of people clamoring for this feature. I’m a privacy-conscious Firefox user, and now that my university has mandated that we use Duo 2FA for logging in to our learning management system, I find it very frustrating to have to open Google Chrome from a disk image to log in.

As other people have said, I can use my YubiKey in Firefox just fine with other websites that implement U2F, so it’s pretty baffling to me that Duo still doesn’t support it.

Even worse, Duo used to work in Firefox if I set my User-Agent to Chrome on Windows, but something happened in the past 6 months to break that workaround too. The Firefox developers seem to think this problem stems from you guys trying to set a global variable that is read-only in Firefox’s API, but read-write in Chrome’s. I’m sure many Firefox users would appreciate it if you could perform that feature test in a different way, so that we all could continue using our browser of choice.


#15

Is Duo just planning to wait on this until the W3C’s WebAuthn spec is implemented in all of the (commercially relevant) browsers?


#16

That just happened, so hopefully soon. Duo also doesn’t work with chrome on android. From what I can tell it really looks like the problem is with duo’s checks for browser type being too strict. For android, if you have something like a Yubikey 5 NFC, it really should work with android too. Hopefully soon.


#17

I noticed this pop up in the Duo Admin panel today:

March 1, 2019

WebAuthn is now available in the Duo Prompt

Use Touch ID on MacOS with the Chrome Browser or Security Keys with Chrome or Firefox. Learn more about the WebAuthn policies and setting up a WebAuthn device in our release notes.

However, when I follow the link to the March 1, 2019 Release notes there is no mention of WebAuthn in those notes. I suspect the intended that message to correspond to impending release notes for today or tomorrow March 7/8, 2019 which are not yet posted. Also, I don’t see any change in behavior with Firefox yet, so that suggests they haven’t pushed the corresponding update (everywhere) yet.


#18

I think this blog post Touch ID and Beyond: Duo’s Plans for WebAuthn | Duo Security will be welcome news for everyone watching this thread:

Thanks to Firefox’s early adoption of WebAuthn, we’re happy to announce that we’ll also be supporting Security Keys in Firefox.

This feature should be available for all customers by March 15. Configuration documentation for these new authentication methods will be coming soon as well.


#19

That’s great news, thanks for cross posting.

I’d still like to know about U2F over NFC … it doesn’t work and I’m not sure where lies the limitation.


#20

Quick update: Much more information on Firefox support for Security Keys and TouchID auth on macOS, including links to the new documentation, is available in the latest release notes post here: Duo Release Notes for March 15, 2019


#21

Any additional guidance on getting U2F to work with Duo in Firefox? I have the latest version of Firefox 65.0.2, enabled security.webauth.u2f in about:config, and have authenticated using U2F through Chrome one additional time as outlined in the Duo release notes. I also have a policy created and applied to the Duo Device Management Portal application with WebAuthn (Security Keys, Touch ID) as an allowed Authentication Method. I’m testing this by logging in to the DMP in Firefox but I still get the message about “Requires Chrome to use Security Keys” when trying to use my Security Key (U2F) to log in to the DMP.