
An increasing number of web services support hardware USB login tokens, and they are supported in Safari and other major browsers.

If you enable this on your accounts (GitHub, Gmail, etc. all support it), then you will need to resort to using a backup 2FA method on Orion, as U2F isn't supported, and the website will report U2F is unsupported. I believe U2F relies on WebUSB.

U2F tokens are likely a bit more common among techie users than non-techie users, but developers might be quite likely to have to use them to access accounts.

    2 months later

    When websites request authentication via security key (Yubikey, Google Titan key, etc.), the browser gives no prompt or hint that user interaction is needed. Both Safari and Firefox (and I assume Chrome?) have user visual prompts for 2fa interaction, as well as error messages when auth fails.

    Firefox:

    Safari:

      danhcole Also, a note for failed 2fa interactions: there is no way to see a failure, or for the website to prompt the user for another 2fa method, other than waiting for the u2f interaction to time out (and again, there's no indication that there's even an issue).

        2 months later

        Steps to reproduce:
        Try adding a YubiKey via FIDO2 (not YubiKey OTP) that has a PIN code registered to it, on a site that requires entering that PIN such as https://anonaddy.com

        Orion and macOS:
        Orion 0.99.109.1-beta (WebKit 613.1.12)
        macOS Version 12.1 (Build 21C52)
        MacBookAir10,1

        Enabled Extensions:

        • Bitwarden - Free Password Manager (chrome)
        • uBlock Origin (chrome)
        • Bypass Paywalls Clean (firefox)

        Disabled Extensions:

        Non Default Settings:

        • AutofillEnabled => 0
        • ShowFullWebsiteAddress => 1
        • ContentBlockerLastUpdated => 2021-12-21 00:00:00 +0000
        • CustomAppIcon => appicon2
        • CustomAppIconData => {length = 234817, bytes = 0x89504e47 0d0a1a0a 0000000d 49484452 ... 49454e44 ae426082 }
        • ShowBackgroundImageOnStartPage => 0
        • backgroundImageOnStartPage => file:///System/Library/Desktop%20Pictures/Solid%20Colors/Soft%20Pink.png
        • isBackgroundImageDarkOnStartPage => 1
        • ShowRecommendationsOnStartPage => 1
        • FirstLaunch => 0
        • FirstTimeWebExtensionNotice => 1
        • HyperlinkAuditingEnabled => 0
        • LastUsedBuildVersion => 109.1
        • PreCompiledContentRuleListVersion => 109.1
        • LastCrashCheckDate => 2021-12-25 10:15:36 +0000
        • NetworkPredictionEnabled => 0
        • NextBookmarkID => 12
        • NextDownloadID => 15
        • SavedWindowSize => 1280.0,875.0
        • SavedWindowPosition => -2560.0,-0.0
        • SearchSuggestEnabled => 0
        • SendCrashReports => autoSend
        • QuitWithConfirmation => 1
        • CurrentToolbarSize => small
        • ActivePreferenceTab => privacy
          Merged 2 posts from YubiKey 5, no prompts for PIN Code, silently fails.

            Just got access to the iOS beta but saw that I can’t login to websites with security keys. I think it would be really nice if support for security keys was added.

              Merged 1 post from Add support for security keys.
                4 months later

                Not able to log in to the AWS console. Until this is resolved, the browser is not usable for anyone who is doing serious development on AWS.

                  a month later

                  MFA with Yubikey 5 does work for me (at least on Cloudflare), but it often requires plugging it in-and-out a couple times and clicking the retry button.

                    a month later
                    Merged 10 posts from Security key (FIDO2/U2F) doesn't prompt, and doesn't display errors.

                      @gp and others..

                      1. Is WebAuthn the only API we need to support?

                      2. Are you aware of any macOS/iOS dev docs/libraries to make this job easier?

                        Vlad changed the title to Support for WebAuthn.

                          Vlad

                          I will revisit this later, as I think it actually “works” behind the scenes in Orion, just without the UI over the top.

                            Vlad

                            Pleased to report that Orion does indeed currently "support" WebAuthn. There is no UI around the feature however, so a user will not be aware it is there, or working.

                            WebAuthn can be tested at https://webauthn.io/ - enter a random username, leave everything at defaults, and hit register. You won't see a pop-up prompt here (this is where you will want to look to Safari behaviour), but if you have a U2F/WebAuthn token plugged in, the LED will flash to prompt you to authenticate by pushing the button.

                            You can then repeat this process, clicking "login", and again the LED will flash (without Orion prompt). Press the button on the WebAuthn dongle, and you'll get "logged in".

                            The Safari flows for reference.

                            1. After pressing register:

                            (No text changes whether the token is plugged in or not)

                            2. After pressing login (slightly different message, as register != login to the token)
                            4 days later

                            If Platform (TPM) authentication is used on webauthn.io on Safari or Chrome/Vivaldi/etc., it will allow for the use of Touch ID on Macs and Touch ID or Face ID on iDevices. Screenshots of macOS Safari attached for reference:
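
For site developers affected by the behaviour reported in this thread (no browser prompt, and no visible failure until the request times out), here is a site-side sketch, added as an example and not code from Orion or from any poster. It wraps the standard `navigator.credentials.get()` call with the page's own hint, a bounded wait, and a fallback; the `ui` object, the `opts` parameter and the reason strings are hypothetical names.

```javascript
// Added example: site-side WebAuthn sign-in that supplies its own prompt and fallback.
// `ui` and `opts` are hypothetical; `publicKey` is the request options from your server.

// Map the error names a WebAuthn call rejects with to a next step for the page.
function classifyWebAuthnError(err) {
  switch (err && err.name) {
    case "AbortError":        // our own AbortController fired (see timer below)
      return "timeout";
    case "NotAllowedError":   // user declined, no usable key, or the browser timed out
      return "cancelled-or-timed-out";
    case "NotSupportedError": // the client cannot satisfy the requested options
      return "unsupported";
    case "SecurityError":     // origin / RP ID mismatch: a site configuration problem
      return "misconfigured";
    default:
      return "error";
  }
}

async function signInWithSecurityKey(publicKey, ui, opts = {}) {
  const credentials =
    opts.credentials || (globalThis.navigator && globalThis.navigator.credentials);
  if (!credentials || typeof credentials.get !== "function") {
    ui.offerFallback("unsupported");
    return { ok: false, reason: "unsupported" };
  }
  // Do not wait for the browser's own timeout: abort after a bounded wait.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), opts.timeoutMs || 30000);
  // The page shows the hint itself, in case the browser draws no dialog.
  ui.showPrompt("Touch your security key when its light flashes.");
  try {
    const credential = await credentials.get({ publicKey, signal: controller.signal });
    return { ok: true, credential }; // send credential.response to the server to verify
  } catch (err) {
    const reason = classifyWebAuthnError(err);
    ui.offerFallback(reason); // e.g. reveal the TOTP or recovery-code form
    return { ok: false, reason };
  } finally {
    clearTimeout(timer);
    ui.hidePrompt();
  }
}
```

The returned credential is only a claim until the server verifies the signature and challenge; the client-side result must never be treated as proof of authentication.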