Firefox-maker Mozilla would like to move on with the new WebAuthn standard for more secure and easier website logins. But instead the browser maker has decided to take a backward step and enable a legacy secure login standard – WebAuthn's predecessor, FIDO U2F.
The reason? Google Accounts doesn't yet fully support WebAuthn because millions of Android devices currently in use can't ever support it.
WebAuthn was only ratified last month but is already supported by Google Chrome, Microsoft Edge, Firefox, and the preview version of Apple's Safari, as well as Android and Windows 10.
The standard lets users sign in to a website with an authenticator built into a PC or smartphone and unlocked by a biometric, such as a fingerprint or face scan. The biometric only unlocks a private key held on the device; the site receives a signature over its challenge, never the fingerprint or face data itself.
WebAuthn is the successor to the FIDO U2F API, which allows users to sign in to Google Accounts and other sites with a physical security key, such as a YubiKey. The tech industry broadly wants the newer standard adopted as quickly as possible.
As Mozilla cryptographer JC Jones explains, WebAuthn is "our best technical response to credential phishing".
"That's why we've championed it as a technology," he wrote in a post explaining why Mozilla is now going to add backward-compatibility for FIDO U2F API in Firefox, even though it is a deprecated, legacy standard with more limited sign-in options.
"We encourage the adoption of Web Authentication rather than the FIDO U2F API. However, some large web properties are encountering difficulty migrating: WebAuthn works with security credentials produced by the FIDO U2F API," wrote Jones.
"However, WebAuthn-produced credentials cannot be used with the FIDO U2F API. For the entities affected, this could lead to poor user experiences and inhibit overall adoption of this critical technology."
Those large web properties are Google sites like Gmail that billions of users sign in to via Google Accounts, which presently doesn't support registering security keys created with WebAuthn.
Jones explains on a Mozilla mailing list that the key obstacle lies in the large number of Android devices that can't be updated with WebAuthn security key support.
"We've recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials. This delay is attributed to security key support on Android being, for most devices, non-upgradable," the cryptographer wrote.
"WebAuthn is backwards-compatible with credentials produced by the FIDO U2F API. However, WebAuthn-produced credentials cannot be used with the FIDO U2F API. Because of that, credentials created using WebAuthn will never be usable on the majority of FIDO U2F-only Android devices currently in circulation."
Firefox has had experimental support for FIDO U2F API since Firefox 57, released in November 2017. However, due to the Android and Google Accounts WebAuthn issue, FIDO U2F will be enabled by default for all Firefox users, starting with Firefox Nightly 68 and Firefox 67 beta, due out next week.
The move follows debate among Mozilla developers throughout March about who's at fault and which party should fix the problem.
Mozilla sees Google Accounts as crucial to allowing Firefox users to sign in using WebAuthn, because G Suite and Gmail users are the largest population of users who rely on security keys to log in. But Jones also notes that Mozilla's support for FIDO U2F leaves it at the mercy of Google deciding when to support the new standard.
"It appears that the only way we get Firefox users of Google Accounts fully able to use security keys is to enable FIDO U2F API support so that said users can enroll via FIDO U2F API, and then authenticate via … well, either. We will have to trust that Google will roll out authentication-via-WebAuthn quickly for the sake of the standard moving forward."
As blame turned to Google, Alexei Czeskis from Google's identity and security team weighed in to explain that it can't switch to WebAuthn until enough older Android devices move out of circulation.
Czeskis said holding off on WebAuthn has nothing to do with the company's level of motivation, which is "high".
"This has to do with OEM burned-in images on Android devices that have already shipped and the lifecycle of these devices out in the field. Without going into too many details, to not lock users out of their devices, we cannot switch U2F register to WebAuthn create() until there is sufficient churn in Android devices. You can expect WebAuthn get() to come much much sooner, as that is not impacted," he said.
"Again, this is only happening because of how the code that adds accounts is burned into certain devices. There are not any other websites, that I'm aware of, that are in a similar unfortunate situation. And so I'm hoping (and strongly believe) that this move would not encourage more usages of U2F (over WebAuthn)."
Mozilla's Jones noted that his organization will not address incomplete parts of Firefox's implementation of FIDO U2F.
"With the increase of using biometric mechanisms such as face recognition or fingerprints in devices, we are focusing our support on WebAuthn. It provides a sophisticated level of authenticators and cryptography that will protect Firefox users," he wrote.
"It's important that the web move to Web Authentication rather than building new capabilities with the deprecated, legacy FIDO U2F API."