WebAuthn has subsumed U2F and we don’t want to encourage new use of an old API. Removing cryptotoken will allow us to make these APIs unavailable to websites that are not explicitly listed as connectable by an extension. WebAuthn guards this behavior behind a feature policy.īecause Cryptotoken is a component extension and externally connectable from any URL, it effectively exposes the ntime APIs unconditionally to the entire web. Sites can unconditionally query U2F credentials when embedded in cross-origin iframes. WebAuthn presents either a tab-modal dialog or UI provided by the operating system for every request. We believe this isn’t ideal from a secure UX perspective. Instead we rely on the website to handle UI for the requested security key interaction. U2F’s continued existence presents several issues:Ĭryptotoken requests don’t trigger a permission prompt or any UI indicating that the website is interacting with a special type of USB device. U2F and Cryptotoken are firmly in maintenance mode and we encouraged sites to migrate to WebAuthn two years ago. Chrome never directly supported the FIDO U2F JavaScript API in Blink, but rather shipped a component extension called cryptotoken, which exposes an equivalent API. U2F never became an Open Web standard and was subsumed by WebAuthn ( launched in M67 ).
It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F is Chrome’s original security key API. USB security keys that are supported by the U2F API are also supported by the WebAuthn API. Credentials that were originally registered via the U2F API can be challenged via WebAuthn. (But not U2F security keys themselves, which will continue to work.)Īffected sites should migrate to the Web Authentication API (WebAuthn).
Primary eng (and PM), want to deprecate and remove the legacy U2F API for interacting with security keys.
0 kommentar(er)
