Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> It is interesting though that we find ourselves working around a bug we did not introduce triggered by code we do not control.

I used to be part of a team developing a popular browser WYSIWYG editor. Every release of any of the supported browsers was a coin toss regarding introducing new bugs.

From this perspective developing for the still supported back then IE8 was easier, because there was no chance for it to ever change.



Yes. But. We. Need. New. Features. Every. F...ing. Week.


Well... I was damn happy with 114.0 when it FINALLY introduced Webauthn support on Linux and Mac. That was a really long wait.

Some features really are worth it.

The problem is more that they prioritise the glossy fluff ones. Like time-limited "inspirational" colour schemes.


I'm confused. I have been using webauthn with a USB authenticator for at least a year now with Firefox. How is this a new feature?


What's new is full CTAP2 support in FIDO2. Passwordless with PIN code. This never worked at all.

2FA (FIDO1) has worked for a while yes. But it still requires a username and password and the token is only used for 2FA. But this is not what webauthn is. It's only a small subset that existed under the FIDO name before webauthn was designed and was basically grandfathered in. But it's not really what webauthn is about.

In full passwordless mode you insert the token, enter its pincode and touch it to login. No username nor password needed. It's a bit like a bank card.

Not many sites support this method, for example Paypal only supports normal old FIDO1 2FA (and only one token which is ridiculous). But this support is also needed to finally enable full passkeys in the future. This support is also needed to finally enable full passkeys in the future (I believe 1 or 2 things for that are still coming in a near-future version).


What operating system? The 114.0 (June 6th 2023) release notes say:

https://www.mozilla.org/en-US/firefox/114.0/releasenotes/

> Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator.


Linux,

Webauthen was supported for quite some while, _but only a subset of it_.


Parent said they've been using it with USB for a year now. While Firefox says it's just now available to use with a USB for macOS, Linux, and Windows 7. Knowing nothing else I'm assuming an operating system other than these three (such as Windows 8+).


The problem wasn't the connection method. It was the type of authentication.

With CTAP you can insert the stick, enter its pincode, touch it and you're logged in. It replaces even the username.. This never worked.

What did work was using the token as a 2FA token only (FIDO1 method). But that doesn't replace passwords.


Yes I have been using it with USB for well over a year, too.

But I also only have been using a subset of the Webauthn standard, specifically the subset generally used when using it for the 2nd factor in 2FA.

But the standard provides other usage methods, too. E.g. like using it as main factor + a PIN. And this methods had not yet been supported in the past.


Me too. Here is my write up about it...

https://codeberg.org/vanous/YubiKey_On_Linux


It was when it came out, which is the event GP recalls.


Firefox 114 was just released




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: