Support U2F Keys

[butlermatt]

Test plan

See #12507

Original issue description

I use a U2F key (YubiKey Neo) for Two factor authentication in locations such as here on github and with Google accounts (as well as Lastpass extension).

While the key works great in Chrome, it's not currently supported in Brave. This is a significant blocker for me. I'd love to see this functionality implemented. See the error I get when trying log into my github account with Brave (at the point where the security key is requested).

[jmalonzo]

This might be an issue with electron - electron/electron#3226

[juniorz]

When I try to login on Google, it asks me to install this extension: https://chrome.google.com/webstore/detail/gnubbyd/beknehfpfkghjoafdifaflglpjkojoco

But there's no install button.

[butlermatt]

Yes, totally seeing the same issue still. Same notice as my first message posting. Sorry for the delay in responding I didn't get the notice properly.

[geekgonecrazy]

Pretty big blocker for me to be able to switch over fully. Would it be a matter of just baking in that extension? Or are there API's its going to need? Based on that electron issue linked it looks like there might be some missing API's?

[bridiver]

It's been a long time since I used a Yubikey, but I thought they acted as a keyboard and just typed in the box? I can take a look at the Chrome extension and see if we support the APIs it requires

[geekgonecrazy]

@bridiver from my understanding yes that's essentially what's happening. I think it does do some checks in the USB HID tree polling for descriptors.

[bridiver]

we do want to get this working and I'm looking at the extension, but it's odd because the whole thing seems antithetical to the concept behind yubikeys. They act like a keyboard to avoid the need for any special hardware support. I think I might still have an old one lying around somewhere that I can test with.

[terribleplan]

There is a new standard on the block called U2F, and yubikeys can now do
that. It actually performs some crypto to identify you to the site, and as
such there is no way it could simply be a keyboard.

Look into it, it's pretty neat:
https://fidoalliance.org/specifications/overview/

On Jul 12, 2016 16:52, "Aaron Ogle" notifications@github.com wrote:

@bridiver https://github.com/bridiver from my understanding yes that's
essentially what's happening. I think it does do some checks in the USB HID
tree polling for descriptors.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#518 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AEN0L3TouNHFtG1q23CCxIeHeYKo985Hks5qVAyCgaJpZM4HQoIU
.

[geekgonecrazy]

@bridiver yeah the yubikey that completely acts just like a HID device works no problem. Its the ones now based on the U2F standard that does a little more then the just pretend to be an HID device.

This is the standard that sites like Github / Google etc have embraced and now offer as a 2 factor authentication method.

[bridiver]

sounds like my old yubikey will not be helpful then. We don't support all of the chrome extensions apis yet, but if I can get it working with minimal effort we can push it out pretty quickly. If it requires more work we'll have to prioritize and schedule it.
cc @bbondy

[eamsden]

There is discussion about adding Chromium's U2F support to Electron at electron/electron#3226.

[eamsden]

I can see the following paths forward

• Hack Electron to expose Chromium's "gnubby" extension that supports U2F/FIDO.
• Hack Electron to expose chrome-hid and copy the "gnubby" code in Brave
• Copy the "gnubby" code to Brave and port it to use node-usb
• Write a new U2F/FIDO drive for brave on top of node-usb
• Write a new Native Node module to bind libu2f-host

[bridiver]

at least in theory the only thing you would have to implement to use the extension iscryptotokenPrivate. Everything else is provided by src/extensions, but there not all of them are in atom/browser/browser_context_keyed_service_factories.h and you will likely have to pull in a lot of new dependencies from chrome. You can see @darkdh recent autofill and importer work in https://github.com/brave/electron and https://github.com/brave/libchromiumcontent to see how to add new chrome dependencies

[eamsden]

If I read the docs correctly, cryptotokenPrivate is just for the UI to get explicit user permission to register a token with a website. That had to be native in Chromium because it had to show a native toolbar. But all of Brave's UI is JS on top of Electron, right? So it should be fairly easy to implement that and then pull in the rest of the necessary stuff from Chrome?

[bridiver]

I didn't look at it closely, but that sounds reasonable. You will definitely have to pull in additional dependencies in libchromiumcontent because we don't current have the hid support enabled in atom/browser/browser_context_keyed_service_factories.h. See extensions/browser/browser_context_keyed_service_factories.h in libchromiumcontent

[eamsden]

OK I'll look into that next time I get some spare hacking time.

[eamsden]

How do I pull my changes to libchromiumcontent to electron and Brave?

[willy-b]

Somebody else can probably answer this better than me, but if you put browser-laptop, brave-electron, and brave-libchromium content in sibling directories, brave-electron has scripts to help with this.

Given that electron and libchromium are in sibling directories,
you can run npm run libchromium-bootstrap (one-time) and npm run libchromium-build (each time) to update brave-electron with your libchromium changes.
Finally, to push the updated brave-electron to browser-laptop, you can use npm run browser-build from brave-electron.

[willy-b]

(extra detail)

By sibling directories I mean brave/browser-laptop, brave/electron, and brave/libchromiumcontent all share the same parent directory:

willy@xeris:~/projs/git/3rd/brave$ ls -1 | grep "electron$\|libchromium\|browser"
browser-laptop
electron
libchromiumcontent

All the npm scripts I mentioned are in brave/electron:

willy@xeris:~/projs/git/3rd/brave$ cd electron
willy@xeris:~/projs/git/3rd/brave/electron$ cat package.json | grep "\-build\|bootstrap" | grep -v "watch"
    "bootstrap": "python ./script/bootstrap.py",
    "browser-build": "npm run build && rsync -avz --delete out/D/Brave.app ../browser-laptop/node_modules/electron-prebuilt/dist/",
    "libchromium-build": "../libchromiumcontent/script/bootstrap && ../libchromiumcontent/script/update && ../libchromiumcontent/script/build && ../libchromiumcontent/script/create-dist --no_zip",
    "libchromium-bootstrap": "./script/bootstrap.py -v --libcc_source_path ../libchromiumcontent/dist/main/src --libcc_shared_library_path ../libchromiumcontent/dist/main/shared_library --libcc_static_library_path ../libchromiumcontent/dist/main/static_library",
    "browser-build-linux": "npm run build && rsync -avz --delete out/D/ ../browser-laptop/node_modules/electron-prebuilt/dist/",

[bridiver]

there are several recent PRs with examples of pulling in new deps

brave/libchromiumcontent#3

the scripts @willy-b referenced will work for the electron build after updating

[luixxiul]

Another request: https://community.brave.com/t/closed-fido-2fa-support-please-yubikey-trezor/694?u=suguru

[diracdeltas]

+1 from myself

[jonrh]

Blocks me from switching from Chrome. Bit of a shame since Brave is so incredibly enticing otherwise!

[armstrys]

No luck here either with the v0.21.9 beta. Still getting an error message that something went wrong when trying to use my yubikey with google... Did the old version of Brave need to be uninstalled? I didn't try that.

[evq]

@cannedshrimp what OS are you trying with?

[armstrys]

Running MarCOs High Sierra v10.13.3

[chmanie]

Same here. I’d be happy to help and debug this further (when given the instructions)

[evq]

It looks like there is a Mac specific issue, I was able to confirm it as working on Windows and Linux but Mac also did not work for me. Thanks for your help testing, I will investigate more.

[lamaral]

I tried it on Windows 10, with the version linked above and it didn't work with the Yubico test page: https://demo.yubico.com/start/u2f/neo?tab=register.
It worked with GitHub and Google tho.

Just to add on the discussion, I once had trouble with Google and Firefox and read somewhere that Google implements the U2F part slightly different from the standard and that's what broke Firefox.

[evq]

@lamaral Interesting, that test site also doesn't work for me. However https://demo.yubico.com/u2f does

[lamaral]

@evq This site works for me.

[bijeebuss]

Any updates on this? Mine setup does not work (confirmation does not appear on device)

Ubuntu Desktop 16.04 LTS
Ledger Nano S Firmware 1.4.1
Brave 0.21.18

It does work with the same setup and chrome

[evq]

Hey @bijeebuss. U2F support was moved back to our current beta channel release, 0.22 - I believe it is no longer present in 0.21. Please let me know if you have an issue if you try 0.22.

P.S. As an update to others, the mac specific issue mentioned above was resolved in #13345, so as of beta version 0.22.5 U2F has been tested / confirmed as working on Windows, MacOS and Linux.

Thanks all!

[armstrys]

I can confirm U2F working on Google with the new Beta release on Mac High Sierra! Also worked on https://demo.yubico.com/u2f

Nice job!

[srirambv]

Verified on Windows x64

• 0.22.6 e6ff4ea
• libchromiumcontent: 65.0.3325.162
• muon: 5.1.0
• Test plan works but still have issues relating to other domain login (U2F authentication doesn't work on specific websites #13564)

Verified on macOS 10.12.6 x64 using the following build:

• 0.22.7 8bb7e77
• libchromiumcontent: 65.0.3325.181
• muon: 5.1.1

Verified on Ubuntu 17.10 x64 using the following build:

• 0.22.8 3ae27f2
• libchromiumcontent: 65.0.3325.181
• muon: 5.1.2

Also checked the following websites using Ubuntu 17.10 x64:

• Google/Gmail - PASSED
• GitHub - PASSED
• FB - See U2F authentication doesn't work on specific websites #13564

[krmbzds]

I couldn't get Github or YubiKey Demo to work.

OS Details

ProductName:	Mac OS X
ProductVersion:	10.13.4
BuildVersion:	17E202

Browser Details

Brave: 0.22.721 
V8: 6.6.346.32 
rev: bfe7cdd026c68013236ebe206a33448db9370fca 
Muon: 6.0.12 
OS Release: 17.5.0 
Update Channel: Release 
OS Architecture: x64 
OS Platform: macOS 
Node.js: 7.9.0 
Brave Sync: v1.4.2 
libchromiumcontent: 66.0.3359.170

Newly formatted computer so it's mostly a default setup.

[kylerchin]

I really need this, the only thing stopping me from using brave full time.

[bsclifton]

@krmbzds @kylerchin we have an issue capturing the problem and discussing a fix here:
#13564