FIDO U2F tokens Web Browsers compatibilty

browser web-applications fido-u2f

13,825

Solution 1

Do other browsers support U2F? currently not.
Is there any way to work without a plugin for a new web browser? No, that's the whole point of U2F: a phishing attack is made impossible thanks to direct communication with the browser.

Extra information

You had to install a plugin in Chrome in the past, currently (I think starting from version 40), this is not required anymore: U2F capability is built in from that version on in Chrome. As to which other browsers support U2F: currently none. Firefox supports U2F via the U2F Support Add-on, and is working on supporting U2F natively.

Microsoft reportedly will include FIDO support in Windows 10. It might be possible that browsers will rely on the OS-U2F-check then, and do not (need to) include FIDO support directly anymore. However, this is speculation only for the moment.

An easy compatibility check I'd like to carry out is to use the Yubikey's demo site.. It will be reported immediately when your browser does not support U2F (try opening the demosite in Firefox and see what happens).

Solution 2

Yes, it is an old thread, but let's make an update:

2016 September update : FIDO U2F browser support

Chrome for Windows, OS X and Linux: Yes (Built-in)
Chrome for Android [for FIDO U2F over NFC and over BLE devices]: Yes (You still have to download the official Google Authenticator App but this requirement will disappear in the future)
Firefox: Devs are now officially working on it. Mozilla Foundation joined the FIDO Alliance. For now, while waiting for the official built-in support, you can use this great addon: https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/ (It won't work on websites that do not know Firefox can be used too...)
Safari, Internet Explorer and Edge: No U2F support is even planned, but who cares anyway... :)
Just for the record: Opera Public Beta (v41) has U2F built-in support too. The next stable release should support FIDO U2F too.

Solution 3

Google Chrome: out-the-box since Chrome 41 (no extension required) https://support.google.com/accounts/answer/6103523?hl=en
Internet Explorer: "in development" https://dev.modern.ie/platform/status/fido20webapis/
Mozilla Firefox: popular feature request https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

Solution 4

It isn't specifically true that browsers can't add compatibility via extensions as per Michael's post, the issue isn't that it's secure because the browser "directly communicates" - USB can be sniffed so U2F isn't secure in that sense, which is precisely why it has defences against replay attacks.

The issue relates to browsers not generally having support internally to directly talk to USB devices - or more usefully for extensions to do that (but that would throw up other unrelated security concerns). It's perfectly plausible for a piece of software to act as an intermediary for an extension and pass on authentication events to a FIDO device; I've investigated the possibility and it absolutely would work without harming the security of U2F itself - native browser support would be preferable though.

View more solutions

13,825

Abdessamad Doughri

Embedded Software engineer with interest in electronics

Updated on September 15, 2022

Comments

Abdessamad Doughri almost 2 years

I'm trying to integrate U2F Authentication in GWT project and I need to know if is this solution compatible with all new web browsers (Firefox, Internet Explorer, Safari...)? Normally in Google Chrome I've to install a plugin that's called "FIDO U2F (Universal 2nd Factor) extension". Is the same for others browsers?

Is there any way to work without a plugin for new web browser?
Abdessamad Doughri over 9 years

Thank you Mr. Michael for your help, I think that all I need to know for now
ZeissS almost 9 years

Played around with this today. Chrome only supports the MessagePort thingy out-of-the-box. You need to grab the u2f-api.js from somewhere to get a "nice" API. Also note that errors are not really helpful. Your site MUST HAVE https and the appId must be the domain of the current website, otherwise you get errorcode 2.
Michael almost 9 years

I did not say that browsers cant add U2F through a plugin. I actually said the opposite: at the time of writing a (nonexistent) plugin was required because native support was lacking. The question was whether or not support could be added WITHOUT a plugin, and at that time, the answer to that question was no.
streaky over 8 years

Sure, I didn't misinterpret it was more of an addendum to what was said. Incidentally now there is a U2F plugin for firefox that works at least for dev stuff here which incidentally works the way I mentioned.
My1 about 8 years

well there is an addon for U2F addon for FF
Mike Campbell almost 8 years

what's your basis for "Firefox: Devs are now officially working on it"? the bugzilla tracker for it seems full of negatives and it's been stale for years.
Watilin almost 7 years

“It won't work on websites that do not know Firefox can be used too...” Yeah, and that is really annoying. I don’t understand why they don’t simply do feature detection rather than browser detection.
Croad Langshan almost 7 years

As of late September 2017 U2F support has landed in Firefox and is available in nightly builds (and in beta in hours, I think), so I think right now is a good time to be testing it. Especially because 57 is super fast, apparently!
Tin Can about 5 years

Safari supports this now as an experimental feature. Webkit Feature Status
Jonathan Cross about 2 years

Note: Chromium has deprecated the earlier FIDO2 U2F system leading to a temporary situation in which keys may stop working. More info here on SE.