11

I've started fiddling around with U2F and it's looking really promising. Got myself some security keys and started digging into it. I've managed to create a working register/login demo website which works well using the U2F tokens and the U2F Chrome extension.

However... and this is where my question arises: I've also enrolled a security key for my Google account and immediately got struck by the fact that it works without using the U2F Chrome extension. As a matter of fact I've done all the Google enrollment and logins without even having the extension installed. How is this possible? I've read (some of) the FIDO specifications and saw that there may be two API levels: high - which is the u2f namespace exposed by the extension and - and low - which involves using MessagePort API. Maybe this is how Google does it? (also tried doing a chrome.runtime.connect(...) myself, but the chrome.runtime object is undefined in my web page)

Any pointer in the proper direction would be appreciated and of great value at this moment, as there aren't many resources available on this young project called U2F.

Robby Cornelissen
  • 91,784
  • 22
  • 134
  • 156
Mihai Caracostea
  • 8,336
  • 4
  • 27
  • 46

1 Answers1

7

Chrome is white listing Google domains. Non-Google domains has to use the extension for now. However, this will change "very soon" according to Google -- this is documented here and mentioned by a Google developer in this webinar.

Edit: The extension is no longer required with Chrome 41. You can test it out here (Note: When accessed from and older version of Chrome, or not via HTTPS, the site will fall back to using the extension).

minisu
  • 1,000
  • 6
  • 11
  • Wow... didn't expect that! Remember me saying chrome.runtime was undefined? Well, if I access the same html page via a google.com url (test.google.com made to point to my server, via hosts file), the chrome.runtime is now available... – Mihai Caracostea Nov 28 '14 at 14:06
  • The webinar provides the proper answer for this question, which is: for google domains chrome provides support at its core, for non-google domains the extension is required. However... in the following months, Google Chrome will incorporate in its core the support for all other domains also. So it will be bye bye U2F extension requirement. Until then... we just have to wait... I find the extension solution too cumbersome for a regular user. – Mihai Caracostea Nov 28 '14 at 16:01
  • 1
    I just edited the answer. Chrome 41 no longer requires the extension. – minisu Jan 27 '15 at 10:11
  • ..yet it's not yet in Stable. – Xan Jan 27 '15 at 10:11
  • Thanks! Great info! I was all "happy" when I saw my Chrome upgrade from 39 to 40 and rushed to the change log. Bummer! Still, great to hear that the next major version is ditching the extension. Now waiting for its stable release and for other major browsers to step in, too. – Mihai Caracostea Jan 27 '15 at 12:09
  • Good news! Tested the release version 41 and all is well, without the extension. Cheers! – Mihai Caracostea Apr 17 '15 at 21:11
  • Chrome v45 still doesn't expose the `window.u2f` global, even on this Yubico demo site, or on any other site implementing https. But rather, a polyfill script has to be inserted on page that communicates with a built in internal extension accessed via chrome.runtime - this isn't obvious at first this is where `u2f` seems to come from in the examples. – simbolo Oct 11 '15 at 09:50