U2F administratively disabled based on User Agent despite functioning plugin

Issue #14646 resolved
Jozef Knaperek created an issue

Even though Firefox does not support U2F by default, there's a [working U2F plugin|https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/?src=api] that works well (tested with GitHub and Google), but Bitbucket won't even allow the use of U2F if it does not see Google Chrome, and prints this message instead:

"Your browser doesn’t support the FIDO U2F standard yet. Get the latest version of [Google Chrome|https://www.google.com/chrome/browser/desktop/] if you want to use a security key device"

It's a shame this is based merely on the User Agent and not the actual capability of the browser, which can obviously be extended with a plugin.

Attached are two screenshots: one from Chromium demonstrating correct behavior; and one from Firefox showing the error.

Official response

  • Mark Adams staff

    Hi everyone,

    We just released some changes to our FIDO U2F implementation and it should now work with any browser that implements the window.u2f API (Firefox 57+) or implements the Chrome U2F plugin (Chrome & Opera).

    Please note, U2F has not been publicly released in Firefox and requires turning on the security.webauth.u2f config flag in about:config in order to take advantage of the functionality. Since this is currently behind a flag in Firefox, you should assume it is beta functionality and you may encounter bugs or other issues that may need to be fixed by the Firefox team.

    Thanks!

    Mark Adams, Sr. Developer, Bitbucket
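
The difference between the User-Agent gate reported in this issue and a capability check of the kind the response describes, as an added example (not Bitbucket's code). The function names, the User-Agent pattern and the sample browser objects are hypothetical and constructed for illustration.

```javascript
// Added example. All names here are hypothetical; this is not Bitbucket's code.

// Anti-pattern from the report: gate the feature on the User-Agent string.
function uaGateAllowsU2f(userAgent) {
  // Hypothetical allow-list check: "Chrome" present, other vendors excluded.
  return /Chrome\/\d+/.test(userAgent) && !/(OPR|Edge)\/\d+/.test(userAgent);
}

// Capability check: inspect what the page can actually call.
// `win` is the browser `window` (or a stand-in object when testing).
function detectU2fTransport(win) {
  const u2f = win && win.u2f;
  if (u2f && typeof u2f.register === "function" && typeof u2f.sign === "function") {
    return "window.u2f"; // native API or an add-on that injects it
  }
  // Assumption: the Chrome/Opera built-in U2F component is reached over the
  // extension messaging channel, so its presence is the signal checked here.
  const runtime = win && win.chrome && win.chrome.runtime;
  if (runtime && typeof runtime.sendMessage === "function") {
    return "chrome-extension";
  }
  return "none";
}

// Constructed sample browsers (UA strings abbreviated, objects are stand-ins).
const SAMPLES = [
  { name: "Chromium", ua: "Mozilla/5.0 Chrome/62.0 Safari/537.36",
    win: { chrome: { runtime: { sendMessage() {} } } } },
  { name: "Opera", ua: "Mozilla/5.0 Chrome/62.0 Safari/537.36 OPR/49.0",
    win: { chrome: { runtime: { sendMessage() {} } } } },
  { name: "Firefox + U2F add-on", ua: "Mozilla/5.0 Gecko/20100101 Firefox/56.0",
    win: { u2f: { register() {}, sign() {} } } },
  { name: "Firefox, no U2F", ua: "Mozilla/5.0 Gecko/20100101 Firefox/56.0",
    win: {} },
];

// Run both gates over every sample so the disagreement is visible per browser.
function compareGates(samples) {
  return samples.map((s) => ({
    name: s.name,
    uaGate: uaGateAllowsU2f(s.ua),
    transport: detectU2fTransport(s.win),
  }));
}

console.log(compareGates(SAMPLES));
```

A positive result only decides whether to offer the security-key option; the register or sign call can still fail and needs its own error handling.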

Comments (7)

  1. Vladislav Yarmak

    Hello,

    Same thing with Opera. Opera is based on Chromium and does U2F very well, but your site forces me to spoof the User-Agent in order to log in in a convenient way.
