Reputation: 3343
U2F Application ID (Facet ID) for a web site
The u2f dev guide leaves this part unspecified: will a single-facet AppId without the www prefix work for a visitor who accesses the site with the www-prefix? Will browsers consider them a match?
If not, I believe there are two alternatives for U2F deployments, neither very pleasant IMO - I explain below why so:
- Redirect all web users from www.example.com to example.com then use "example.com" facet.
- Provide a JSON resource which describes at least two facets: www.example.com, example.com
Now, I said that having to deal with the "www." explicitly isn't pleasant. My rationale is that single-site SSL certificates (including more diligent ones like EV-certs) deal with the www-prefix URLs transparently to web users. I see no reason why U2F would consider this a security hole and required an explicit way to deal with it.
Upvotes: 1
Views: 1426
Answers (1)
Reputation: 46
The browser will not consider them a match unless there is a JSON resource that supports this. See FIDO AppID and Facet Specification v1.0: Section 3.1 Processing Rules for AppID and FacetID Assertions.
Upvotes: 2
Related Questions
- Which websites support U2F?
- Unable to use AppId extension with WebAuthn for previously registered U2F keys
- How do you implement FIDO U2F using Webauthn APIs?
- FIDO2 compatibility with U2F/CTAP1
- How do I use from security token for FIDO?
- Is there a way to get a stable unique identifier for a U2F device using the Web Authentication API (WebAuthn)?
- U2F FIDO - application & challenge parameter
- FIDO U2F on a site with changing hostnames/IP addresses
- How do I use FIDO U2F to allow users to authenticate with my website?
- Multi Factor Authentication WSO2