Default U2F behaviour is not friendly for beginners #4295
Replies: 1 comment 2 replies
-
|
To make browser+u2f beginner friendly, I created firejail-welcome.sh. If someone has U2F hardware plugged-in he/she will likely want to it (for login, ...). Therefore we should consider to remove |
Beta Was this translation helpful? Give feedback.
-
|
Does removing Also, since I came here as someone not too familiar with firejail but trying to use it -- is there a way to set |
Beta Was this translation helpful? Give feedback.
-
|
You can add |
Beta Was this translation helpful? Give feedback.
-
Apologies for this post because it is a bit of moan. Please feel free to ignore it if that is not what you want to read.
It's borne out of a few wasted hours of frustration of a default install of firejail +firejail-profiles on Debian 10 (latest updates)
Having just installed firejail and found that it broke my password manager (Bitwarden) and and stopped me logging into most of my account for different services because all of my browsers have blocked u2f support by default.
Is it right to have the default to block U2F keys by default and have to manually amend all profiles to add u2f allow stanzas into the
First of all this is really not beginner friendly for new users of firejail which is supposed to be fairly install and forget with all the default profiles that are shipped with it.
Second it is not at all obvious what is going on as the U2F prompts still come up (as it would do as that's controlled by the website you are trying to log into)
I believe that the default ought to be to allow U2F support BY DEFAULT for the following reasons:
It's more beginner friendly
The firejail profiles are supposed to make it easy for a beginner to get started with the firejail program not break the user's security. I found that just by installing firejail I managed to get locked out of every account I have including my password manager simply because U2F was blocked by default.
It wasnt until I raised an issue with the Bitwarden profile which blocks network access (so no sync OR login) I found a reference to U2F being blocked can be circumvented by editing the profiles (which presumably will be overwritten at the next update)
The first place a person looks is the man page which mentions there is an option to block U2F (--nou2f) which suggests that the default for firejail is yes to U2F
And yet every browser I tried and a few other apps all blocked U2F by default in the profiles.
**Beginners do not want to hack the profiles around UNTIL they get accustomed to the way things work and have the time to spend figuring it out.
Having the default blocking industry standard security measures doesn't make any sense and just ends up with frustration.**
It makes more sense
Virtually the whole U2F device market supports some kind of touch to prove physical presence - so what is the default behaviour of the profiles trying to do ?
Preventing U2F use is both detrimental to the user and confusing to the firejail beginner
Having to run the command with firejail --noprofile in order that I can gain access to the account is plain wrong and hacking away at profiles that come with firejail when you are a complete newbie with firejail seems dangerous and likely to risk corrupting any working configs even if the user can find the U2F documentation.
What do other people think?
Should the browsers, and presumably all U2F enabled applications allow U2F by default
(I'm thinking Bitwarden, KeePass** and other password managers as well as browsers, oh and presumably GPG/Kleopatra/any other GPG tool and then I suppose that all the yubikey tools need to be checked and PKCS11 smart card tools)
Checking and changing a load of profiles seems wrong and the default behavior for U2F ought to be allow
Beta Was this translation helpful? Give feedback.
All reactions