From 1ea8762eeb6b43871e2101995e12668a6380fb45 Mon Sep 17 00:00:00 2001
From: Oscar Hinton <oscar@oscarhinton.com>
Date: Tue, 16 Mar 2021 17:44:31 +0100
Subject: [PATCH] WebAuthn (#633)

---
 jslib                                         |   2 +-
 src/app/accounts/two-factor.component.html    |  19 +--
 src/app/app.module.ts                         |   6 +-
 .../settings/two-factor-setup.component.html  |   2 +-
 .../settings/two-factor-setup.component.ts    |  12 +-
 .../settings/two-factor-verify.component.ts   |   4 +-
 ...tml => two-factor-webauthn.component.html} |  33 ++---
 ...nt.ts => two-factor-webauthn.component.ts} |  99 ++++++--------
 src/connectors/common-webauthn.ts             |  62 +++++++++
 src/connectors/common.ts                      |  15 +++
 src/connectors/duo.ts                         |  17 +--
 src/connectors/sso.ts                         |  20 +--
 src/connectors/webauthn-fallback.html         |  36 ++++++
 src/connectors/webauthn-fallback.ts           | 118 +++++++++++++++++
 src/connectors/webauthn.html                  |  16 +++
 src/connectors/webauthn.scss                  |   5 +
 src/connectors/webauthn.ts                    | 122 ++++++++++++++++++
 src/images/two-factor/7.png                   | Bin 0 -> 1620 bytes
 src/locales/en/messages.json                  |  39 ++++++
 src/scss/styles.scss                          |  11 ++
 src/services/webPlatformUtils.service.ts      |   7 +-
 webpack.config.js                             |  12 ++
 22 files changed, 516 insertions(+), 141 deletions(-)
 rename src/app/settings/{two-factor-u2f.component.html => two-factor-webauthn.component.html} (79%)
 rename src/app/settings/{two-factor-u2f.component.ts => two-factor-webauthn.component.ts} (62%)
 create mode 100644 src/connectors/common-webauthn.ts
 create mode 100644 src/connectors/common.ts
 create mode 100644 src/connectors/webauthn-fallback.html
 create mode 100644 src/connectors/webauthn-fallback.ts
 create mode 100644 src/connectors/webauthn.html
 create mode 100644 src/connectors/webauthn.scss
 create mode 100644 src/connectors/webauthn.ts
 create mode 100644 src/images/two-factor/7.png

diff --git a/jslib b/jslib
index f80e89465ff..f20af0cd7c9 160000
--- a/jslib
+++ b/jslib
@@ -1 +1 @@
-Subproject commit f80e89465ffc004705d2941301c0ffb6bfd71d1a
+Subproject commit f20af0cd7c90adc07783950bed197b5d47892d6f
diff --git a/src/app/accounts/two-factor.component.html b/src/app/accounts/two-factor.component.html
index 0dbedf5cafb..72f99be6287 100644
--- a/src/app/accounts/two-factor.component.html
+++ b/src/app/accounts/two-factor.component.html
@@ -33,16 +33,10 @@
                                 required appAutofocus appInputVerbatim autocomplete="new-password">
                         </div>
                     </ng-container>
-                    <ng-container *ngIf="selectedProviderType === providerType.U2f">
-                        <p class="text-center" *ngIf="!u2fReady">
-                            <i class="fa fa-spinner fa-spin text-muted" title="{{'loading' | i18n}}"
-                                aria-hidden="true"></i>
-                            <span class="sr-only">{{'loading' | i18n}}</span>
-                        </p>
-                        <ng-container *ngIf="u2fReady">
-                            <p class="text-center">{{'insertU2f' | i18n}}</p>
-                            <img src="../../images/u2fkey.jpg" alt="" class="rounded img-fluid mb-3">
-                        </ng-container>
+                    <ng-container *ngIf="selectedProviderType === providerType.WebAuthn">
+                        <div id="web-authn-frame" class="mb-3">
+                            <iframe id="webauthn_iframe"></iframe>
+                        </div>
                     </ng-container>
                     <ng-container *ngIf="selectedProviderType === providerType.Duo ||
                         selectedProviderType === providerType.OrganizationDuo">
@@ -51,7 +45,7 @@
                         </div>
                     </ng-container>
                     <i class="fa fa-spinner text-muted fa-spin pull-right" title="{{'loading' | i18n}}"
-                        *ngIf="form.loading && selectedProviderType === providerType.U2f" aria-hidden="true"></i>
+                        *ngIf="form.loading && selectedProviderType === providerType.WebAuthn" aria-hidden="true"></i>
                     <div class="form-check" *ngIf="selectedProviderType != null">
                         <input id="remember" type="checkbox" name="Remember" class="form-check-input"
                             [(ngModel)]="remember">
@@ -65,7 +59,7 @@
                     <div class="d-flex mb-3">
                         <button type="submit" class="btn btn-primary btn-block btn-submit" [disabled]="form.loading"
                             *ngIf="selectedProviderType != null && selectedProviderType !== providerType.Duo && 
-                        selectedProviderType !== providerType.OrganizationDuo && selectedProviderType !== providerType.U2f">
+                        selectedProviderType !== providerType.OrganizationDuo && selectedProviderType !== providerType.WebAuthn">
                             <span>
                                 <i class="fa fa-sign-in" aria-hidden="true"></i> {{'continue' | i18n}}
                             </span>
@@ -84,4 +78,3 @@
     </div>
 </form>
 <ng-template #twoFactorOptions></ng-template>
-<iframe id="u2f_iframe" hidden></iframe>
diff --git a/src/app/app.module.ts b/src/app/app.module.ts
index 2224e4d76ea..df1b5420aa2 100644
--- a/src/app/app.module.ts
+++ b/src/app/app.module.ts
@@ -135,8 +135,8 @@ import { TwoFactorDuoComponent } from './settings/two-factor-duo.component';
 import { TwoFactorEmailComponent } from './settings/two-factor-email.component';
 import { TwoFactorRecoveryComponent } from './settings/two-factor-recovery.component';
 import { TwoFactorSetupComponent } from './settings/two-factor-setup.component';
-import { TwoFactorU2fComponent } from './settings/two-factor-u2f.component';
 import { TwoFactorVerifyComponent } from './settings/two-factor-verify.component';
+import { TwoFactorWebAuthnComponent } from './settings/two-factor-webauthn.component';
 import { TwoFactorYubiKeyComponent } from './settings/two-factor-yubikey.component';
 import { UpdateKeyComponent } from './settings/update-key.component';
 import { UpdateLicenseComponent } from './settings/update-license.component';
@@ -399,8 +399,8 @@ registerLocaleData(localeZhTw, 'zh-TW');
         TwoFactorOptionsComponent,
         TwoFactorRecoveryComponent,
         TwoFactorSetupComponent,
-        TwoFactorU2fComponent,
         TwoFactorVerifyComponent,
+        TwoFactorWebAuthnComponent,
         TwoFactorYubiKeyComponent,
         UnsecuredWebsitesReportComponent,
         UpdateKeyComponent,
@@ -454,7 +454,7 @@ registerLocaleData(localeZhTw, 'zh-TW');
         TwoFactorEmailComponent,
         TwoFactorOptionsComponent,
         TwoFactorRecoveryComponent,
-        TwoFactorU2fComponent,
+        TwoFactorWebAuthnComponent,
         TwoFactorYubiKeyComponent,
         UpdateKeyComponent,
     ],
diff --git a/src/app/settings/two-factor-setup.component.html b/src/app/settings/two-factor-setup.component.html
index 7b629208769..04fe750e130 100644
--- a/src/app/settings/two-factor-setup.component.html
+++ b/src/app/settings/two-factor-setup.component.html
@@ -51,4 +51,4 @@
 <ng-template #duoTemplate></ng-template>
 <ng-template #emailTemplate></ng-template>
 <ng-template #yubikeyTemplate></ng-template>
-<ng-template #u2fTemplate></ng-template>
+<ng-template #webAuthnTemplate></ng-template>
diff --git a/src/app/settings/two-factor-setup.component.ts b/src/app/settings/two-factor-setup.component.ts
index 1ee49e2a0fc..58aeac78580 100644
--- a/src/app/settings/two-factor-setup.component.ts
+++ b/src/app/settings/two-factor-setup.component.ts
@@ -23,7 +23,7 @@ import { TwoFactorAuthenticatorComponent } from './two-factor-authenticator.comp
 import { TwoFactorDuoComponent } from './two-factor-duo.component';
 import { TwoFactorEmailComponent } from './two-factor-email.component';
 import { TwoFactorRecoveryComponent } from './two-factor-recovery.component';
-import { TwoFactorU2fComponent } from './two-factor-u2f.component';
+import { TwoFactorWebAuthnComponent } from './two-factor-webauthn.component';
 import { TwoFactorYubiKeyComponent } from './two-factor-yubikey.component';
 
 @Component({
@@ -34,9 +34,9 @@ export class TwoFactorSetupComponent implements OnInit {
     @ViewChild('recoveryTemplate', { read: ViewContainerRef, static: true }) recoveryModalRef: ViewContainerRef;
     @ViewChild('authenticatorTemplate', { read: ViewContainerRef, static: true }) authenticatorModalRef: ViewContainerRef;
     @ViewChild('yubikeyTemplate', { read: ViewContainerRef, static: true }) yubikeyModalRef: ViewContainerRef;
-    @ViewChild('u2fTemplate', { read: ViewContainerRef, static: true }) u2fModalRef: ViewContainerRef;
     @ViewChild('duoTemplate', { read: ViewContainerRef, static: true }) duoModalRef: ViewContainerRef;
     @ViewChild('emailTemplate', { read: ViewContainerRef, static: true }) emailModalRef: ViewContainerRef;
+    @ViewChild('webAuthnTemplate', { read: ViewContainerRef, static: true }) webAuthnModalRef: ViewContainerRef;
 
     organizationId: string;
     providers: any[] = [];
@@ -117,10 +117,10 @@ export class TwoFactorSetupComponent implements OnInit {
                     this.updateStatus(enabled, TwoFactorProviderType.Email);
                 });
                 break;
-            case TwoFactorProviderType.U2f:
-                const u2fComp = this.openModal(this.u2fModalRef, TwoFactorU2fComponent);
-                u2fComp.onUpdated.subscribe((enabled: boolean) => {
-                    this.updateStatus(enabled, TwoFactorProviderType.U2f);
+            case TwoFactorProviderType.WebAuthn:
+                const webAuthnComp = this.openModal(this.webAuthnModalRef, TwoFactorWebAuthnComponent);
+                webAuthnComp.onUpdated.subscribe((enabled: boolean) => {
+                    this.updateStatus(enabled, TwoFactorProviderType.WebAuthn);
                 });
                 break;
             default:
diff --git a/src/app/settings/two-factor-verify.component.ts b/src/app/settings/two-factor-verify.component.ts
index 104dd9b1691..6c55a95fd30 100644
--- a/src/app/settings/two-factor-verify.component.ts
+++ b/src/app/settings/two-factor-verify.component.ts
@@ -59,8 +59,8 @@ export class TwoFactorVerifyComponent {
                 case TwoFactorProviderType.Email:
                     this.formPromise = this.apiService.getTwoFactorEmail(request);
                     break;
-                case TwoFactorProviderType.U2f:
-                    this.formPromise = this.apiService.getTwoFactorU2f(request);
+                case TwoFactorProviderType.WebAuthn:
+                    this.formPromise = this.apiService.getTwoFactorWebAuthn(request);
                     break;
                 case TwoFactorProviderType.Authenticator:
                     this.formPromise = this.apiService.getTwoFactorAuthenticator(request);
diff --git a/src/app/settings/two-factor-u2f.component.html b/src/app/settings/two-factor-webauthn.component.html
similarity index 79%
rename from src/app/settings/two-factor-u2f.component.html
rename to src/app/settings/two-factor-webauthn.component.html
index af0a4d6b0d8..69f68114b8f 100644
--- a/src/app/settings/two-factor-u2f.component.html
+++ b/src/app/settings/two-factor-webauthn.component.html
@@ -4,7 +4,7 @@
             <div class="modal-header">
                 <h2 class="modal-title" id="2faU2fTitle">
                     {{'twoStepLogin' | i18n}}
-                    <small>FIDO U2F</small>
+                    <small>{{'webAuthnTitle' | i18n}}</small>
                 </h2>
                 <button type="button" class="close" data-dismiss="modal" appA11yTitle="{{'close' | i18n}}">
                     <span aria-hidden="true">&times;</span>
@@ -19,27 +19,20 @@
                         {{'twoStepLoginProviderEnabled' | i18n}}
                     </app-callout>
                     <app-callout type="warning">
-                        <p>{{'twoFactorU2fWarning' | i18n}}</p>
+                        <p>{{'twoFactorWebAuthnWarning' | i18n}}</p>
                         <ul class="mb-0">
-                            <li>{{'twoFactorU2fSupportWeb' | i18n}}</li>
+                            <li>{{'twoFactorWebAuthnSupportWeb' | i18n}}</li>
                         </ul>
                     </app-callout>
-                    <img src="../../images/two-factor/4.png" class="float-right ml-5" alt="">
+                    <img src="../../images/two-factor/7.png" class="float-right ml-5" alt="">
                     <ul class="fa-ul">
                         <li *ngFor="let k of keys; let i = index" #removeKeyBtn [appApiAction]="k.removePromise">
                             <i class="fa-li fa fa-key"></i>
-                            <strong *ngIf="!k.configured || !k.name">{{'u2fkeyX' | i18n : i + 1}}</strong>
+                            <strong *ngIf="!k.configured || !k.name">{{'webAuthnkeyX' | i18n : i + 1}}</strong>
                             <strong *ngIf="k.configured && k.name">{{k.name}}</strong>
                             <ng-container *ngIf="k.configured && !removeKeyBtn.loading">
-                                <ng-container *ngIf="k.compromised">
-                                    <i class="fa fa-fw fa-exclamation-triangle text-warning" aria-hidden="true"
-                                        title="{{'keyCompromised' | i18n}}"></i>
-                                    <span class="sr-only">{{'keyCompromised' | i18n}}</span>
-                                </ng-container>
-                                <ng-container *ngIf="!k.compromised">
-                                    <i class="fa fa-fw fa-check text-success" aria-hidden="true"
-                                        title="{{'enabled' | i18n}}"></i>
-                                    <span class="sr-only">{{'enabled' | i18n}}</span>
+                                <ng-container *ngIf="k.migrated">
+                                    <span>{{'webAuthnMigrated' | i18n}}</span>
                                 </ng-container>
                             </ng-container>
                             <ng-container *ngIf="keysConfiguredCount > 1 && k.configured">
@@ -51,7 +44,7 @@
                         </li>
                     </ul>
                     <hr>
-                    <p>{{'twoFactorU2fAdd' | i18n}}:</p>
+                    <p>{{'twoFactorWebAuthnAdd' | i18n}}:</p>
                     <ol>
                         <li>{{'twoFactorU2fGiveName' | i18n}}</li>
                         <li>{{'twoFactorU2fPlugInReadKey' | i18n}}</li>
@@ -66,7 +59,7 @@
                         </div>
                     </div>
                     <button type="button" (click)="readKey()" class="btn btn-outline-secondary mr-2"
-                        [disabled]="readKeyBtn.loading || u2fListening || !keyIdAvailable" #readKeyBtn
+                        [disabled]="readKeyBtn.loading || webAuthnListening || !keyIdAvailable" #readKeyBtn
                         [appApiAction]="challengePromise">
                         {{'readKey' | i18n}}
                     </button>
@@ -74,22 +67,22 @@
                         <i class="fa fa-spinner fa-spin text-muted" aria-hidden="true"></i>
                     </ng-container>
                     <ng-container *ngIf="!readKeyBtn.loading">
-                        <ng-container *ngIf="u2fListening">
+                        <ng-container *ngIf="webAuthnListening">
                             <i class="fa fa-spinner fa-spin text-muted" aria-hidden="true"></i>
                             {{'twoFactorU2fWaiting' | i18n}}...
                         </ng-container>
-                        <ng-container *ngIf="u2fResponse">
+                        <ng-container *ngIf="webAuthnResponse">
                             <i class="fa fa-check-circle text-success" aria-hidden="true"></i>
                             {{'twoFactorU2fClickSave' | i18n}}
                         </ng-container>
-                        <ng-container *ngIf="u2fError">
+                        <ng-container *ngIf="webAuthnError">
                             <i class="fa fa-warning text-danger" aria-hidden="true"></i>
                             {{'twoFactorU2fProblemReadingTryAgain' | i18n}}
                         </ng-container>
                     </ng-container>
                 </div>
                 <div class="modal-footer">
-                    <button type="submit" class="btn btn-primary" [disabled]="form.loading || !u2fResponse">
+                    <button type="submit" class="btn btn-primary" [disabled]="form.loading || !webAuthnResponse">
                         <i class="fa fa-spinner fa-spin" *ngIf="form.loading" title="{{'loading' | i18n}}"
                             aria-hidden="true"></i>
                         <span *ngIf="!form.loading">{{'save' | i18n}}</span>
diff --git a/src/app/settings/two-factor-u2f.component.ts b/src/app/settings/two-factor-webauthn.component.ts
similarity index 62%
rename from src/app/settings/two-factor-u2f.component.ts
rename to src/app/settings/two-factor-webauthn.component.ts
index cbcc6f5883b..de74bbf51d7 100644
--- a/src/app/settings/two-factor-u2f.component.ts
+++ b/src/app/settings/two-factor-webauthn.component.ts
@@ -1,8 +1,6 @@
 import {
     Component,
     NgZone,
-    OnDestroy,
-    OnInit,
 } from '@angular/core';
 
 import { ToasterService } from 'angular2-toaster';
@@ -15,48 +13,35 @@ import { PlatformUtilsService } from 'jslib/abstractions/platformUtils.service';
 import { TwoFactorProviderType } from 'jslib/enums/twoFactorProviderType';
 
 import { PasswordVerificationRequest } from 'jslib/models/request/passwordVerificationRequest';
-import { UpdateTwoFactorU2fDeleteRequest } from 'jslib/models/request/updateTwoFactorU2fDeleteRequest';
-import { UpdateTwoFactorU2fRequest } from 'jslib/models/request/updateTwoFactorU2fRequest';
+import { UpdateTwoFactorWebAuthnDeleteRequest } from 'jslib/models/request/updateTwoFactorWebAuthnDeleteRequest';
+import { UpdateTwoFactorWebAuthnRequest } from 'jslib/models/request/updateTwoFactorWebAuthnRequest';
 import {
     ChallengeResponse,
-    TwoFactorU2fResponse,
-} from 'jslib/models/response/twoFactorU2fResponse';
+    TwoFactorWebAuthnResponse,
+} from 'jslib/models/response/twoFactorWebAuthnResponse';
 
 import { TwoFactorBaseComponent } from './two-factor-base.component';
 
 @Component({
-    selector: 'app-two-factor-u2f',
-    templateUrl: 'two-factor-u2f.component.html',
+    selector: 'app-two-factor-webauthn',
+    templateUrl: 'two-factor-webauthn.component.html',
 })
-export class TwoFactorU2fComponent extends TwoFactorBaseComponent implements OnInit, OnDestroy {
-    type = TwoFactorProviderType.U2f;
+export class TwoFactorWebAuthnComponent extends TwoFactorBaseComponent {
+    type = TwoFactorProviderType.WebAuthn;
     name: string;
     keys: any[];
     keyIdAvailable: number = null;
     keysConfiguredCount = 0;
-    u2fError: boolean;
-    u2fListening: boolean;
-    u2fResponse: string;
+    webAuthnError: boolean;
+    webAuthnListening: boolean;
+    webAuthnResponse: PublicKeyCredential;
     challengePromise: Promise<ChallengeResponse>;
     formPromise: Promise<any>;
 
-    private u2fScript: HTMLScriptElement;
-
     constructor(apiService: ApiService, i18nService: I18nService,
         analytics: Angulartics2, toasterService: ToasterService,
         platformUtilsService: PlatformUtilsService, private ngZone: NgZone) {
         super(apiService, i18nService, analytics, toasterService, platformUtilsService);
-        this.u2fScript = window.document.createElement('script');
-        this.u2fScript.src = 'scripts/u2f.js';
-        this.u2fScript.async = true;
-    }
-
-    ngOnInit() {
-        window.document.body.appendChild(this.u2fScript);
-    }
-
-    ngOnDestroy() {
-        window.document.body.removeChild(this.u2fScript);
     }
 
     auth(authResponse: any) {
@@ -65,18 +50,18 @@ export class TwoFactorU2fComponent extends TwoFactorBaseComponent implements OnI
     }
 
     submit() {
-        if (this.u2fResponse == null || this.keyIdAvailable == null) {
+        if (this.webAuthnResponse == null || this.keyIdAvailable == null) {
             // Should never happen.
             return Promise.reject();
         }
-        const request = new UpdateTwoFactorU2fRequest();
+        const request = new UpdateTwoFactorWebAuthnRequest();
         request.masterPasswordHash = this.masterPasswordHash;
-        request.deviceResponse = this.u2fResponse;
+        request.deviceResponse = this.webAuthnResponse;
         request.id = this.keyIdAvailable;
         request.name = this.name;
 
         return super.enable(async () => {
-            this.formPromise = this.apiService.putTwoFactorU2f(request);
+            this.formPromise = this.apiService.putTwoFactorWebAuthn(request);
             const response = await this.formPromise;
             await this.processResponse(response);
         });
@@ -90,18 +75,18 @@ export class TwoFactorU2fComponent extends TwoFactorBaseComponent implements OnI
         if (this.keysConfiguredCount <= 1 || key.removePromise != null) {
             return;
         }
-        const name = key.name != null ? key.name : this.i18nService.t('u2fkeyX', key.id);
+        const name = key.name != null ? key.name : this.i18nService.t('webAuthnkeyX', key.id);
         const confirmed = await this.platformUtilsService.showDialog(
             this.i18nService.t('removeU2fConfirmation'), name,
             this.i18nService.t('yes'), this.i18nService.t('no'), 'warning');
         if (!confirmed) {
             return;
         }
-        const request = new UpdateTwoFactorU2fDeleteRequest();
+        const request = new UpdateTwoFactorWebAuthnDeleteRequest();
         request.id = key.id;
         request.masterPasswordHash = this.masterPasswordHash;
         try {
-            key.removePromise = this.apiService.deleteTwoFactorU2f(request);
+            key.removePromise = this.apiService.deleteTwoFactorWebAuthn(request);
             const response = await key.removePromise;
             key.removePromise = null;
             await this.processResponse(response);
@@ -115,41 +100,41 @@ export class TwoFactorU2fComponent extends TwoFactorBaseComponent implements OnI
         const request = new PasswordVerificationRequest();
         request.masterPasswordHash = this.masterPasswordHash;
         try {
-            this.challengePromise = this.apiService.getTwoFactorU2fChallenge(request);
+            this.challengePromise = this.apiService.getTwoFactorWebAuthnChallenge(request);
             const challenge = await this.challengePromise;
             this.readDevice(challenge);
         } catch { }
     }
 
-    private readDevice(u2fChallenge: ChallengeResponse) {
+    private readDevice(webAuthnChallenge: ChallengeResponse) {
         // tslint:disable-next-line
         console.log('listening for key...');
-        this.resetU2f(true);
-        (window as any).u2f.register(u2fChallenge.appId, [{
-            version: u2fChallenge.version,
-            challenge: u2fChallenge.challenge,
-        }], [], (data: any) => {
+        this.resetWebAuthn(true);
+
+        navigator.credentials.create({
+            publicKey: webAuthnChallenge,
+        }).then((data: PublicKeyCredential) => {
             this.ngZone.run(() => {
-                this.u2fListening = false;
-                if (data.errorCode) {
-                    this.u2fError = true;
-                    // tslint:disable-next-line
-                    console.log('error: ' + data.errorCode);
-                    return;
-                }
-                this.u2fResponse = JSON.stringify(data);
+                this.webAuthnListening = false;
+                this.webAuthnResponse = data;
             });
-        }, 15);
+        }).catch(err => {
+            // tslint:disable-next-line
+            console.error(err);
+            this.resetWebAuthn(false);
+            // TODO: Should we display the actual error?
+            this.webAuthnError = true;
+        });
     }
 
-    private resetU2f(listening = false) {
-        this.u2fResponse = null;
-        this.u2fError = false;
-        this.u2fListening = listening;
+    private resetWebAuthn(listening = false) {
+        this.webAuthnResponse = null;
+        this.webAuthnError = false;
+        this.webAuthnListening = listening;
     }
 
-    private processResponse(response: TwoFactorU2fResponse) {
-        this.resetU2f();
+    private processResponse(response: TwoFactorWebAuthnResponse) {
+        this.resetWebAuthn();
         this.keys = [];
         this.keyIdAvailable = null;
         this.name = null;
@@ -162,13 +147,13 @@ export class TwoFactorU2fComponent extends TwoFactorBaseComponent implements OnI
                     this.keys.push({
                         id: i, name: key[0].name,
                         configured: true,
-                        compromised: key[0].compromised,
+                        migrated: key[0].migrated,
                         removePromise: null,
                     });
                     continue;
                 }
             }
-            this.keys.push({ id: i, name: null, configured: false, compromised: false, removePromise: null });
+            this.keys.push({ id: i, name: null, configured: false, removePromise: null });
             if (this.keyIdAvailable == null) {
                 this.keyIdAvailable = i;
             }
diff --git a/src/connectors/common-webauthn.ts b/src/connectors/common-webauthn.ts
new file mode 100644
index 00000000000..b8daf0743d2
--- /dev/null
+++ b/src/connectors/common-webauthn.ts
@@ -0,0 +1,62 @@
+export function buildDataString(assertedCredential: PublicKeyCredential) {
+    const response = assertedCredential.response as AuthenticatorAssertionResponse;
+
+    const authData = new Uint8Array(response.authenticatorData);
+    const clientDataJSON = new Uint8Array(response.clientDataJSON);
+    const rawId = new Uint8Array(assertedCredential.rawId);
+    const sig = new Uint8Array(response.signature);
+
+    const data = {
+        id: assertedCredential.id,
+        rawId: coerceToBase64Url(rawId),
+        type: assertedCredential.type,
+        extensions: assertedCredential.getClientExtensionResults(),
+        response: {
+            authenticatorData: coerceToBase64Url(authData),
+            clientDataJson: coerceToBase64Url(clientDataJSON),
+            signature: coerceToBase64Url(sig),
+        },
+    };
+
+    return JSON.stringify(data);
+}
+
+export function b64Decode(str: string) {
+    return decodeURIComponent(Array.prototype.map.call(atob(str), (c: string) => {
+        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
+    }).join(''));
+}
+
+// From https://github.com/abergs/fido2-net-lib/blob/b487a1d47373ea18cd752b4988f7262035b7b54e/Demo/wwwroot/js/helpers.js#L34
+// License: https://github.com/abergs/fido2-net-lib/blob/master/LICENSE.txt
+function coerceToBase64Url(thing: any) {
+    // Array or ArrayBuffer to Uint8Array
+    if (Array.isArray(thing)) {
+        thing = Uint8Array.from(thing);
+    }
+
+    if (thing instanceof ArrayBuffer) {
+        thing = new Uint8Array(thing);
+    }
+
+    // Uint8Array to base64
+    if (thing instanceof Uint8Array) {
+        let str = '';
+        const len = thing.byteLength;
+
+        for (let i = 0; i < len; i++) {
+            str += String.fromCharCode(thing[i]);
+        }
+        thing = window.btoa(str);
+    }
+
+    if (typeof thing !== 'string') {
+        throw new Error('could not coerce to string');
+    }
+
+    // base64 to base64url
+    // NOTE: "=" at the end of challenge is optional, strip it off here
+    thing = thing.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/g, '');
+
+    return thing;
+}
diff --git a/src/connectors/common.ts b/src/connectors/common.ts
new file mode 100644
index 00000000000..08538656959
--- /dev/null
+++ b/src/connectors/common.ts
@@ -0,0 +1,15 @@
+export function getQsParam(name: string) {
+    const url = window.location.href;
+    name = name.replace(/[\[\]]/g, '\\$&');
+    const regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
+    const results = regex.exec(url);
+
+    if (!results) {
+        return null;
+    }
+    if (!results[2]) {
+        return '';
+    }
+
+    return decodeURIComponent(results[2].replace(/\+/g, ' '));
+}
diff --git a/src/connectors/duo.ts b/src/connectors/duo.ts
index 73c2bc2f5dd..21e4b667a66 100644
--- a/src/connectors/duo.ts
+++ b/src/connectors/duo.ts
@@ -1,4 +1,5 @@
 import * as DuoWebSDK from 'duo_web_sdk';
+import { getQsParam } from './common';
 
 // tslint:disable-next-line
 require('./duo.scss');
@@ -27,22 +28,6 @@ document.addEventListener('DOMContentLoaded', event => {
     }
 });
 
-function getQsParam(name: string) {
-    const url = window.location.href;
-    name = name.replace(/[\[\]]/g, '\\$&');
-    const regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
-    const results = regex.exec(url);
-
-    if (!results) {
-        return null;
-    }
-    if (!results[2]) {
-        return '';
-    }
-
-    return decodeURIComponent(results[2].replace(/\+/g, ' '));
-}
-
 function invokeCSCode(data: string) {
     try {
         (window as any).invokeCSharpAction(data);
diff --git a/src/connectors/sso.ts b/src/connectors/sso.ts
index b3f3337af01..ef9383a213a 100644
--- a/src/connectors/sso.ts
+++ b/src/connectors/sso.ts
@@ -1,4 +1,6 @@
-// tslint:disable-next-line
+import { getQsParam } from './common';
+
+// tslint:disable-next-line
 require('./sso.scss');
 
 document.addEventListener('DOMContentLoaded', event => {
@@ -19,22 +21,6 @@ document.addEventListener('DOMContentLoaded', event => {
     }
 });
 
-function getQsParam(name: string) {
-    const url = window.location.href;
-    name = name.replace(/[\[\]]/g, '\\$&');
-    const regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
-    const results = regex.exec(url);
-
-    if (!results) {
-        return null;
-    }
-    if (!results[2]) {
-        return '';
-    }
-
-    return decodeURIComponent(results[2].replace(/\+/g, ' '));
-}
-
 function initiateBrowserSso(code: string, state: string) {
     window.postMessage({ command: 'authResult', code: code, state: state }, '*');
     const handOffMessage = ('; ' + document.cookie).split('; ssoHandOffMessage=').pop().split(';').shift();
diff --git a/src/connectors/webauthn-fallback.html b/src/connectors/webauthn-fallback.html
new file mode 100644
index 00000000000..b3288cff880
--- /dev/null
+++ b/src/connectors/webauthn-fallback.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8" />
+    <title>Bitwarden WebAuthn Connector</title>
+</head>
+
+<body class="layout_frontend">
+    <div class="container">
+        <div class="row justify-content-center mt-5">
+            <div class="col-5">
+                <img src="../images/logo-dark@2x.png" class="mb-4 logo" alt="Bitwarden">
+                <div id="spinner">
+                    <p class="text-center">
+                        <i class="fa fa-spinner fa-spin fa-2x text-muted" title="Loading" aria-hidden="true"></i>
+                    </p>
+                </div>
+                <div id="content" class="card mt-4 d-none">
+                    <div class="card-body ng-star-inserted">
+                        <p id="msg" class="text-center"></p>
+                        <div class="form-check">
+                            <input type="checkbox" class="form-check-input" id="remember" name="remember">
+                            <label class="form-check-label" for="remember" id="remember-label"></label>
+                        </div>
+                        <hr>
+                        <p class="text-center mb-0">
+                            <button id="webauthn-button" onClick="javascript:init()" class="btn btn-primary btn-lg"></button>
+                        </p>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+</body>
+</html>
diff --git a/src/connectors/webauthn-fallback.ts b/src/connectors/webauthn-fallback.ts
new file mode 100644
index 00000000000..ed16ba61cd5
--- /dev/null
+++ b/src/connectors/webauthn-fallback.ts
@@ -0,0 +1,118 @@
+import { getQsParam } from './common';
+import { b64Decode, buildDataString } from './common-webauthn';
+
+// tslint:disable-next-line
+require('./webauthn.scss');
+
+let parentUrl: string = null;
+let parentOrigin: string = null;
+let sentSuccess = false;
+
+let locales: any = {};
+
+document.addEventListener('DOMContentLoaded', async () => {
+    const locale = getQsParam('locale');
+
+    const filePath = `locales/${locale}/messages.json?cache=${process.env.CACHE_TAG}`;
+    const localesResult = await fetch(filePath);
+    locales = await localesResult.json();
+
+    document.getElementById('msg').innerText = translate('webAuthnFallbackMsg');
+    document.getElementById('remember-label').innerText = translate('rememberMe');
+    document.getElementById('webauthn-button').innerText = translate('webAuthnAuthenticate');
+
+    document.getElementById('spinner').classList.add('d-none');
+    const content = document.getElementById('content');
+    content.classList.add('d-block');
+    content.classList.remove('d-none');
+});
+
+function translate(id: string) {
+    return locales[id]?.message || '';
+}
+
+(window as any).init = () => {
+    start();
+};
+
+function start() {
+    if (sentSuccess) {
+        return;
+    }
+
+    if (!('credentials' in navigator)) {
+        error(translate('webAuthnNotSupported'));
+        return;
+    }
+
+    const data = getQsParam('data');
+    if (!data) {
+        error('No data.');
+        return;
+    }
+
+    parentUrl = getQsParam('parent');
+    if (!parentUrl) {
+        error('No parent.');
+        return;
+    } else {
+        parentUrl = decodeURIComponent(parentUrl);
+        parentOrigin = new URL(parentUrl).origin;
+    }
+
+    let json: any;
+    try {
+        const jsonString = b64Decode(data);
+        json = JSON.parse(jsonString);
+    }
+    catch (e) {
+        error('Cannot parse data.');
+        return;
+    }
+
+    initWebAuthn(json);
+}
+
+async function initWebAuthn(obj: any) {
+    const challenge = obj.challenge.replace(/-/g, '+').replace(/_/g, '/');
+    obj.challenge = Uint8Array.from(atob(challenge), c => c.charCodeAt(0));
+
+    // fix escaping. Change this to coerce
+    obj.allowCredentials.forEach((listItem: any) => {
+        const fixedId = listItem.id.replace(/\_/g, '/').replace(/\-/g, '+');
+        listItem.id = Uint8Array.from(atob(fixedId), c => c.charCodeAt(0));
+    });
+
+    try {
+        const assertedCredential = await navigator.credentials.get({ publicKey: obj }) as PublicKeyCredential;
+
+        if (sentSuccess) {
+            return;
+        }
+
+        const dataString = buildDataString(assertedCredential);
+        const remember = (document.getElementById('remember') as HTMLInputElement).checked;
+        window.postMessage({ command: 'webAuthnResult', data: dataString, remember: remember }, '*');
+
+        sentSuccess = true;
+        success(translate('webAuthnSuccess'));
+    } catch (err) {
+        error(err);
+    }
+}
+
+function error(message: string) {
+    const el = document.getElementById('msg');
+    el.innerHTML = message;
+    el.classList.add('alert');
+    el.classList.add('alert-danger');
+}
+
+function success(message: string) {
+    (document.getElementById('webauthn-button') as HTMLButtonElement).disabled = true;
+
+    const el = document.getElementById('msg');
+    el.innerHTML = message;
+    el.classList.add('alert');
+    el.classList.add('alert-success');
+}
diff --git a/src/connectors/webauthn.html b/src/connectors/webauthn.html
new file mode 100644
index 00000000000..15a7541dea3
--- /dev/null
+++ b/src/connectors/webauthn.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8" />
+    <title>Bitwarden WebAuthn Connector</title>
+</head>
+
+<body style="background: transparent;">
+    <img src="../images/u2fkey.jpg" class="rounded img-fluid mb-3">
+    <div class="text-center">
+        <button id="webauthn-button" class="btn btn-primary" onclick="javascript:executeWebAuthn()"></button>
+    </div>
+</body>
+
+</html>
diff --git a/src/connectors/webauthn.scss b/src/connectors/webauthn.scss
new file mode 100644
index 00000000000..bf821966e0a
--- /dev/null
+++ b/src/connectors/webauthn.scss
@@ -0,0 +1,5 @@
+@import "../scss/styles.scss";
+
+body {
+    min-width: 0px !important;
+}
diff --git a/src/connectors/webauthn.ts b/src/connectors/webauthn.ts
new file mode 100644
index 00000000000..1d210802ad6
--- /dev/null
+++ b/src/connectors/webauthn.ts
@@ -0,0 +1,122 @@
+import { getQsParam } from './common';
+import { b64Decode, buildDataString } from './common-webauthn';
+
+// tslint:disable-next-line
+require('./webauthn.scss');
+
+document.addEventListener('DOMContentLoaded', () => {
+    init();
+
+    const text = getQsParam('btnText');
+    if (text) {
+        document.getElementById('webauthn-button').innerText = decodeURI(text);
+    }
+});
+
+let parentUrl: string = null;
+let parentOrigin: string = null;
+let stopWebAuthn = false;
+let sentSuccess = false;
+let obj: any = null;
+
+function init() {
+    start();
+    onMessage();
+    info('ready');
+}
+
+function start() {
+    sentSuccess = false;
+
+    if (!('credentials' in navigator)) {
+        error('WebAuthn is not supported in this browser.');
+        return;
+    }
+
+    const data = getQsParam('data');
+    if (!data) {
+        error('No data.');
+        return;
+    }
+
+    parentUrl = getQsParam('parent');
+    if (!parentUrl) {
+        error('No parent.');
+        return;
+    } else {
+        parentUrl = decodeURIComponent(parentUrl);
+        parentOrigin = new URL(parentUrl).origin;
+    }
+
+    try {
+        const jsonString = b64Decode(data);
+        obj = JSON.parse(jsonString);
+    }
+    catch (e) {
+        error('Cannot parse data.');
+        return;
+    }
+
+    const challenge = obj.challenge.replace(/-/g, '+').replace(/_/g, '/');
+    obj.challenge = Uint8Array.from(atob(challenge), c => c.charCodeAt(0));
+
+    // fix escaping. Change this to coerce
+    obj.allowCredentials.forEach((listItem: any) => {
+        const fixedId = listItem.id.replace(/\_/g, '/').replace(/\-/g, '+');
+        listItem.id = Uint8Array.from(atob(fixedId), c => c.charCodeAt(0));
+    });
+
+    stopWebAuthn = false;
+
+    if (navigator.userAgent.indexOf(' Safari/') !== -1 && navigator.userAgent.indexOf('Chrome') === -1) {
+        // TODO: Hide image, show button
+    } else {
+        executeWebAuthn();
+    }
+}
+
+function executeWebAuthn() {
+    if (stopWebAuthn) {
+        return;
+    }
+
+    navigator.credentials.get({ publicKey: obj })
+        .then(success)
+        .catch(err => error('WebAuth Error: ' + err));
+}
+
+(window as any).executeWebAuthn = executeWebAuthn;
+
+function onMessage() {
+    window.addEventListener('message', event => {
+        if (!event.origin || event.origin === '' || event.origin !== parentOrigin) {
+            return;
+        }
+
+        if (event.data === 'stop') {
+            stopWebAuthn = true;
+        }
+        else if (event.data === 'start' && stopWebAuthn) {
+            start();
+        }
+    }, false);
+}
+
+function error(message: string) {
+    parent.postMessage('error|' + message, parentUrl);
+}
+
+function success(assertedCredential: PublicKeyCredential) {
+    if (sentSuccess) {
+        return;
+    }
+
+    const dataString = buildDataString(assertedCredential);
+    parent.postMessage('success|' + dataString, parentUrl);
+    sentSuccess = true;
+}
+
+function info(message: string) {
+    parent.postMessage('info|' + message, parentUrl);
+}
+
diff --git a/src/images/two-factor/7.png b/src/images/two-factor/7.png
new file mode 100644
index 0000000000000000000000000000000000000000..7098e4c76843820c156cc6045ab73c113bd161ea
GIT binary patch
literal 1620
zcmV-a2CMmrP)<h;3K|Lk000e1NJLTq003kF000vR1^@s6X2qy200001b5ch_0Itp)
z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D1?fpdK~z{r)tGCD
zRaF$n&z(_=2y!gS$`4~k^ne^|q>oKR59mV*B{@<v6-hx4l^_YK@k7|l$}mbRMybpw
z&<|0lg&JfJC$ustYHW%K=}TJKYogo#x6fK<_Br?5bR6fVe^_^|z0W>t@AcSwuXB?l
z1?^K-kB6*zRA4mL++_TqpvfngI2yQ1^pob;o;D91($Q+-XyYCcYu=PLM~)^bn<45o
zI?eiPpl4*llC)J0jp>MVoon3<h2|v~hs{Ba20LW4sM~0ks2(~*vt;mzX|ojfi_p{7
z*WbA-^fVqfi(0kL8`9>{g(f*}ulRduGdQ#!x<to`t`DsO<bXD@OVU=d&UiziHL#0s
zPg}`+<0FRjP87|9tZUTZcgXX`TQq6S`D=YM(pCse8Ll=?fS0CX!@)h|muy>^Er$qn
zJ^>v@ou#mVG`*&ufmBW&FdicgLXDwnv*26PR<hD|T|;4OC}wb(Ek`s$K>GTx+b`zF
z%#7)0yg1He2lqk@-z|>IMH5poSz|m095&qS()d$MJQ(=y_(9~yRrhe`90`VNBjZiX
z5SP7+jE}EYnr}3jmvA<dko7C+6N;I4oAGtp9Uqz;p!cVWmP`Bwl3W$7ZJ+Y;$zebV
z^c+VrevggcB%-J&g`Q!UC(R12;Yo4d@%I|fLGN(<Y!~HhQJcGh{#UGx?LjuMmW?Jm
z2n0u3Y$NRq=n<h8!amA-N@ll@J9sD{cFcT{wvvU$!EEDHV?Ifi38u)MwaR#ajbZ1_
z4IM*H(hjS9spmBrBA~BV#Iqmi5YW$}i#yXnzbB2~U!FYI8ZQF<%oQ9_K(RlTnWy*;
zZH~*>9s*k|l3XwL#X5q02=NX94;v?%5EHl)Rw-zoiWl!1zs%_;XfYlXVZaX2G`&AL
zYNI=sMG?qADz>vkEuv*2fFU`wwf0uTIIh4_OROLpCwcBPdHASQ_vqJ806>D41(|QO
zmTHo4+`k`s>Q{Q$-=ej$_MXs_uCpT-kV>_>S}b-rk;8EVdfD$7ugLhI<e6WjxyxM7
zaAs%P3cG{=qmQ6?;6kwXJv0_Q{~!yDrL=AqvEa$ldxto?k45vHkzq{pF(d@p_Lt}-
z`hcy)cZnaz!$#lNbN&#E6YT@(E+*dIq?+_F=g0k>gK9sLcGtzCAzxMEkL}i6K(_6k
zgHhS#F3Kt=<KSuIIB|n<l;@5s;e6wOEMQAIc@S|h@6UbbmaYlylXk9~dEUk?l227%
zzc`Nm&c^t<CK-45?jSS2(pb*qKx+HF!aT*o<Zxo3Z+GXfCdXjiW$>g|;>_l~ERl;x
z7RWAl(G{tfP!<PRWY?#yWV-Rq>dz)I9B&-p%u>4S%&j<>3T<#)^Wd=;oc=i(*|o4^
zIsGSz#)??W-y)D1DJPROet#VZ9=Op!=FpL%CLreU&(c=FyXq_c4N@#^%RU6-Mb4Lw
znK60a;`PgRp0IFm!JIWq_HX@m+LiZhn0L{|&#qW-%?n$0Ui#dsx0UAmH1=oFg(wm}
zF%I0x93k8}W#nfx-%nFb2KAgc#yE-5aFp#3@VIgCrtuhLw_}GKTRc+}ovCl>*LO|s
zGL~bg;wTTZOMTBTY=(et-3y^QkzUT^-z8FpbIjqyFqhtCXZY@ThBee7cD%16{&4hw
z@Q3I*2;%I%tB{4_j&BI+1q6qGFJjTJ(h);O((m_*-zhohO#M@ALD~vNhrg*s)ZdHK
z?z-sFxQ|5oUJ2hLkBM;BQ<~cy<-21*H~$+Z*TbX6;}6BG3KQ*8KX)5z^C15(fB%#Q
z#2o&*hzzTjDLnUarO>-;#XKk&j<H<Syf?qnRJ~ig2uebN&HWUAUvR{QQd`bLhnM3k
zxAk}aW^z4HJvxF8vvHcp?PF~|*G+m}yXzYO%F0s6=-@ytEIyuc(3oyLk1Mdc&{!OZ
zP8`57hv7NcoWWV<^s_~L2h@!Bv7k&>8DjmR!!Vq+f%y4<=&b2Kkd7otl79gXD>r$m
S5~#-j0000<MNUMnLSTY&fF7*?

literal 0
HcmV?d00001

diff --git a/src/locales/en/messages.json b/src/locales/en/messages.json
index 7f88d2b8e02..51434de4f23 100644
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@@ -725,6 +725,15 @@
   "u2fTitle": {
     "message": "FIDO U2F Security Key"
   },
+  "webAuthnTitle": {
+    "message": "FIDO2 WebAuthn"
+  },
+  "webAuthnDesc": {
+    "message": "Use any WebAuthn enabled security key to access your account."
+  },
+  "webAuthnMigrated": {
+    "message": "(Migrated from FIDO)"
+  },
   "emailTitle": {
     "message": "Email"
   },
@@ -1260,6 +1269,15 @@
       }
     }
   },
+  "webAuthnkeyX": {
+    "message": "WebAuthn Key $INDEX$",
+    "placeholders": {
+      "index": {
+        "content": "$1",
+        "example": "2"
+      }
+    }
+  },
   "nfcSupport": {
     "message": "NFC Support"
   },
@@ -1305,6 +1323,9 @@
   "removeU2fConfirmation": {
     "message": "Are you sure you want to remove this security key?"
   },
+  "twoFactorWebAuthnAdd": {
+    "message": "Add a WebAuthn security key to your account"
+  },
   "readKey": {
     "message": "Read Key"
   },
@@ -1338,6 +1359,12 @@
   "twoFactorU2fProblemReadingTryAgain": {
     "message": "There was a problem reading the security key. Try again."
   },
+  "twoFactorWebAuthnWarning": {
+    "message": "Due to platform limitations, WebAuthn cannot be used on all Bitwarden applications. You should enable another two-step login provider so that you can access your account when WebAuthn cannot be used. Supported platforms:"
+  },
+  "twoFactorWebAuthnSupportWeb": {
+    "message": "Web vault and browser extensions on a desktop/laptop with a WebAuthn enabled browser (Chrome, Opera, Vivaldi, or Firefox with FIDO U2F enabled)."
+  },
   "twoFactorRecoveryYourCode": {
     "message": "Your Bitwarden two-step login recovery code"
   },
@@ -3762,5 +3789,17 @@
   },
   "dateParsingError": {
     "message": "There was an error saving your deletion and expiration dates."
+  },
+  "webAuthnFallbackMsg": {
+    "message": "To verify your 2FA please click the button below."
+  },
+  "webAuthnAuthenticate": {
+    "message": "Authenticate WebAutn"
+  },
+  "webAuthnNotSupported": {
+    "message": "WebAuthn is not supported in this browser."
+  },
+  "webAuthnSuccess": {
+    "message": "<strong>WebAuthn verified successfully!</strong><br>You may close this tab."
   }
 }
diff --git a/src/scss/styles.scss b/src/scss/styles.scss
index be32ef9e2f3..598fea83b30 100644
--- a/src/scss/styles.scss
+++ b/src/scss/styles.scss
@@ -604,6 +604,17 @@ app-user-billing {
     }
 }
 
+#web-authn-frame {
+    background: url('../images/loading.svg') 0 0 no-repeat;
+    height: 290px;
+
+    iframe {
+        width: 100%;
+        height: 100%;
+        border: none;
+    }
+}
+
 #bt-dropin-container {
     background: url('../images/loading.svg') 0 0 no-repeat;
     min-height: 50px;
diff --git a/src/services/webPlatformUtils.service.ts b/src/services/webPlatformUtils.service.ts
index 1bf2d0383c6..977b7f276b6 100644
--- a/src/services/webPlatformUtils.service.ts
+++ b/src/services/webPlatformUtils.service.ts
@@ -158,11 +158,8 @@ export class WebPlatformUtilsService implements PlatformUtilsService {
         return process.env.APPLICATION_VERSION || '-';
     }
 
-    supportsU2f(win: Window): boolean {
-        if (win != null && (win as any).u2f != null) {
-            return true;
-        }
-        return this.isChrome() || ((this.isEdge() || this.isOpera() || this.isVivaldi()) && !Utils.isMobileBrowser);
+    supportsWebAuthn(win: Window): boolean {
+        return (typeof(PublicKeyCredential) !== 'undefined');
     }
 
     supportsDuo(): boolean {
diff --git a/webpack.config.js b/webpack.config.js
index 90c4c24b7a8..e37ee076b4f 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -88,6 +88,16 @@ const plugins = [
         filename: 'u2f-connector.html',
         chunks: ['connectors/u2f'],
     }),
+    new HtmlWebpackPlugin({
+        template: './src/connectors/webauthn.html',
+        filename: 'webauthn-connector.html',
+        chunks: ['connectors/webauthn'],
+    }),
+    new HtmlWebpackPlugin({
+        template: './src/connectors/webauthn-fallback.html',
+        filename: 'webauthn-fallback-connector.html',
+        chunks: ['connectors/webauthn-fallback'],
+    }),
     new HtmlWebpackPlugin({
         template: './src/connectors/sso.html',
         filename: 'sso-connector.html',
@@ -158,6 +168,8 @@ const config = {
         'app/polyfills': './src/app/polyfills.ts',
         'app/main': './src/app/main.ts',
         'connectors/u2f': './src/connectors/u2f.js',
+        'connectors/webauthn': './src/connectors/webauthn.ts',
+        'connectors/webauthn-fallback': './src/connectors/webauthn-fallback.ts',
         'connectors/duo': './src/connectors/duo.ts',
         'connectors/sso': './src/connectors/sso.ts',
     },