Support W3C Web Authentication
WebAuthn is supported in Firefox 60, and supported shortly in Chrome 67 and Edge 18, providing a cross-browser support that is the spiritual successor to U2F.
It's possible to migrate U2F users and their credentials to WebAuthn, but also possible to run U2F and WebAuthn side-by-side as separate modules.
MDN: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
Spec: https://www.w3.org/TR/webauthn/
Please support webauthn. Currently only Chrome is supported by your plugin, which pushes the Chrome monopoly even further. By supporting webauthn, you don't force people to use Chrome.
@PHPGangsta That's not the case. You can use Google Authenticator with any browser, and you can use U2F with Firefox (I do, every single day) - although at the moment it's not enabled by default.
@pwaring So you can use the "Two Factor" Wordpress plugin with a plain Firefox and webauthn/U2F?
I'm using "WordPress 5.0.3" and "Two Factor 0.3.0" and Firefox 64.
I get this in my Wordpress if I want to activate U2F for a Wordpress user:
Which is clear: This Plugin only supports Chrome as a U2F browser, not all (via webauthn).
I'm asking that webauthn is added to the "Two Factor" Wordpress plugin, so you can use U2F in Firefox without any plugins.
Maybe you have installed the "U2F" Firefox-Addon which adds the old non-standard U2F functionality that Chrome supported for a few years?
@PHPGangsta What you said was: "Currently only Chrome is supported by your plugin". That's not the case - you can use this plugin with Firefox and other browsers, either by using TOTP (through Google Authenticator or a similar app) or by enabling U2F in Firefox.
You can enable U2F in Firefox by going to about:config and switching security.webauth.u2f to true. This definitely works in 64.0, not sure when it was added.
@pwaring This whole ticket is about U2F. I know that the Google Authenticator works with Chrome. But we are talking about U2F/webauthn in this ticket. I have U2F devices, and would like to use them on plain Firefoxes (desktop + mobile). That's only possible if the "Two Factor" Plugin supports webauthn, or you have a "U2F Firefox Addon" installed (which I don't have on all computers/mobile phones where I will use U2F).
The setting "security.webauth.u2f" is set to "true" in my browser (maybe because of tests years ago with the U2F-Addon), I still get the error message that I should use Chrome:
If webauthn is not supported by "Two factor", it cannot work in Firefox...
Are you sure that you don't have the U2F-Addon installed in your Firefox?
@PHPGangsta Yeah, the error message is misleading because there is no standard way of detecting U2F support in browsers. This is how we're currently checking for that:
https://github.com/georgestephanis/two-factor/blob/f33778a5f72a08550cc7f25ab93f67bfd44c7c1d/includes/Google/u2f-api.js#L23
`u2f && u2f.register`
That's how you detect the "old U2F thing by Google", which only Chrome supports, and can be added to Firefox with an Addon.
If you would support webauthn, the feature-check is:
```js
if (window.PublicKeyCredential) {
  // WebAuthn is available in this browser
}
```
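As an added example (not code from the plugin or from any commenter in this thread), here are the two feature checks discussed above side by side, written as a function that takes the global object as a parameter so it can be exercised against constructed stand-ins for `window` instead of a real browser. The function name `detectSecurityKeyApi` and the stand-in objects are assumptions for illustration:

```javascript
// Added example: feature detection for the two hardware-key APIs discussed above.
// Takes the global object as a parameter so it can be tested with constructed
// stand-ins; in a page you would call detectSecurityKeyApi(window).
function detectSecurityKeyApi(win) {
  // WebAuthn (W3C standard): window.PublicKeyCredential is defined and
  // navigator.credentials.create()/get() exist. Checked first because it is the
  // standardized API and needs no browser-specific configuration or add-on.
  const hasWebAuthn =
    typeof win.PublicKeyCredential === 'function' &&
    !!win.navigator && !!win.navigator.credentials &&
    typeof win.navigator.credentials.create === 'function' &&
    typeof win.navigator.credentials.get === 'function';

  // Legacy Google U2F JS API: a global `u2f` object exposing register() and sign().
  // Chrome exposed it natively; Firefox only with the add-on or the
  // security.webauth.u2f pref. There is no standard way to detect it beyond this,
  // which is why sites fell back to user-agent sniffing (and why the plugin's
  // "use Chrome" message is misleading).
  const hasLegacyU2f =
    !!win.u2f &&
    typeof win.u2f.register === 'function' &&
    typeof win.u2f.sign === 'function';

  if (hasWebAuthn) return 'webauthn';
  if (hasLegacyU2f) return 'u2f';
  return null;
}

// Optional follow-up check for the "passwordless" case discussed later in the
// thread: whether a built-in authenticator with user verification (Windows Hello,
// Touch ID, Android biometrics) is available. Resolves to false when the API is
// missing, so callers never see an exception from an old browser.
async function platformAuthenticatorAvailable(win) {
  const PKC = win.PublicKeyCredential;
  if (!PKC || typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return false;
  }
  try {
    return await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch (e) {
    return false;
  }
}

// Usage in a page (not run here):
//   const api = detectSecurityKeyApi(window);   // 'webauthn' | 'u2f' | null
//   if (api === 'webauthn') { /* navigator.credentials.create/get */ }
//   else if (api === 'u2f') { /* legacy u2f.register/u2f.sign */ }
//   else { /* offer TOTP or another method; do not tell the user to switch browser */ }
```

The point of checking WebAuthn first is that a browser which exposes both (Chrome did for a time) should be driven through the standardized API; the legacy branch exists only so already-registered U2F users keep working until they are migrated.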
If you are using U2F in Firefox, you are using the Firefox Addon, not webauthn.
U2F works in Firefox with no plugins if you enable the setting in about:config. You still get the warning about Chrome-only but it does work.
@PHPGangsta U2F and webauthn are different things, although compatible. Do you know a more reliable way for detecting U2F support?
@kasparsd As far as I know, there is no better feature detection for the "old U2F API", that's why all websites rely on "User Agent parsing", which is bad. Now, even if Firefox supports "the old U2F API" with the config-change, you have a lot of software in place with User-Agent-Detection instead of Feature-Detection. That's why webauthn is there, standardized by the W3C, with a proper feature detection mechanism.
@pwaring OK, understood. I clicked the button "register new key" (ignoring the warning), and it worked in Firefox if security.webauth.u2f = true. Firefox then seems to emulate the "old U2F API".
But it's not working with a "Standard Firefox" (without internal config changes). Not everybody likes to edit about:config...
Here a statement I found:
Clarification: Webauth is indeed planned for Firefox 60 (and almost ready) with U2F hardware used on client side, BUT FIDO U2F API is not going to be supported officially (and will not be enabled by default) in favor to WebAuth standard
That "old U2F API" in Firefox is not enabled by default, it's unofficial, and should not be used. webauthn should be used. The "old U2F API" is also not supported by Edge + Opera (and all others) I guess. webauthn is supported there.
webauthn is the future, which all major browsers support "by default" (without changing internal configs). Safari is the last one working on it. https://caniuse.com/#search=webauthn
Instead of using the "old U2F API", the new standardized webauthn API should be used everywhere, so it works in all browsers without any hidden config changes. It's compatible with the old tokens which were generated by the "old U2F API" when using the webauthn appid-extension.
I am currently using the following library to use webauthn in a project: https://github.com/davidearl/webauthn It's not perfect, for example I had to hack in appid support (so I can use the old tokens in the database). But the rest is working fine. The project now has proper feature detection, and all major browsers but Safari support it. And when Safari supports it in the future, it will be usable from day 1, without any code changes.
I didn't want to create lots of discussion here, I just wanted to say that everybody should switch to webauthn as quickly as possible, so the "old U2F API" will go away. It's a pain, like an Internet Explorer feature from 2005: Quick solution to a problem, but many years later you have big pain because of that non-standard thing still being used, with user-agent-detection being a problem.
You can let U2F and webauthn coexist first, then drop the U2F feature.
Thanks for sharing the library you're currently using @PHPGangsta!
I'd love to work on bringing Webauthn to WP :)
Something new here? I would love to use FIDO2 on my website :-)
Making progress, slowly but steadily :)

Any progress on this? I'd REALLY like to be able to use my fido tokens with safari.
@fallingrock I just released Two Factor WebAuthn which is a WebAuth extension for the Two Factor plugin. Still very alpha, so please use with caution …
It's based on the davidearl/webauthn library @PHPGangsta mentioned earlier.
I am not yet certain about the future of the plugin. I'd be willing to maintain and release it on wporg once ready and tested.
Anyway, my favorite approach (and probably the best for the users) would be a merge into Two Factor.
There are some composer dependencies in 2F Webauth and the JS is written in ESNEXT, which might or might not be a no-go here. I'd be happy to discuss the issues and make changes to whatever is required.
I am also hugely in favor of this especially as in combination with user verification you could go passwordless (aka enter your username, submit, and then authenticate to your Device using a PIN fingerprint or similar) and with resident keys even usernameless (where you just click a button instead of submitting your username)
I'd also really like to be able to use my YubiKey with Safari. Unfortunately, it doesn't even work with the extension https://github.com/Safari-FIDO-U2F/Safari-FIDO-U2F. Does anyone have a solution to make it work?
maybe if it's only users that have FIDO2 available with WP you can try this WP plugin instead. I made my blog passwordless with that which is pretty nice. https://wordpress.org/plugins/wp-webauthn/
I'm looking at that plugin. My only issue is that I'd also like to be able to use an authenticator app, as I don't always use a device that can handle a hardware key.
You should be able to run both this plugin and wp-webauthn concurrently, giving you both WebAuthn, plus all the methods the two-factor plugin supports.
are you referring to your phone? if you can log in even once (e.g. by not enforcing fido for a hot second), depending on the phone you can register itself as a device, as webauthn is supported directly on several android and a few ios versions
I would also support to have W3C Web Authentication directly integrated in the two factor plugin. It is pretty much standard and one can use FIDO2 keys with PIN (e.g. Nitrokey, Yubikey). Additionally, people can use personal devices and advanced authentication (e.g. Windows Hello, FaceID etc.).
I do not want to install 10 different plugins for different types of authentication. Hence, I really like and appreciate what the developers of the two factor plugin did.
Whilst I know not everyone likes Google Chrome, I have been using Two Factor for some time with U2F tokens and Chrome is now issuing a warning that U2F will no longer be supported in February 2022. So I add my support to the inclusion of WebAuthn (which is I believe backward compatible with U2F?) as a method within this plugin for those who don't want to go pure passwordless with Webauthn.
Sup, webauthn can basically be used in 3 of what I call 'modes':
- simple second factor just like u2f (which also works with existing u2f sticks AND CREDENTIALS, which means you can just continue without needing to re-register your cred)
- passwordless with username entry, basically enter a username and then use a fido2 compatible stick with pin or biometrics
- usernameless (which also is passwordless). This allows literally for just a click and then entering your pin or bio to login, but has the drawback that the actual credential needs to be kept on hand, so for example yubikeys allow only 25 creds, others allow some more but there's always a limit of these (max i saw is like 128)
I'm seeing the same problem described in https://github.com/WordPress/two-factor/issues/301 (marked as duplicate to this issue) here: My FIDO2 key is set as a second factor, which is correctly requested when logging in on a PC (Firefox), but there is no prompt to authenticate on Android (also Firefox).
Is this still an issue of the plugin not supporting FIDO2 but only U2F (which Firefox/PC may support, but Firefox/Android does not?)
Correct, there's no Android API for U2F in browsers, so Firefox could not implement it.
but chrome on android does iirc I thought android has u2f support (which similarly to windows 10 1903+ is piped through something on the OS to also include platform authenticators)
It does, but it is not exposed for even allowlisted browser applications to access, only Chrome.
(Source: I'm the author for Firefox and an editor on the spec)