
U2F support in the future versions of Chrome

Open dziudek opened this issue 3 years ago • 41 comments

Hi,

Today I have seen in my JS console the following warning while I was logging in using my Yubikey:

The U2F Security Key API is deprecated and will be removed soon. If you own this website, please migrate to the Web Authentication API. For more information see https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A/m/yg20tsVFBAAJ

Does it mean that next year security keys won't work at all with your plugin?

dziudek avatar Nov 11 '21 23:11 dziudek

I don't get this message in the JS Console, I get a dialog for this message with the same text asking to block or give access. But issue 232 is, I think, a solution for this, maybe the maintainer can merge the code and 'bake' a new release.

innertruth avatar Nov 20 '21 18:11 innertruth

I'm seeing this as a popup rather than in the JS console.

Is this likely to be resolved before 1 February?

Thanks.

BackSeat avatar Nov 25 '21 12:11 BackSeat

@BackSeat - I can confirm - after latest Chrome update (v.96) I also get the notice about February 2022

dziudek avatar Nov 25 '21 12:11 dziudek

I just got it as well:

[Screenshot: Screen Shot 2021-11-29 at 14 15 42]

westonruter avatar Nov 29 '21 22:11 westonruter

Is anyone on the plugin development team aware of this issue yet? Looks like it's going to be a big mess come February, if the plugin isn't changed over to the Web Authentication API by then.

blogtutor avatar Nov 30 '21 16:11 blogtutor

This is an issue for me, as well. It sounds like this plugin will become useless for me in Feb. Even now, I cannot register my key on new things.

bemyhre avatar Nov 30 '21 19:11 bemyhre

Noting a few folks have posted here as well: https://wordpress.org/support/topic/u2f-api-deprecation-message/

timarney avatar Dec 06 '21 14:12 timarney

Google documentation for the deprecation: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A

This will break logging in to WordPress for anyone using this plugin with a U2F security key in a Chromium-based browser after February.

pjv avatar Dec 22 '21 12:12 pjv

Any update on this? We are currently 3 weeks from February...not knowing when the update will be hitting that will remove the U2F API means we could be in a real mess sooner than later.

supawiz6991 avatar Jan 11 '22 00:01 supawiz6991

I personally haven't had time to work on this, unfortunately.

The tricky thing is that the two-factor plugin is currently available on both WP.org and Packagist.org, which mirrors this source repo; however, adding WebAuthn will probably need some helper JS libraries to be added via npm (along with build tooling), so we'll need to either keep tracking the built assets as part of the repo or create a dedicated release repo which contains the built assets and map it to the Packagist source.

Happy to support with reviewing a pull request if anyone is up for creating one.

Relating this to #232.

kasparsd avatar Jan 11 '22 17:01 kasparsd

Here is some existing art from @mcguffin https://github.com/mcguffin/two-factor-webauthn

Looks like we'll need to pull in both external JS and PHP dependencies (and potentially even PHP extensions) for this to work.

kasparsd avatar Jan 11 '22 17:01 kasparsd

@kasparsd I'd be happy to craft a PR.

I just managed to get rid of one of the large dependencies in mcguffin/two-factor-webauthn. The other ones are easy to refactor. The PR should introduce about 2k new lines of PHP and 500 lines of JS.

Minimum PHP would increase to 7.2 (according to phpcompatinfo), but luckily there are no other PHP extensions necessary than the ones WP requires anyway.

mcguffin avatar Jan 21 '22 15:01 mcguffin

Just FYI, since I am using Edge Beta I am already hit by the deprecation. I have added Wp-WebAuthn plugin and that allowed me to log in via direct webauthn authentication via my yubikey, while this plugin is still active. This might be an alternative route.

norbusan avatar Jan 21 '22 15:01 norbusan

@mcguffin would gladly welcome a PR to help out here! 🙏🏼

jeffpaul avatar Jan 21 '22 18:01 jeffpaul

👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Please feel free to get some ideas from my implementation (in addition to U2F, it supports user verification (this is configurable), authenticator attachment requirement (also configurable), and properly validates the signature counter). I have successfully tested it in both normal and WP VIP environments.

I am not going to compete with @mcguffin and create another PR; my implementation differs in spirit from the rest of Two Factor and I don't have time to rewrite it anyway :-)

sjinks avatar Jan 24 '22 02:01 sjinks

👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Tested. Works great.

@sjinks do you have any plans to upload your implementation to the WordPress plugin archive for updating (subscribed to notifications on releases in your repo in the meantime)?

pjv avatar Jan 24 '22 11:01 pjv

Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

That's a nice feature! It would be great if we could provide a 100% seamless upgrade path to all users, maybe even default to the WebAuthn authenticator as the plugin update is released.

kasparsd avatar Jan 24 '22 11:01 kasparsd

@kasparsd @sjinks I like the migration of legacy keys too and would be ready to adapt #427 accordingly this week. I think from a usability perspective it could make sense to build WebAuthn support directly into the U2F FIDO provider and drop the extra WebAuthn provider entirely. Maybe some more opinions on this?

mcguffin avatar Jan 24 '22 12:01 mcguffin

It would be great if we could provide a 100% seamless upgrade path to all users

@kasparsd the only issue is that there are only a couple of WebAuthn implementations supporting U2F.

webauthn-server supports it and probably webauthn-lib (in the Hard Way, but it was too hard for me as it required much more time than I could invest). The other implementations I tested (webauthn by Lucas Buchs and webauthn by David Earl) don't because they don't support the AppID extension properly (they fail upon the RpID signature check).

sjinks avatar Jan 24 '22 15:01 sjinks
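An added illustration (not code from Two Factor or from any of the plugins linked in this thread) of the two server-side checks these comments touch on: comparing rpIdHash against the legacy U2F AppID when the client reports the appid extension, and validating the signature counter. The RP ID, AppID and authenticatorData blobs are constructed assumptions.

```python
import hashlib
import struct

# Constructed sample values: a site whose WebAuthn RP ID is "example.com" and
# whose legacy U2F AppID was its https origin (the usual U2F arrangement).
RP_ID = "example.com"
LEGACY_APPID = "https://example.com"

FLAG_UP = 0x01  # user present bit in the authenticatorData flags byte


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of WebAuthn authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_rp_id_hash(rp_id_hash: bytes, appid_used: bool) -> bool:
    """A key registered via U2F signs over SHA-256(AppID), not SHA-256(RP ID).
    appid_used is what the client reported in getClientExtensionResults().appid;
    only then is the AppID hash accepted. Skipping this branch is why some
    libraries reject every legacy key at the rpIdHash check."""
    if rp_id_hash == hashlib.sha256(RP_ID.encode()).digest():
        return True
    return appid_used and rp_id_hash == hashlib.sha256(LEGACY_APPID.encode()).digest()


def check_sign_count(new_count: int, stored_count: int) -> bool:
    """Counter must strictly increase; both zero means the authenticator has no
    counter. A stalled or decreasing counter is a cloned-key indicator."""
    if new_count == 0 and stored_count == 0:
        return True
    return new_count > stored_count


def verify_assertion(auth_data: bytes, appid_used: bool, stored_count: int):
    """Return (ok, reason) for the checks above; signature check is out of scope."""
    parsed = parse_authenticator_data(auth_data)
    if not check_rp_id_hash(parsed["rp_id_hash"], appid_used):
        return False, "rpIdHash matches neither RP ID nor legacy AppID"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if not check_sign_count(parsed["sign_count"], stored_count):
        return False, "signature counter did not increase"
    return True, "ok"


def make_auth_data(rp_or_appid: str, flags: int, count: int) -> bytes:
    """Build a constructed authenticatorData blob (hash || flags || counter)."""
    return hashlib.sha256(rp_or_appid.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
```

The stored counter should be persisted per credential and updated only after a successful assertion, which is the behaviour a migrated U2F key relies on.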

@pjv yes; I am planning to get a couple of peer reviews/code reviews this week and address the found issues. After that, I will upload the plugin to WP.org. In the meantime, you can grab the plugin zip file from the Releases page.

sjinks avatar Jan 24 '22 15:01 sjinks

@pjv https://wordpress.org/plugins/two-factor-provider-webauthn/

sjinks avatar Jan 28 '22 06:01 sjinks

The plugin has stopped working for me now.

BackSeat avatar Feb 10 '22 14:02 BackSeat

@BackSeat - it stopped working for everyone who is using Chrome 98 or browsers on the same engine. For me Firefox works as a fallback at this moment.

dziudek avatar Feb 10 '22 14:02 dziudek

OTP codes still work fine.

westonruter avatar Feb 10 '22 17:02 westonruter

@westonruter - right, I have also added OTP as an alternative just in case, but if somebody used only physical keys, then he cannot log in on Chrome and Chromium-based browsers anymore.

dziudek avatar Feb 10 '22 17:02 dziudek

@dziudek you can use this addon to Two Factor until #427 gets merged.

sjinks avatar Feb 10 '22 18:02 sjinks

@kasparsd - any plans for releasing 0.8.0 with webauthn support?

dziudek avatar Mar 02 '22 15:03 dziudek

Sorry for the delay everyone! I haven't been able to find time for this mentally and practically due to the recent world events and, recently, Putin's war in Ukraine.

If anyone is able to review the recent revisions of #427 and test them locally (especially how it works with the existing U2F keys), feel free to merge it in and tag a new release. Pushing it to WP.org is as simple as npm run deploy, which will ask you for WP.org credentials that have commit access to the repo https://wordpress.org/plugins/two-factor/advanced/

I've added @jeffpaul as a committer to the repo (in addition to @georgestephanis) so he can now add other people.

kasparsd avatar Mar 04 '22 07:03 kasparsd

Hi there, thanks for all the time that went into two-factor. I'd prefer to stay with this plugin instead of (temporarily) switching to another plugin.

Any update so far?

cheers

corbolais avatar Mar 20 '22 15:03 corbolais

Noting from yesterday's bug scrub that @georgestephanis is going to attempt a separate PR that deprecates and removes the U2F legacy code, from there we can continue to determine the best path forward.

jeffpaul avatar Mar 24 '22 18:03 jeffpaul