two-factor icon indicating copy to clipboard operation
two-factor copied to clipboard

Published 20 hours ago verified publisher icon WordPress

Remove U2F

Open georgestephanis opened this issue 2 years ago • 8 comments

As discussed with @jeffpaul with its deprecation we should remove the provider.

georgestephanis avatar Apr 20 '22 19:04 georgestephanis

@kasparsd note that this relates to https://github.com/WordPress/two-factor/issues/423#event-6301632114 wherein the next step after removing U2F is the determining the best path forward from here (happy to hear your input there).

jeffpaul avatar Apr 20 '22 19:04 jeffpaul

So this handles the code change, my only uncertainty at this point is whether we should do something to handle the data / ux.

That being, if someone had U2F enabled, but no other providers, would its sudden absence disable 2fa on their account entirely, and is that a case in which we should force enable an alternative, such as emailed codes so there is still some second factor?

georgestephanis avatar Apr 21 '22 13:04 georgestephanis

That being, if someone had U2F enabled, but no other providers, would its sudden absence disable 2fa on their account entirely, and is that a case in which we should force enable an alternative, such as emailed codes so there is still some second factor?

Yeah, this is a really important point!

Otherwise this looks good!

kasparsd avatar Apr 21 '22 18:04 kasparsd

@jeffpaul Do you have any thoughts on what the workflow should be if a user only has u2f enabled but no others?

georgestephanis avatar Apr 22 '22 17:04 georgestephanis

Hi,

U2F will be removed in v.0.8 but it will be still possible to use physical keys with webauthn? https://github.com/WordPress/two-factor/pull/427

Also - when we can expect v.0.8 release?

dziudek avatar May 20 '22 12:05 dziudek

@georgestephanis if a user only has U2F enabled and the plugin is updated to whatever version this removal will be part of (e.g. 0.8.0), then we could possibly go with one of the following:

  • Enable and set Primary on their Email method (this relies on them still having access to the email attached to their profile but at least keeps 2FA active for them)
  • Add a non-dismissable (until resolved) admin notice for affected users directing them to the 2FA portion of their profile to enable a new method (not a huge fan of adding another admin notice to what could be a lengthy list already, but this would be a more graceful yet less 2FA-secure approach)
  • something else I've yet to consider?

What are your thoughts on this?

jeffpaul avatar Sep 09 '22 16:09 jeffpaul

If we end up switching libraries in #427, then I think we could seamlessly migrate the existing U2F keys to the WebAuthn provider.

Update: @mcguffin started a PR for this in #491 🎉

iandunn avatar Oct 14 '22 19:10 iandunn

Discussing with @georgestephanis at WC US, we think it would be a good idea to "fail closed" here. That is, if someone has only the U2F 2FA method available, when we remove support for it, we don't want the user to have 2FA bypassed. Instead, we think we can enable the Two_Factor_Email method for the user if it is still available.

Otherwise, we should return a WP_Error from Two_Factor_Core::get_available_providers_for_user indicating that 2FA is not available, and they should contact their site administrator. This would be adding a new return type to the method, which may fatal a site. But that would be an edge case of an edge case, and still fail closed which is preferable to failing open.

TimothyBJacobs avatar Aug 24 '23 14:08 TimothyBJacobs