aws-google-auth
No attempt to use U2F Security Key
I have a YubiKey U2F security key as my default MFA. aws-google-auth used to immediately use it when I logged in, but now it does not use it and instead prompts me to use a different MFA method.
This appears to be caused by a change with Google's pages, but I do not fully understand how the U2F integration works. I can say when I look at the MFA challenge selector page given to aws-google-auth it says that the security key is "not supported on this device or browser".
Update 1
On further investigation, it looks like U2F integration is switching to a JavaScript implementation. It may not be possible to support U2F without running JavaScript.
So no more U2F support in aws-google-auth?
Or does #203 fix the issue with the U2F integration?
@chrisjaimon2012 #203 restores operation of SMS and TOTP 2FA, but not U2F. I did not write the previous U2F integration and am not quite sure how it worked, so maybe someone else can fix it. As far as I can tell, Google is switching to a JavaScript UI that is going to require something like Selenium to make U2F integration work, but I could be wrong.
Personally I am leaning towards using aws-saml-capture-extension plus a shell script like this on the Mac:
```bash
#!/usr/bin/env bash
# -k: use the keyring, -p: AWS profile ($0, the script's own name, is passed as the profile name),
# --saml-assertion: reuse the assertion captured in the browser; pbpaste reads the macOS clipboard.
aws-google-auth -k -p "$0" --saml-assertion "$(pbpaste)"
```
I would prefer someone fix aws-google-auth, but until then, this works better than the alternatives because, by using my real browser to log in, I have a reliable tool, I do not get asked for CAPTCHA or even 2FA that often, and since aws-google-auth both caches the SAML assertion (which is valid for 5 minutes) and modifies rather than overwrites ~/.aws/credentials, I can follow up the above with additional aws-google-auth commands to get credentials for other profiles and log into multiple accounts at once.
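As an added example (not code from this thread or from aws-google-auth itself), a small Python check of a captured assertion before reusing it across several profiles as described above: it decodes the base64 assertion, reads the Conditions window (the 5-minute validity mentioned above) and lists the AWS roles it carries, so you can see how many seconds remain and which accounts it covers. The sample assertion, account IDs and role names are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (fake account IDs and role names) standing in
# for what the browser extension would place on the clipboard.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
<saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/Google</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::210987654321:role/Prod,arn:aws:iam::210987654321:saml-provider/Google</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def _ts(value):
    # SAML timestamps are ISO 8601 with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(b64_assertion):
    """Return (not_before, not_on_or_after, [(role_arn, provider_arn), ...])."""
    root = ET.fromstring(base64.b64decode(b64_assertion))
    cond = root.find(".//saml:Conditions", NS)
    roles = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in val.text.split(",")]
            # AWS accepts either order; pick the role ARN by its resource type.
            role = next(p for p in parts if ":role/" in p)
            provider = next(p for p in parts if ":saml-provider/" in p)
            roles.append((role, provider))
    return _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")), roles


def seconds_remaining(b64_assertion, now=None):
    """Seconds the assertion is still usable at `now` (0 if outside its window)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after, _ = parse_assertion(b64_assertion)
    if now < not_before or now >= not_after:
        return 0
    return int((not_after - now).total_seconds())


def accounts_covered(b64_assertion):
    """Distinct AWS account IDs the assertion can log into (role ARN field 4)."""
    return sorted({role.split(":")[4] for role, _ in parse_assertion(b64_assertion)[2]})
```

Run `seconds_remaining(SAMPLE_B64)` against the clipboard contents before looping over profiles; a result of 0 means the assertion has to be captured again.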
Another fallback option is to do something based on the https://g.co/sc one-time security codes.
I have an initial support for that implemented in my https://github.com/andreaso/aws-google-auth/tree/wip/skotp-support branch, which builds on top of the https://github.com/cevoaustralia/aws-google-auth/pull/203 branch.
Hmm... I don't really think this one was closed by #203? @stevemac007?
Looks like you are correct - this is back to the fact I don't have a device to test this with.
@stevemac007: If you would like a Yubikey we can ship you one free of charge.
Hi, any chance that volkangurel's PR can get merged soon? I can confirm that this works as a good alternative for Yubikey users.
The user is asked to visit https://g.co/sc which gives them a one-time security code after verifying their Yubikey.