
Deprecation of U2F API - Implementation of WebAuthn as 2FA-Provider

Open · itshappyli opened this issue 2 years ago • 24 comments

Summary

WebAuthn has been introduced as a new standard for 2FA, replacing the legacy U2F standard. Additionally, the WebAuthn standard is backward compatible with U2F devices. Unfortunately, the Google Chrome browser only supports U2F until February 2022. The same applies for the Microsoft Edge browser respectively.

Motivation

Since many organizations rely on hardware security keys in their IT infrastructure, support for authentication with these keys must be maintained and guaranteed.

Additional context

Also explained in this blog entry from the Chrome Developers: https://developer.chrome.com/blog/deps-rems-95/

As far as I know, there is already an implementation of WebAuthn in the mailcow UI. The current implementation allows hardware based login to the UI (hardware must also fully comply with the FIDO2 standard). My point of view is using WebAuthn as 2FA method as described above.

itshappyli avatar Jan 14 '22 22:01 itshappyli

I've already worked on that and have successfully migrated from u2f to webauthn https://github.com/FreddleSpl0it/mailcow-dockerized. I will try to do a PR next week.

FreddleSpl0it avatar Jan 15 '22 09:01 FreddleSpl0it

Thanks for your contribution! It's really nice to hear that you managed to successfully implement the WebAuthn API.

I can't wait until it's available!

itshappyli avatar Jan 15 '22 11:01 itshappyli

Yes and we will merge it into the Janmooary Update :)

DerLinkman avatar Jan 16 '22 19:01 DerLinkman

Has anyone tested this new implementation under Linux? Can't register a YubiKey 5 NFC that I successfully used with the old U2F implementation. Tested under Ubuntu with Firefox 96 & Chromium 97.

(This yubikey demo works: https://demo.yubico.com/webauthn-technical/registration.)

ghost avatar Jan 22 '22 19:01 ghost

Can you give us an error code?

DerLinkman avatar Jan 22 '22 20:01 DerLinkman

does your mailcow have a valid ssl certificate or does it have a self-signed/untrusted one?

FreddleSpl0it avatar Jan 22 '22 20:01 FreddleSpl0it

Can you give us an error code?

(screenshot: Bildschirmfoto-20220122211747-2190x214)

There is just a timeout. Normally the yubikey would blink, during the firefox popup, and accept a touch. But in this case it doesn't.

does your mailcow have a valid ssl certificate or does it have a self-signed/untrusted one?

Yes, a valid ssl certificate.

ghost avatar Jan 22 '22 20:01 ghost

Did Webauthn use Javascript @FreddleSpl0it ? If so can you check if your Browser blocks Javascript?

DerLinkman avatar Jan 22 '22 20:01 DerLinkman

Did Webauthn use Javascript @FreddleSpl0it ?

Yes.

If so can you check if your Browser blocks Javascript?

No, there are also no errors in the devtools console.

{
  "publicKey": {
    "rp": {
      "name": "WebAuthn Library",
      "id": "DOMAIN"
    },
    "authenticatorSelection": {
      "userVerification": "preferred",
      "requireResidentKey": true
    },
    "user": {
      "id": {},
      "name": "USERNAME",
      "displayName": "USERNAME"
    },
    "pubKeyCredParams": [
      {
        "type": "public-key",
        "alg": -7
      },
      {
        "type": "public-key",
        "alg": -257
      }
    ],
    "attestation": "indirect",
    "extensions": {
      "exts": true
    },
    "timeout": 30000,
    "challenge": {},
    "excludeCredentials": []
  }
}

But this object is logged, don't know if this helps.

ghost avatar Jan 22 '22 20:01 ghost

I'll take a look at it. I can't tell if your browser just needs some time and that's why you get a timeout or if it's another problem. I'll try to reproduce the problem.

Do you get the same error when you try to use the key as only Fido2 registration?

FreddleSpl0it avatar Jan 22 '22 20:01 FreddleSpl0it

I'll take a look at it. I can't tell if your browser just needs some time and that's why you get a timeout or if it's another problem. I'll try to reproduce the problem.

30 seconds should be enough. Please let me know if i can help with further debugging. (Normally the yubikey starts blinking under a second.)

Do you get the same error when you try to use the key as only Fido2 registration?

If I understand you correctly, that's what I did. (I only clicked on the register button to add the YubiKey.)

ghost avatar Jan 22 '22 20:01 ghost

Do you get the same error when you try to use the key as only Fido2 registration?

If I understand you correctly, that's what I did. (I only clicked on the register button to add the YubiKey.)

And using your Key for 2 Factor Authentication via WebAuthn produced the same error?

FreddleSpl0it avatar Jan 22 '22 21:01 FreddleSpl0it

And using your Key for 2 Factor Authentication via WebAuthn produced the same error?

Yes, same behaviour, except the object I posted above isn't logged. (screenshot: Bildschirmfoto-20220122220715-1150x224)

ghost avatar Jan 22 '22 21:01 ghost

Your YubiKey 5 NFC has a FIDO2 interface. The new Fido2/Webauthn method will try to use your key via this interface instead of the old FIDO interface. This requires that you secure your key with a pin.

If no pin is set, the browser should normally prompt you to set a pin. At least on Windows. Can you check if your key has a pin? https://www.yubico.com/support/download/yubikey-manager/

FreddleSpl0it avatar Jan 22 '22 21:01 FreddleSpl0it

Pin is set. I think the "CredentialCreationOptions" may be the problem.

(fido2-webauthn with bitwarden works with this key and browser. It's probably some problem with the mailcow implementation.)

Bitwarden's "CredentialCreationOptions" differ from the ones used here, see: (screenshot: Bildschirmfoto-20220123001944-406x122)

ghost avatar Jan 22 '22 21:01 ghost

I can only confirm this strange behaviour with Firefox on Ubuntu. However, my YubiKey works fine with Chrome and Opera. In Chrome and Opera I get prompted to enter a PIN :/

The problem could be solved by setting requireResidentKey: false and userVerification: "discouraged" but this is a security feature we should discuss about before dropping it.

FreddleSpl0it avatar Jan 22 '22 23:01 FreddleSpl0it

Yeah, maybe adding a setting in the UI for this would be ok, and leave the default as is. Or a browser/OS detection, but that's not bulletproof.

Fido2+webauthn+pin support overview: https://support.yubico.com/hc/en-us/articles/360016615020-Operating-system-and-web-browser-support-for-FIDO2-and-U2F

Firefox is affected under Linux and macOS, and some Android browsers.

and this seems to be the related firefox bug ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1530370

ghost avatar Jan 22 '22 23:01 ghost

this issue is related #3859

FreddleSpl0it avatar Jan 23 '22 00:01 FreddleSpl0it

(screenshot: fido)

UV flags are set to preferred for both FIDO Second factor and FIDO Passwordless MFA. Seeing this https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/, we should change that. My suggestion is setting the UV flag for FIDO Passwordless MFA to required and the UV flag for FIDO Second factor to discouraged. This way, at least FIDO Second factor should work on Linux Firefox browsers.

FreddleSpl0it avatar Jan 24 '22 06:01 FreddleSpl0it

https://github.com/mozilla/authenticator-rs/pull/157 is now merged, so maybe with the next Nightly built it's included https://bugzilla.mozilla.org/show_bug.cgi?id=1752089

MAGICCC avatar Jan 26 '22 19:01 MAGICCC

I'd like to note that the new WebAuthn thingy is still broken here (Yubikey 5C, GNU/Linux 5.13, Firefox 100). It fails during the register step, the Yubikey won't even start to blink waiting for me to touch it. Firefox is stuck looking for an applicable device.

WebAuthn tests like webauthn.me work fine, though.

itkfm avatar Jun 01 '22 07:06 itkfm

I think there is a bug on Linux both in Firefox and Chrome Browser. The bug occurs when the parameter User Verification is set to preferred. Could you test the process here webauthn.io and go under Advanced Settings and set User Verification to Preferred. The same bug you mentioned should occur.

However you could create a vars.local.inc.php file in data/web/inc and set the "User Verification" Flag for Webauthn to discouraged like:

<?php
  $WEBAUTHN_UV_FLAG_REGISTER = 'discouraged';
  $WEBAUTHN_UV_FLAG_LOGIN = 'discouraged';
?>

FreddleSpl0it avatar Jun 02 '22 09:06 FreddleSpl0it
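The per-flow user-verification policy proposed in the thread (UV required for passwordless, discouraged for second factor) and the override mechanism above, as an added browser-side example that is not mailcow's own code. The flow names, the `FLOW_DEFAULTS` table and the `overrides` parameter are assumptions standing in for mailcow's config variables; the option layout follows the object logged earlier in the thread.

```javascript
// Added example, not part of the mailcow-dockerized project: build
// PublicKeyCredentialCreationOptions with the user-verification flag chosen
// per flow instead of "preferred" for both flows.
const UV_FLAGS = new Set(["required", "preferred", "discouraged"]);

// Assumed per-flow defaults mirroring the suggestion in the thread.
const FLOW_DEFAULTS = {
  "second-factor": { userVerification: "discouraged", requireResidentKey: false },
  "passwordless":  { userVerification: "required",    requireResidentKey: true },
};

// `overrides` plays the role of a vars.local.inc.php style override (assumed name).
function buildCreationOptions(flow, rpId, userName, challenge, overrides = {}) {
  const defaults = FLOW_DEFAULTS[flow];
  if (!defaults) throw new Error(`unknown flow: ${flow}`);
  const uv = overrides.userVerification ?? defaults.userVerification;
  if (!UV_FLAGS.has(uv)) throw new Error(`invalid userVerification: ${uv}`);
  const residentKey = overrides.requireResidentKey ?? defaults.requireResidentKey;
  if (flow === "passwordless" && uv !== "required") {
    // Passwordless login has no separate password factor; the authenticator PIN
    // (user verification) is what keeps it multi-factor, so it must stay required.
    throw new Error("passwordless flow needs userVerification=required");
  }
  return {
    publicKey: {
      rp: { name: "WebAuthn Library", id: rpId },
      user: { id: new TextEncoder().encode(userName), name: userName, displayName: userName },
      challenge, // server-generated random bytes, supplied by the caller
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        userVerification: uv,
        requireResidentKey: residentKey,
        residentKey: residentKey ? "required" : "discouraged",
      },
      attestation: "indirect",
      timeout: 30000,
      excludeCredentials: [],
    },
  };
}

// Flags the combination the thread identifies as timing out in Linux Firefox:
// a resident-key registration with userVerification "preferred".
function isKnownProblemCombo(options) {
  const sel = options.publicKey.authenticatorSelection;
  return sel.requireResidentKey === true && sel.userVerification === "preferred";
}
```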

Could you test the process here webauthn.io and go under Advanced Settings and set User Verification to Preferred. The same bug you mentioned should occur.

It didn't. Works fine.

itkfm avatar Jun 02 '22 11:06 itkfm

@itshappyli It looks like all the issues with WebAuthn are fixed now, do you agree? If yes, can you close the issue?

snevas avatar Aug 08 '22 09:08 snevas