wax icon indicating copy to clipboard operation
wax copied to clipboard
verified publisher icon tanguilp

Can we use this to migrate existing U2F keys?

Open gdgp opened this issue 3 years ago • 7 comments

Hi @tanguilp !

Thank you for all the work put into building this library.

Since I have previously registered U2F keys I was wondering if this library would be able to support the migration of existing keys.

Thanks in advance

gdgp avatar Jan 24 '22 18:01 gdgp

Existing keys remain valid but the appid extension has to be supported, which is not currently the case in Wax. Doesn't seem to be very complicated to do, but can't guarantee it isn't and I'd like to implement a framework for extension as a whole.

Is it related to an incoming U2F Chrome deprecation or something?

tanguilp avatar Jan 24 '22 20:01 tanguilp

I see, I though that would be the case.

Is it related to an incoming U2F Chrome deprecation or something?

Yes, I was trying to migrate existing user keys seamlessly, but I think I will probably skip that for now then.

Looking forward for the extension framework and thanks for the quick reply!

gdgp avatar Jan 25 '22 09:01 gdgp

If I understood correctly, U2F is deprecated since Chrome 95 and will be disable in the coming weeks (or months?) in Chrome 98, right?

It doesn't look like a complicated feature to implement, but I'm trying to asses the urgency and the impact.

tanguilp avatar Jan 25 '22 09:01 tanguilp

Yes, it will be disabled next month, not sure about the impact in the beginning of February. When using a hardware key some people receive a prompt asking if they want to allow it with the following warning (translated from original language):

"This site will not be able to use U2F API after February 2022. If this site is yours you should update it to use Web Authentication API"

When looking into this post with a timeline we get (though not sure about how accurate it is):

M98 | February 2022 | Disable the U2F API by default; but keep it available to sites on the Deprecation Trial

I'm not sure what the "Deprecation Trial" means, maybe some simple warning or maybe an extra security step/warning, e.g. when a site is using a self-signed certificate.

gdgp avatar Jan 25 '22 10:01 gdgp

Anyway, I'd need a test case for this, so if you can provide me with a authentication response using appid that'd help a lot.

tanguilp avatar Jan 25 '22 12:01 tanguilp

I would, but to be honest I was not able to generate one, I just did an initial try by generating a challenge with this library (which is probably wrong and should do it with the old one), and used the key_handle from u2f for the id in the allowCredentials, but somehow it always failed.

I have to say that this was entirely exploratory and I don't understand all the details of the standard, so there might have also been some simple errors from my part, even in converting data between representations. If you have a suggestion for me to generate one I can give it a go.

I did find some references in ruby that could be useful if I were to try and actually do it myself and which could help in this situation like:

  1. Demo that goes from U2F to WebAuthn - link
  2. Migration guide - link

gdgp avatar Jan 25 '22 16:01 gdgp

Maybe you've got more info here: https://www.stackallocated.com/blog/2019/u2f-to-webauthn/#pitfalls and the following section.

Not much time to work on it this week, so let me know if you can generate a valid response that I can include in tests as a starting point.

tanguilp avatar Jan 25 '22 17:01 tanguilp