
U2F support in the future versions of Chrome #423

Open
dziudek opened this issue Nov 11, 2021 · 41 comments · May be fixed by #427

Comments

@dziudek

dziudek commented Nov 11, 2021

Hi,

Today I have seen in my JS console the following warning while I was logging in using my Yubikey:

The U2F Security Key API is deprecated and will be removed soon. If you own this website, please migrate to the Web Authentication API. For more information see https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A/m/yg20tsVFBAAJ

Does it mean that next year security keys won't work at all with your plugin?

@innertruth

I don't get this message in the JS Console, I get a dialog for this message with the same text asking to block or give access. But issue #232 is, I think, a solution for this; maybe the maintainer can merge the code and 'bake' a new release.

@BackSeat

I'm seeing this as a popup rather than in the JS console.

Is this likely to be resolved before 1 February?

Thanks.

@dziudek
Author

dziudek commented Nov 25, 2021

@BackSeat - I can confirm - after latest Chrome update (v.96) I also get the notice about February 2022

@westonruter
Member

I just got it as well:

(screenshot: the Chrome deprecation notice)

@blogtutor

Is anyone on the plugin development team aware of this issue yet? Looks like it's going to be a big mess come February, if the plugin isn't changed over to the Web Authentication API by then.

@bemyhre

bemyhre commented Nov 30, 2021

This is an issue for me, as well. It sounds like this plugin will become useless for me in Feb. Even now, I cannot register my key on new things.

@timarney

timarney commented Dec 6, 2021

Noting a few folks have posted here as well:
https://wordpress.org/support/topic/u2f-api-deprecation-message/

@pjv
Contributor

pjv commented Dec 22, 2021

Google documentation for the deprecation: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A

This will break logging in to wordpress for anyone using this plugin with a U2F security key in a chromium-based browser after February.

@supawiz6991

Any update on this? We are currently 3 weeks from February...not knowing when the update will be hitting that will remove the U2F API means we could be in a real mess sooner than later.

@kasparsd
Collaborator

I personally haven't had time to work on this, unfortunately.

The tricky thing is that the two-factor plugin is currently available on both WP.org and Packagist.org, which mirrors this source repo; however, adding WebAuthn will probably need some helper JS libraries to be added via npm (along with build tooling), so we'll need to either keep tracking the built assets as part of the repo or create a dedicated release repo which contains the built assets and map it to the Packagist source.

Happy to support with reviewing a pull request if anyone is up for creating one.

Relating this to #232.

@kasparsd
Collaborator

Here is some existing art from @mcguffin https://github.com/mcguffin/two-factor-webauthn

Looks like we'll need to pull in both external JS and PHP dependencies (and potentially even PHP extensions) for this to work.

@jeffpaul jeffpaul added this to the 0.8.0 milestone Jan 12, 2022
@mcguffin

@kasparsd I'd be happy to craft a PR.

I just managed to get rid of one of the large dependencies in mcguffin/two-factor-webauthn. The other ones are easy to refactor. The PR should introduce about 2k new lines of PHP and 500 lines of JS.

Minimum PHP would increase to 7.2 (according to phpcompatinfo), but luckily no PHP extensions are necessary other than the ones WP requires anyway.

@norbusan

Just FYI, since I am using Edge Beta I am already hit by the deprecation. I have added Wp-WebAuthn plugin and that allowed me to log in via direct webauthn authentication via my yubikey, while this plugin is still active. This might be an alternative route.

@jeffpaul
Member

@mcguffin would gladly welcome a PR to help out here! 🙏🏼

@mcguffin mcguffin linked a pull request Jan 21, 2022 that will close this issue
@sjinks
Contributor

sjinks commented Jan 24, 2022

👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Please feel free to get some ideas from my implementation (in addition to U2F, it supports user verification (this is configurable), authenticator attachment requirement (also configurable), and properly validates the signature counter). I have successfully tested it in both normal and WP VIP environments.

I am not going to compete with @mcguffin and create another PR; my implementation differs in spirit from the rest of Two Factor and I don't have time to rewrite it anyway :-)

@pjv
Contributor

pjv commented Jan 24, 2022

> 👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Tested. Works great.

@sjinks do you have any plans to upload your implementation to the WordPress plugin archive for updating (subscribed to notifications on releases in your repo in the mean time)?

@kasparsd
Collaborator

> Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

That's a nice feature! It would be great if we could provide a 100% seamless upgrade path to all users, maybe even default to the WebAuthn authenticator as the plugin update is released.

@mcguffin

@kasparsd @sjinks I like the migration of legacy keys too and would be ready to adapt #427 accordingly this week.
I think from a usability perspective it could make sense to build WebAuthn support directly into the U2F FIDO provider and drop the extra WebAuthn provider entirely.
Maybe some more opinions on this?

@sjinks
Contributor

sjinks commented Jan 24, 2022

> It would be great if we could provide a 100% seamless upgrade path to all users

@kasparsd the only issue is that there are only a couple of WebAuthn implementations supporting U2F.

webauthn-server supports it and probably webauthn-lib (in the Hard Way, but it was too hard for me as it required much more time than I could invest). The other implementations I tested (webauthn by Lucas Buchs and webauthn by David Earl) don't because they don't support the AppID extension properly (they fail upon the RpID signature check).

@sjinks
Contributor

sjinks commented Jan 24, 2022

@pjv yes; I am planning to get a couple of peer reviews/code reviews this week and address the found issues. After that, I will upload the plugin to WP.org. In the meantime, you can grab the plugin zip file from the Releases page.

@jeffpaul jeffpaul linked a pull request Jan 24, 2022 that will close this issue
@sjinks
Contributor

sjinks commented Jan 28, 2022

@pjv https://wordpress.org/plugins/two-factor-provider-webauthn/

@BackSeat

The plugin has stopped working for me now.

@dziudek
Author

dziudek commented Feb 10, 2022

@BackSeat - it stopped working for everyone who is using Chrome 98 or browsers on the same engine. For me Firefox works as a fallback at this moment.

@westonruter
Member

OTP codes still work fine.

@dziudek
Author

dziudek commented Feb 10, 2022

@westonruter - right, I have also added OTP as an alternative just in case, but if somebody used only physical keys, then he cannot log in on Chrome and Chromium-based browsers anymore.

@sjinks
Contributor

sjinks commented Feb 10, 2022

@dziudek you can use this addon to Two Factor until #427 gets merged.

@jimmiedave

jimmiedave commented Oct 27, 2022

This is affecting me now in Chrome. My Yubikey won't work in Chrome on macOS, and since it won't work in Chrome on ChromeOS, I can't get into my Wordpress sites on my Chromebook without using my fallback auth.

Yubikey on Chrome/ChromeOS works fine with other sites that have moved to FIDO2 (forgive me if I have the wrong standard here, I'm not deep on the background of the Yubikey).

Yubikey works fine to log into Chromebook with 2FA. Just not this WP plugin.

Using:

macOS:    Google Chrome: Version 106.0.5249.119 (Official Build) (x86_64)
ChromeOS: Google Chrome: Version 107.0.5304.51 (Official Build) beta (64-bit)

N.B. - this Yubikey still works fine on Firefox (which I'm using nearly all the time) with the released two-factor plugin. Please don't remove U2F from releases until you have a replacement that works!

@iandunn
Member

iandunn commented Nov 2, 2022

WebAuthn/FIDO2 is being added in #427 , and the existing FIDO1 keys may be migrated (see #439). Those are both scheduled for the 0.8.0 release.

@Frederick888

Frederick888 commented Feb 22, 2023

I'm using Firefox 111.0b4, and U2F fails with

u2f.sign() is deprecated and will be removed at a future date. Use navigator.credentials.get() instead. fido-u2f-login.js:8:5
Registration Failed 1 fido-u2f-login.js:10:19

I'm not sure why this happens. There is [1] but my security.webauth.u2f is still true.

But anyway, I won't be surprised if Firefox also drops U2F completely soon.

[1] https://hg.mozilla.org/mozilla-central/rev/c2c5479b5bf0

Edit: It's working again in 111.0b8.

@nursoda

nursoda commented Jun 4, 2023

I don't get it. What's holding anyone back from merging #491? Wouldn't that fix it?

@iandunn
Member

iandunn commented Jun 5, 2023

No, we need to merge #427 (or an alternative) to make keys work (regardless of whether they were registered in the past with U2F, or today with WebAuthn). #491 is just to migrate existing U2F keys to WebAuthn keys.

If you read through #427 you'll see some of the complexity involved. In the meantime, https://wordpress.org/plugins/two-factor-provider-webauthn/ is a good workaround.

@dziudek
Author

dziudek commented Jun 15, 2023

Unfortunately the recently released Firefox 114, as the last popular browser, fully removed legacy U2F support, so it would be nice to implement WebAuthn :(

@jimmiedave

  1. Wow this is awful. Can't get into the site with my Yubikey.
  2. The "two-factor-provider-webauthn" broke my site when I tried to install it a couple weeks ago. It's a pretty-close-to-vanilla WP site with minimal plugins and a venerable theme. It's no workaround if it doesn't work.
  3. With great respect for the fact I got awesome software for zero dollars, and that you guys do this out of generosity and interest only, would you please merge something that unbreaks this?

@sjinks
Contributor

sjinks commented Jun 15, 2023

@jimmiedave

> The "two-factor-provider-webauthn" broke my site when I tried to install it a couple weeks ago. It's a pretty-close-to-vanilla WP site with minimal plugins and a venerable theme. It's no workaround if it doesn't work.

Could you please share your configuration? You can email me at [email protected] if there's something you don't want to share publicly.

@jimmiedave

jimmiedave commented Jun 15, 2023

Apache2.4.56, WP 6.2.2, PHP 7.4.33 en-us language/locale
Two Factor 0.8.1

I disabled every plugin but Two Factor 0.8.1, and installed webauthn provider for two factor
Logged in, password, got the "trouble with site" screen.
(screenshot: the WordPress error screen)
apache2 error log had:
[Thu Jun 15 21:34:13.793879 2023] [php7:error] [pid 3870468] [client 1.2.3.4:56068] PHP Fatal error: Uncaught Error: Call to undefined function mb_strtolower() in /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php:93
Stack trace:
#0 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php(41): WildWolf\WordPress\TwoFactorWebAuthn\Vendor\MadWizard\WebAuthn\Web\Origin::parseElements()
#1 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Config/RelyingParty.php(34): WildWolf\WordPress\TwoFactorWebAuthn\Vendor\MadWizard\WebAuthn\Web\Origin::parse()
#2 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/inc/class-utils.php(34): WildWolf\WordPress\TwoFactorWebAuthn\Vendor\MadWizard\WebAuthn\Config\RelyingParty->__construct()
#3 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/inc/class-webauthn-provider.php(80): WildWolf\WordPress\TwoFact in /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php on line 93, referer: https://{web site}/wp-login.php?loggedout=true&wp_lang=en_US

(In case it's not clear {path_to_site} and {web site} as well as 1.2.3.4 for the IP address are my personal data obfuscations.)

I deleted {webauthn...} directory from wp-content/plugins, reloaded page and was asked for my key. I clicked to enter my backup auth method, entered it and got in.

Re-enabled my plugins to where they were, changed my theme from Themify Simfo (very old, maybe 2011, but continuously maintained and updated on my site) to the WordPress 2023 default theme. Reinstalled the {webauthn...} plugin, logged out, logged back in.

Result: Same error message on screen, identical log line (except for date/time/port).

Deleted {webauthn...} plugin directory from folder and got my site back up again in the same manner, and put the theme back on.

HTH.

@adlerweb

> Call to undefined function mb_strtolower()

Looks like you're missing mbstring (php7.4-mbstring), which seems to be required to run this plugin. You might want to check the list of "highly recommended" Extensions to be sure your server can handle Wordpress and plugins properly.

@jimmiedave

Thanks for that info. I installed the recommended extension and the "interim step" is working.

Sorry for my misfire.
