Support W3C Web Authentication #232
Comments
|
Please support webauthn. Currently only Chrome is supported by your plugin, which pushes the Chrome monopoly even further. By supporting webauthn, you don't force people to use Chrome. |
|
@PHPGangsta That's not the case. You can use Google Authenticator with any browser, and you can use U2F with Firefox (I do, every single day) - although at the moment it's not enabled by default. |
|
@pwaring So you can use the "Two Factor" Wordpress plugin with a plain Firefox and webauthn/U2F? I'm using "WordPress 5.0.3" and "Two Factor 0.3.0" and Firefox 64. I get this in my Wordpress if I want to activate U2F for a Wordpress user: Which is clear: This Plugin only supports Chrome as a U2F browser, not all (via webauthn). I'm asking that webauthn is added to the "Two Factor" Wordpress plugin, so you can use U2F in Firefox without any plugins. Maybe you have installed the "U2F" Firefox-Addon which adds the old non-standard U2F functionality that Chrome supported for a few years? |
|
@PHPGangsta What you said was: "Currently only Chrome is supported by your plugin". That's not the case - you can use this plugin with Firefox and other browsers, either by using TOTP (through Google Authenticator or a similar app) or by enabling U2F in Firefox. You can enable U2F in Firefox by going to |
|
@pwaring This whole ticket is about U2F. I know that the Google Authenticator works with Chrome. But we are talking about U2F/webauthn in this ticket. I have U2F devices, and would like to use them on plain Firefoxes (desktop + mobile). That's only possible if the "Two Factor" Plugin supports webauthn, or you have a "U2F Firefox Addon" installed (which I don't have on all computers/mobile phones where I will use U2F). The setting "security.webauth.u2f" is set to "true" in my browser (maybe because of tests years ago with the U2F-Addon), I still get the error message that I should use Chrome: Are you sure that you don't have the U2F-Addon installed in your Firefox? |
|
@PHPGangsta Yeah, the error message is misleading because there is no standard way of detecting U2F support in browsers. This is how we're currently checking for that: |
|
If you would support webauthn, the feature-check is: If you are using U2F in Firefox, you are using the Firefox Addon, not webauthn. |
|
U2F works in Firefox with no plugins if you enable the setting in |
|
@PHPGangsta U2F and webauthn are different things, although compatible. Do you know a more reliable way for detecting U2F support? |
|
@kasparsd As far as I know, there is no better feature detection for the "old U2F API", that's why all websites rely on "User Agent parsing", which is bad. Now, even if Firefox supports "the old U2F API" with the config-change, you have a lot of software in place with User-Agent-Detection instead of Feature-Detection. That's why webauthn is there, standardized by the W3C, with a proper feature detection mechanism. @pwaring OK, understood. I clicked the button "register new key" (ignoring the warning), and it worked in Firefox if But it's not working with a "Standard Firefox" (without internal config changes). Not everybody likes to edit about:config... That "old U2F API" in Firefox is not enabled by default, it's inofficial, and should not be used. webauthn should be used. webauthn is the future, which all major browsers support "by default" (without changing internal configs). Safari is the last one working on it. Instead of using the "old U2F API", the new standardized webauthn API should be used everywhere, so it works in all browsers without any hidden config changes. It's compatible with the old tokens which were generated by the "old U2F API" when using the webauthn appid-extension. I am currently using the following library to use webauthn in a project: I didn't want to create lots of discussion here, I just wanted to say that everybody should switch to webauthn as quickly as possible, so the "old U2F API" will go away. It's a pain, like an Internet Explorer feature from 2005: Quick solution to a problem, but many years later you have big pain because of that non-standard thing still being used, with user-agent-detection being a problem. |
|
You can let U2F and webauthn coexist first. |
|
Thanks for sharing |
|
I'd love to work on bringing Webauthn to WP :) |
|
Something new here? I would love to use FIDO2 on my website :-) |
|
Making progress, slowly but steadily :)
|
|
Any progress on this? I'd REALLY like to be able to use my fido tokens with safari. |
|
@fallingrock I just released Two Factor WebAuthn which is a WebAuth extension for the Two Factor plugin. It's based on the davidearl/webauthn library @PHPGangsta mentioned earlier. I am not yet certain about the future of the plugin. I'd be willing to maintain and release it on wporg once ready and tested. There are some composer dependencies in 2F Webauth and the JS is written in ESNEXT, which might be or no a no-go here. I'd be happy to discuss the issues and make changes to whatever is required. |
|
I am also hugely in favor of this especially as in combination with user verification you could go passwordless (aka enter your username, submit, and then authenticate to your Device using a PIN fingerprint or similar) and with resident keys even usernameless (where you just click a button instead of submitting your username) |
|
I'd also really like to be able to use my YubiKey with Safari. Unfortunately, it doesn't even work with the extension https://github.com/Safari-FIDO-U2F/Safari-FIDO-U2F. Does anyone have a solution to make it work? |
|
maybe if it's only users that have FIDO2 available with WP you can try this WP plugin instead. I made my blog passwordless with that which is pretty nice. |
I'm looking at that plugin. My only issue is that I'd also like to be able to use an authenticator app, as I don't always use a device that can handle a hardware key. |
You should be able to run both this plugin and wp-webauthn concurrently, giving you both WebAuthn, plus all the methods the two-factor plugin supports. |
are you referring to your phone? if you can log in even once (e.g. by not enforcing fido for a hot second), depending on the phone you can register itself as a Device as webauthn is supported directly on several android and a few ios versions |
|
I would also support to have W3C Web Authentication directly integrated in the two factor plugin. It is pretty much standard and one can use FIDO2 keys with PIN (e.g. Nitrokey, Yubikey). Additionally, people can use personal devices and advanced authentication (e.g. Windows Hello, FaceID etc.). I do not want to install 10 different plugins for different types of authentication. Hence, I really like and appreciate what the developers of the two factor plugin did. |
|
Whilst I know not everyone likes Google Chrome, I have been using Two Factor for some time with U2F tokens and Chrome is now issuing a warning that U2F will no longer be supported in February 2022. So I add my support to the inclusion of WebAuthn (which is I believe backward compatible with U2F?) as a method within this plugin for those who don't want to go pure passwordless with Webauthn. |
|
Sup webauthn can be basically used in 3 what i call 'modes'
|
|
I'm seeing the same problem described in #301 (marked as duplicate to this issue) here: My FIDO2 key is set as a second factor, which is correctly requested when logging in on a PC (Firefox), but there is no prompt to authenticate on Android (also Firefox). Is this still an issue of the plugin not supporting FIDO2 but only U2F (which Firefox/PC may support, but Firefox/Android does not?) |
Correct, there's no Android API for U2F in browsers, so Firefox could not implement it. |
|
but chrome on android does iirc I thought android has u2f support (which similarly to windows 10 1903+ is piped through something on the OS to also include platform authenticators) |
It does, but it is not exposed for even allowlisted browser applications to access, only Chrome. (Source: I'm the author for Firefox and an editor on the spec) |
|
Now that Apple has announced its Passkey implementation of Webauthn I'd really love to see this make its way into the plugin. Not just two factor, but as passwordless. |
|
@alexclst i think it would be useful to check the plugin below, as it's already made for pwless, both with and without resident keys. not sure how many changes this plugin would need for pwless. |
|
@My1 thanks, that helps, but that took extra work setting up gmp on the server. Got it working, though. |
iThemes Security Pro has also added passkey support per https://ithemes.com/blog/passkeys-biometric-login-wordpress/, if we're looking at existing options that provide this. Also, https://www.passwordless.dev/ (now part of BitWarden's efforts per https://bitwarden.com/blog/bitwarden-extends-passwordless-leadership-with-acquisition/ and on GitHub at https://github.com/passwordless) could be a decent option to consider or at least look into for passkeys. |
|
For what it's worth, we've been using @sjinks's add-on plugin on many client sites so that we can continue to use our Yubikeys. It's been working great for everyone on our team. Might be worth considering merging into Two Factor? https://wordpress.org/plugins/two-factor-provider-webauthn/ |
|
Now that BitWarden (and others) have rolled out Passkey support, this might warrant further consideration & effort to include as an authentication method that's natively supported by this plugin without relying on something like https://wordpress.org/plugins/two-factor-provider-webauthn/ to include the new authentication standard. |
WebAuthn is supported in Firefox 60, and supported shortly in Chrome 67 and Edge 18, providing a cross-browser support that is the spiritual successor to U2F.
It's possible to migrate U2F users and their credentials to WebAuthn, but also possible to run U2F and WebAuthn side-by-side as separate modules.
MDN: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
Spec: https://www.w3.org/TR/webauthn/
The text was updated successfully, but these errors were encountered: