U2F support in the future versions of Chrome #423
Comments
I don't get this message in the JS Console, I get a dialog for this message with the same text asking to block or give access. But issue 232 is I think a solution for this, maybe the maintainer can merge the code and 'bake' a new release. |
I'm seeing this as a popup rather than in the JS console. Is this likely to be resolved before 1 February? Thanks. |
@BackSeat - I can confirm - after latest Chrome update (v.96) I also get the notice about February 2022 |
Is anyone on the plugin development team aware of this issue yet? Looks like it's going to be a big mess come February, if the plugin isn't changed over to the Web Authentication API by then. |
This is an issue for me, as well. It sounds like this plugin will become useless for me in Feb. Even now, I cannot register my key on new things. |
Noting a few folks have posted here as well: |
Google documentation for the deprecation: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A This will break logging in to WordPress for anyone using this plugin with a U2F security key in a chromium-based browser after February. |
Any update on this? We are currently 3 weeks from February...not knowing when the update will be hitting that will remove the U2F API means we could be in a real mess sooner than later. |
I personally haven't had time to work on this, unfortunately. The tricky thing is that the two-factor plugin is currently available on both WP.org and Packagist.org which mirrors this source repo, however, adding webauthn will probably need some helper JS libraries to be added via npm (along with build tooling) so we'll need to either keep tracking the built assets as part of the repo or create a dedicated release repo which contains the built assets and map it to the Packagist source. Happy to support with reviewing a pull request if anyone is up for creating one. Relating this to #232. |
Here is some existing art from @mcguffin https://github.com/mcguffin/two-factor-webauthn Looks like we'll need to pull in both external JS and PHP dependencies (and potentially even PHP extensions) for this to work. |
@kasparsd I'd be happy to craft a PR. I just managed to get rid of one of the large dependencies in mcguffin/two-factor-webauthn. The other ones are easy to refactor. The PR should introduce about 2k new lines of PHP and 500 lines of JS. Minimum PHP would increase to 7.2 (according to phpcompatinfo), but luckily there are no other PHP extensions necessary than the ones WP requires anyway. |
Just FYI, since I am using Edge Beta I am already hit by the deprecation. I have added Wp-WebAuthn plugin and that allowed me to log in via direct webauthn authentication via my yubikey, while this plugin is still active. This might be an alternative route. |
@mcguffin would gladly welcome a PR to help out here! 🙏🏼 |
👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file). Please feel free to get some ideas from my implementation (in addition to U2F, it supports user verification (this is configurable), authenticator attachment requirement (also configurable), and properly validates the signature counter). I have successfully tested it in both normal and WP VIP environments. I am not going to compete with @mcguffin and create another PR; my implementation differs in spirit from the rest of Two Factor and I don't have time to rewrite it anyway :-) |
Tested. Works great. @sjinks do you have any plans to upload your implementation to the WordPress plugin archive for updating (subscribed to notifications on releases in your repo in the meantime)? |
That's a nice feature! It would be great if we could provide a 100% seamless upgrade path to all users, maybe even default to the WebAuthn authenticator as the plugin update is released. |
@kasparsd @sjinks I like the migration of legacy keys too and would be ready to adapt #427 accordingly this week. |
@kasparsd the only issue is that there are only a couple of WebAuthn implementations supporting U2F. webauthn-server supports it and probably webauthn-lib (in the Hard Way, but it was too hard for me as it required much more time than I could invest). The other implementations I tested (webauthn by Lucas Buchs and webauthn by David Earl) don't because they don't support the AppID extension properly (they fail upon the RpID signature check). |
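The RP ID hash check that fails for legacy U2F keys when the AppID extension is ignored, together with the signature-counter validation mentioned in an earlier comment, as an added example that is not part of the thread, the plugin, or any library named in it. The site `example.test`, all function names and the sample authenticator data are constructed assumptions.

```javascript
// Added example: not code from Two Factor or any library named in the thread.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticatorData shorter than 37 bytes');
  }
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (buf[32] & 0x01) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// appidUsed is the client's extension output (getClientExtensionResults().appid).
function checkAssertion({ authData, rpId, appId, appidUsed, storedSignCount }) {
  const ad = parseAuthenticatorData(authData);
  // A key registered through U2F signs over SHA-256(AppID), not SHA-256(RP ID).
  const expected = sha256(appidUsed === true ? appId : rpId);
  if (!ad.rpIdHash.equals(expected)) return { ok: false, reason: 'rpIdHash mismatch' };
  if (!ad.userPresent) return { ok: false, reason: 'user presence flag not set' };
  // Counter must strictly increase unless both values are 0 (no counter support).
  const hasCounter = ad.signCount !== 0 || storedSignCount !== 0;
  if (hasCounter && ad.signCount <= storedSignCount) {
    return { ok: false, reason: 'signature counter did not increase' };
  }
  return { ok: true, newSignCount: ad.signCount };
}

// Constructed sample data (hypothetical site example.test, no real key involved).
function buildAuthData(hashedId, flags, counter) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(counter, 1);
  return Buffer.concat([sha256(hashedId), tail]);
}

const site = { rpId: 'example.test', appId: 'https://example.test' };
const legacy = buildAuthData(site.appId, 0x01, 42); // assertion from a U2F-era key
console.log(checkAssertion({ ...site, authData: legacy, appidUsed: true, storedSignCount: 41 }));
console.log(checkAssertion({ ...site, authData: legacy, appidUsed: false, storedSignCount: 41 }));
console.log(checkAssertion({ ...site, authData: legacy, appidUsed: true, storedSignCount: 42 }));
```

Signature, challenge and origin verification are left out; the block covers only the RP ID hash selection and the counter comparison.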
The plugin has stopped working for me now. |
@BackSeat - it stopped working for everyone who is using Chrome 98 or browsers on the same engine. For me Firefox works as a fallback at this moment. |
OTP codes still work fine. |
@westonruter - right, I have also added OTP as an alternative just in case, but if somebody used only physical keys, then he cannot log in on Chrome and Chromium-based browsers anymore. |
@dziudek you can use this addon to Two Factor until #427 gets merged. |
This is affecting me now in Chrome. My Yubikey won't work in Chrome on macOS, and since it won't work in Chrome on ChromeOS, I can't get into my WordPress sites on my Chromebook without using my fallback auth. Yubikey on Chrome/ChromeOS works fine with other sites that have moved to FIDO2 (forgive me if I have the wrong standard here, I'm not deep on the background of the Yubikey). Yubikey works fine to log into Chromebook with 2FA. Just not this WP plugin. Using:
N.B. - this Yubikey still works fine on Firefox (which I'm using nearly all the time) with the released two-factor plugin. Please don't remove U2F from releases until you have a replacement that works! |
I'm using Firefox 111.0b4, and U2F fails with
I'm not sure why this happens. There is [1] but my But anyway, I won't be surprised if Firefox also drops U2F completely soon. [1] https://hg.mozilla.org/mozilla-central/rev/c2c5479b5bf0 Edit: It's working again in 111.0b8. |
I don't get it. What's holding anyone back from merging #491? Wouldn't that fix it? |
No, we need to merge #427 (or an alternative) to make keys work (regardless of whether they were registered in the past with U2F, or today with WebAuthn). #491 is just to migrate existing U2F keys to WebAuthn keys. If you read through #427 you'll see some of the complexity involved. In the meantime, https://wordpress.org/plugins/two-factor-provider-webauthn/ is a good workaround. |
Unfortunately, the recently released Firefox 114, as the last popular browser, has fully removed legacy U2F support, so it would be nice to implement WebAuthn :( |
Could you please share your configuration? You can email me at [email protected] if there's something you don't want to share publicly. |
Looks like you're missing mbstring (php7.4-mbstring), which seems to be required to run this plugin. You might want to check the list of "highly recommended" Extensions to be sure your server can handle WordPress and plugins properly. |
Thanks for that info. I installed the recommended extension and the "interim step" is working. Sorry for my misfire. |
Hi,
Today I have seen in my JS console the following warning while I was logging in using my Yubikey:
It means that in the next year security keys won't work at all with your plugin?