Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

U2F Keys broken with WordPress 6.2 #553

Closed
openaiken opened this issue Apr 17, 2023 · 8 comments
Closed

U2F Keys broken with WordPress 6.2 #553

openaiken opened this issue Apr 17, 2023 · 8 comments

Comments

@openaiken
Copy link

Describe the bug

When I first installed this plugin, I was running 6.1 and the plugin version was 0.7.3. It worked perfectly then. Since then, my WordPress automatically updated to 6.2, and two-factor updated twice -- from 0.7.3 to 0.8.0, and then from 0.8.0 to 0.8.1.

When logging into an account that default's to U2F for the 2nd factor, the page loads directing the user to insert and press the key, but there is no longer a prompt for the key.

Alternate login methods still work if enabled for the user.

I bypassed the issue by logging into the backend, removing /public_html/wp-content/plugins/two-factor, logging in with just 1 factor, installing+activating the plugin again, and then editing both of my user accounts to have TOTP codes enabled as a backup. The behavior persists, but the backup option works so I'm good to go. Can't say the same for a user that posted ~3 days ago on the Wordpress.com forum.

Steps to Reproduce

  1. WordPress 6.2
  2. two-factor 0.8.1
  3. enable U2F keys for a user
  4. log out and test logging into that user

Screenshots, screen recording, code snippet

No response

Environment information

WP 6.2, using just the default Twenty Twenty-Three theme. I'm running WP in an Ubuntu sandbox via Virtualmin. I am running the most recent versions of Firefox and open-source Chromium on Manjaro (arch-based, stable branch) Linux, with Gnome.

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

@openaiken openaiken added the Bug label Apr 17, 2023
@openaiken
Copy link
Author

To clarify... I recognize that the plugin is not tested with 6.2. I am simply reporting that this particular feature seems to have been broken, as I did not see a similar report on the wp forum or on this project's issues.

The other plugins I have activated are just ActivityPub and NodeInfo, nothing else. Hope this helps!

Thank you so much for making this plugin to begin with.

@iandunn
Copy link
Member

iandunn commented Apr 17, 2023

Are you using U2F on any other sites? IIRC all the major browsers have already disabled it, so it won't work anywhere. We're updating the plugin to migrate to WebAuthn in #423 / #427, but it's not ready yet.

You could install https://wordpress.org/plugins/two-factor-provider-webauthn/ in the meantime, and your existing keys should still work.

Let me know if that's not the problem, though.

@openaiken
Copy link
Author

@iandunn you know what, I used "U2F" flippantly because that's what it read in the User Settings, but your comment made me realize that we're talking about FIDO/U2F versus FIDO2/WebAuthn, and that might be the difference.

Thanks for showing me the issues where you are upgrading. I will happily wait until y'all feel that it is ready.

@iandunn
Copy link
Member

iandunn commented Apr 18, 2023

Sounds good, thanks! 👍🏻

@guyru
Copy link

guyru commented May 25, 2023

If you're using firefox, you can still enable U2F by going to about:config and setting security.webauth.u2f to true

@openaiken
Copy link
Author

If you're using firefox, you can still enable U2F by going to about:config and setting security.webauth.u2f to true

thank you for this! I didn't know it was toggleable, this is a great workaround for now.

@guyru
Copy link

guyru commented Jul 9, 2023

The security.webauth.u2f workaround for Firefox seems to have stopped working :-(.

@openaiken
Copy link
Author

The security.webauth.u2f workaround for Firefox seems to have stopped working :-(.

Shot/chaser. Hate to see it :/ lol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants