
Sunset U2F in favor of WebAuthn #10375

Closed
codingllama opened this issue Feb 15, 2022 · 4 comments · Fixed by #17030
Assignees
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements platform-security

Comments

@codingllama
Contributor

What

Teleport supports WebAuthn since 8.x and we are fast moving to a passwordless world. It's time to sunset U2F.

How

The WebAuthn RFD talks about the U2F phase out, which is split in two phases:

  1. "u2f" mode is aliased to "webauthn" (U2F implementation effectively removed)
  2. "u2f" mode is removed

The original intent was to land 1. in Teleport 9, but time flies, so we are likely looking at releases 10 and 11, respectively.

@codingllama codingllama added the feature-request Used for new features in Teleport, improvements to current should be #enhancements label Feb 15, 2022
@codingllama codingllama self-assigned this Feb 15, 2022
@russjones
Contributor

@codingllama Can we migrate users from U2F to webauthn automatically? Or would this mean during an upgrade users would have to re-register?

@codingllama
Contributor Author

@codingllama Can we migrate users from U2F to webauthn automatically? Or would this mean during an upgrade users would have to re-register?

The change should be seamless for end-users - no re-registration or other actions.

We can tweak the details, but the current plan is: starting from v10 it's still possible to use "u2f" as a second_factor setting, but it emits a warning and seamlessly changes the backing implementation to WebAuthn (so no more "u2f" devices will be registered). We'll remove as much API surface as possible here. In v11 all "u2f" options and remaining APIs are removed; at this stage admins have to change from second_factor "u2f" to a supported setting ("on", "optional" and "webauthn" all work).

codingllama added a commit that referenced this issue Feb 23, 2022
Alias the "u2f" second factor mode to "webauthn", effectively sunsetting U2F in
favor of WebAuthn.

The change effectively disables "U2F mode" server-side, making Teleport use
WebAuthn instead. This is in line with our compatibility promise, as Teleport
8.x clients are already WebAuthn-capable (and thus have no problems talking to
the cluster).

I have cleaned up a good chunk of U2F references in lib/web and lib/client, plus
a few other places. Changes on lib/auth are just those necessary to get the tests
back to good standing. There is more work to be done, but this seems enough for
a single PR.

#10375

* Remove "Disabled" field from types.Webauthn
* Update generated protos
* Treat second_factor "u2f" as "webauthn"
* Remove references to Webauthn.Disabled
* Remove U2F from lib/web/
* Remove U2F from lib/client/
* Remove U2F from lib/auth/ (partially)
* Fix issues after rebase on master
* Fix typo
codingllama added a commit that referenced this issue Feb 24, 2022
Follows up on #10466 by removing remaining U2F references, including proto/gRPC
surface and the lib/auth/u2f package itself.

#10375

* Remove U2F from lib/auth/ (1)
* Remove U2F from lib/auth/ (2)
* Remove U2F from lib/auth/ (3)
* Remove U2F from lib/services/
* Remove U2F from tsh mfa add suggestions
* Remove U2F protos
* Update generated protos
* Cleanup a few stragglers
* Remove lib/auth/u2f package
* Fix references to auth.MFAAuthenticateChallenge
* Revert needless lib/auth/password.go change
* Update e/ to ad8fd4a (U2F cleanup)
* Fix stragglers from latest master rebase
* Fix lint and compile failures
@codingllama
Contributor Author

"u2f" mode is aliased to "webauthn" (U2F implementation effectively removed)

This is now complete. In addition, I've done a rather comprehensive cleanup. For v11 all that's left is clearing out the user-visible bits (constants.SecondFactorU2F, lib/config and maybe a few other places).

The more interesting decisions for v11 are:

  • What to do with the U2F App ID
  • What to do with legacy U2F devices in storage

The App ID has to remain, at least in some form, so legacy devices keep working. Migrating the U2F storage devices simplifies the code a bit, but it's not paramount.

@codingllama
Contributor Author

codingllama commented Feb 24, 2022

Remaining cleanup tasks

  • Update public documentation ("u2f" deprecated and aliased to "webauthn")

v11

  • Cleanup public-facing U2F configurations
  • Update public documentation ("u2f" not allowed)
  • Decide the fate of the U2F App ID (keep "u2f" stanza, alternative)
  • Decide the fate of storage U2F Devices (keep or migrate to WebauthnDevice)

codingllama added a commit that referenced this issue May 31, 2022
U2F facets don't serve a purpose since Webauthn became the de-facto MFA
mechanism. This should make it easier for users to write v10-style
authentication configs.

The remaining U2F fields are still relevant for when we derive Webauthn settings
from U2F, so those are kept (and validated).

Note that we still keep the fileconf field, since we don't want configs to
needlessly break during version upgrades.

#10375

* Remove references to U2F.Facets
* Remove Facets from U2F proto
* Reinstate proto Facets field

U2F gets marshaled as JSON to storage, so we better keep the field to
avoid issues with resource configs.

* Add deprecation notice on comment
* Update generated protos
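The two-phase policy laid out in the comment above (v10: second_factor "u2f" is accepted but aliased to "webauthn" with a warning; v11: "u2f" is rejected and admins must pick "on", "optional" or "webauthn") and the derivation of WebAuthn settings from the leftover U2F fields mentioned in this commit message are small enough to show together in Go. The block below is an added example, not Teleport's code: the AuthConfig type, the Normalize and RPIDFromAppID functions, the host-only derivation of webauthn.rp_id from u2f.app_id and the proxy.example.com sample values are all assumptions made for illustration. The legacy App ID is deliberately kept in the normalized config, matching the thread's point that it has to survive in some form so devices registered under U2F keep working.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthConfig is a constructed stand-in for the handful of auth_service
// settings discussed in the thread; it is not Teleport's real config type.
type AuthConfig struct {
	SecondFactor string // second_factor: "off", "otp", "u2f", "webauthn", "on", "optional"
	U2FAppID     string // legacy u2f.app_id, e.g. "https://proxy.example.com:3080" (sample value)
	WebauthnRPID string // webauthn.rp_id; derived from U2FAppID when left empty
}

// ErrU2FRemoved is returned once the "u2f" alias is no longer accepted (the v11 phase).
var ErrU2FRemoved = errors.New(`second_factor "u2f" is not supported; use "on", "optional" or "webauthn"`)

// RPIDFromAppID derives a WebAuthn RP ID from a legacy U2F App ID by keeping
// only the host: scheme, port and path are dropped (an assumption of this
// example, not a documented Teleport rule). A bare "host:port" is accepted too.
func RPIDFromAppID(appID string) (string, error) {
	raw := strings.TrimSpace(appID)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // url.Parse needs a scheme to recognise the host
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("invalid u2f.app_id %q: %w", appID, err)
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("u2f.app_id %q has no host to derive webauthn.rp_id from", appID)
	}
	return strings.ToLower(host), nil
}

// Normalize applies the phase-out policy. With allowU2FAlias (the v10 phase)
// "u2f" is rewritten to "webauthn" and a warning is emitted; without it (v11)
// "u2f" is rejected. In both phases a missing webauthn.rp_id is derived from
// u2f.app_id, and the App ID itself is left untouched for legacy devices.
func Normalize(cfg AuthConfig, allowU2FAlias bool) (AuthConfig, []string, error) {
	var warnings []string
	mode := strings.ToLower(strings.TrimSpace(cfg.SecondFactor))
	switch mode {
	case "u2f":
		if !allowU2FAlias {
			return cfg, nil, ErrU2FRemoved
		}
		warnings = append(warnings, `second_factor "u2f" is deprecated and treated as "webauthn"`)
		mode = "webauthn"
	case "off", "otp", "webauthn", "on", "optional":
		// accepted as-is
	default:
		return cfg, nil, fmt.Errorf("unknown second_factor %q", cfg.SecondFactor)
	}
	cfg.SecondFactor = mode

	needsWebauthn := mode == "webauthn" || mode == "on" || mode == "optional"
	if needsWebauthn && cfg.WebauthnRPID == "" {
		if cfg.U2FAppID == "" {
			return cfg, nil, errors.New("webauthn.rp_id is required (no legacy u2f.app_id to derive it from)")
		}
		rpID, err := RPIDFromAppID(cfg.U2FAppID)
		if err != nil {
			return cfg, nil, err
		}
		cfg.WebauthnRPID = rpID
		warnings = append(warnings, fmt.Sprintf("webauthn.rp_id derived from u2f.app_id: %q", rpID))
	}
	return cfg, warnings, nil
}

func main() {
	// Constructed legacy config: a v9-style "u2f" stanza with no webauthn section.
	legacy := AuthConfig{SecondFactor: "u2f", U2FAppID: "https://proxy.example.com:3080"}
	phases := []struct {
		name  string
		alias bool
	}{{"v10 (alias)", true}, {"v11 (removed)", false}}
	for _, p := range phases {
		out, warns, err := Normalize(legacy, p.alias)
		fmt.Printf("%s: err=%v second_factor=%q rp_id=%q\n", p.name, err, out.SecondFactor, out.WebauthnRPID)
		for _, w := range warns {
			fmt.Println("  warning:", w)
		}
	}
}
```

Running it shows the v10 pass succeeding with two warnings (the alias and the derived rp_id) and the v11 pass failing with ErrU2FRemoved, which is the "admins have to change second_factor" moment from the comment above.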
codingllama added a commit that referenced this issue Jul 6, 2022
Add a batch of public documentation changes that cover:

* Passwordless (new guide and various links)
* WebAuthn updates in regards to U2F
* U2F documentation removal (superseded by WebAuthn)
* Updated config reference (`teleport.yaml` and equivalents)
* Updated `tsh` reference

This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375).

#9160

Co-authored-by: Paul Gottschling <[email protected]>
codingllama added a commit that referenced this issue Jul 6, 2022
codingllama added a commit that referenced this issue Jul 6, 2022
…4163)

Add/update docs for passwordless, WebAuthn and U2F (#13314)

Add a batch of public documentation changes that cover:

* Passwordless (new guide and various links)
* WebAuthn updates in regards to U2F
* U2F documentation removal (superseded by WebAuthn)
* Updated config reference (`teleport.yaml` and equivalents)
* Updated `tsh` reference

This should cover the bulk of the work under Passwordless (#9160) and
U2F sunset (#10375).

Co-authored-by: Paul Gottschling <[email protected]>
codingllama added a commit that referenced this issue Oct 5, 2022
Address TODOs, add deprecation warnings and remove as many U2F code references
as possible.

Existing behavior is kept unaltered: it's still possible to inform Teleport of
old U2F AppIDs and U2F configurations are still silently converted to WebAuthn.
There's no reason to break that, so we don't.

Most server-side references to SecondFactorU2F are removed, but client-side
references remain: this makes it possible to interop newer clients with old
clusters (something else may break, but hopefully not this part).

Closes #10375.
rosstimothy added a commit that referenced this issue Jun 17, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however,
not all references were removed when working on
#10375. This eliminates
the last remaining inclusions of github.com/flynn/u2f and
github.com/flynn/hid from lib/client and drops all support of
falling back to U2F if client tools are not built with FIDO2
enabled.

In practice, this should only cause problems for people building
tsh/tctl locally without setting the correct build flags. All
release artifacts published should already be built with the
appropriate flags and not cause any issues as a result.

Updates #43112.
github-merge-queue bot pushed a commit that referenced this issue Jun 17, 2024
github-actions bot pushed a commit that referenced this issue Jun 17, 2024
rosstimothy added a commit that referenced this issue Jun 20, 2024
rosstimothy added a commit that referenced this issue Jun 20, 2024
rosstimothy added a commit that referenced this issue Jun 20, 2024
github-merge-queue bot pushed a commit that referenced this issue Jun 24, 2024
github-merge-queue bot pushed a commit that referenced this issue Jun 24, 2024
github-merge-queue bot pushed a commit that referenced this issue Jun 24, 2024