Sunset U2F in favor of WebAuthn #10375
Comments
@codingllama Can we migrate users from U2F to webauthn automatically? Or would this mean during an upgrade users would have to re-register?

The change should be seamless for end-users - no re-registration or other actions. We can tweak the details, but the current plan is: starting from v10 it's still possible to use "u2f" as a second_factor setting, but it emits a warning and seamlessly changes the backing implementation to WebAuthn (so no more "u2f" devices will be registered). We'll remove as much API surface as possible here. In v11 all "u2f" options and remaining APIs are removed; at this stage admins have to change from second_factor "u2f" to a supported setting ("on", "optional" and "webauthn" all work).
Alias the "u2f" second factor mode to "webauthn", effectively sunsetting U2F in favor of WebAuthn. The change effectively disables "U2F mode" server-side, making Teleport use WebAuthn instead. This is in line with our compatibility promise, as Teleport 8.x clients are already WebAuthn-capable (and thus have no problems talking to the cluster). I have cleaned up a good chunk of U2F references in lib/web and lib/client, plus a few other places. Changes on lib/auth are just the necessary to get the tests back to good standing. There is more work to be done, but this seems enough for a single PR. #10375

* Remove "Disabled" field from types.Webauthn
* Update generated protos
* Treat second_factor "u2f" as "webauthn"
* Remove references to Webauthn.Disabled
* Remove U2F from lib/web/
* Remove U2F from lib/client/
* Remove U2F from lib/auth/ (partially)
* Fix issues after rebase on master
* Fix typo

Follows up on #10466 by removing remaining U2F references, including proto/gRPC surface and the lib/auth/u2f package itself. #10375

* Remove U2F from lib/auth/ (1)
* Remove U2F from lib/auth/ (2)
* Remove U2F from lib/auth/ (3)
* Remove U2F from lib/services/
* Remove U2F from tsh mfa add suggestions
* Remove U2F protos
* Update generated protos
* Cleanup a few stragglers
* Remove lib/auth/u2f package
* Fix references to auth.MFAAuthenticateChallenge
* Revert needless lib/auth/password.go change
* Update e/ to ad8fd4a (U2F cleanup)
* Fix stragglers from latest master rebase
* Fix lint and compile failures
This is now complete. In addition, I've done a rather comprehensive cleanup. For v11 all that's left is clearing out the user-visible bits (constants.SecondFactorU2F, lib/config and maybe a few other places). The more interesting decisions for v11 are:
The App ID has to remain, at least in some form, so legacy devices keep working. Migrating the U2F storage devices simplifies the code a bit, but it's not paramount.

Remaining cleanup tasks
v11
U2F facets don't serve a purpose since Webauthn became the de-facto MFA mechanism. This should make it easier for users to write v10-style authentication configs. The remaining U2F fields are still relevant for when we derive Webauthn settings from U2F, so those are kept (and validated). Note that we still keep the fileconf field, since we don't want configs to needlessly break during version upgrades. #10375

* Remove references to U2F.Facets
* Remove Facets from U2F proto
* Reinstate proto Facets field. U2F gets marshaled as JSON to storage, so we better keep the field to avoid issues with resource configs.
* Add deprecation notice on comment
* Update generated protos

Add a batch of public documentation changes that cover:

* Passwordless (new guide and various links)
* WebAuthn updates in regards to U2F
* U2F documentation removal (superseded by WebAuthn)
* Updated config reference (`teleport.yaml` and equivalents)
* Updated `tsh` reference

This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375). #9160 Co-authored-by: Paul Gottschling <[email protected]>

…4163) Add/update docs for passwordless, WebAuthn and U2F (#13314)

Add a batch of public documentation changes that cover:

* Passwordless (new guide and various links)
* WebAuthn updates in regards to U2F
* U2F documentation removal (superseded by WebAuthn)
* Updated config reference (`teleport.yaml` and equivalents)
* Updated `tsh` reference

This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375). Co-authored-by: Paul Gottschling <[email protected]>
Address TODOs, add deprecation warnings and remove as many U2F code references as possible. Existing behavior is kept unaltered: it's still possible to inform Teleport of old U2F AppIDs and U2F configurations are still silently converted to WebAuthn. There's no reason to break that, so we don't. Most server-side references to SecondFactorU2F are removed, but client-side references remain: this makes it possible to interop newer clients with old clusters (something else may break, but hopefully not this part). Closes #10375.
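The migration described in the comments and commit messages above (accept a legacy second_factor of "u2f" but warn and switch the backing implementation to "webauthn", derive WebAuthn settings from the legacy U2F configuration, keep the App ID so already-registered devices keep working, and ignore U2F facets) can be expressed as a small config normaliser. The Go code below is an added example written for this page; it is not Teleport's code, and the type names (AuthPreference, U2FConfig, WebauthnConfig), the function names and the rule that the WebAuthn RP ID is the host part of the U2F App ID are assumptions of this example, not the project's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical, simplified config shapes for this example (not Teleport's real types).
type U2FConfig struct {
	AppID  string   // legacy U2F App ID, e.g. "https://teleport.example.com:443"
	Facets []string // kept for config compatibility, but unused once WebAuthn is the mechanism
}

type WebauthnConfig struct {
	RPID string // WebAuthn Relying Party ID: a bare host name, no scheme or port
}

type AuthPreference struct {
	SecondFactor string
	U2F          *U2FConfig
	Webauthn     *WebauthnConfig
}

// Accepted second_factor values after aliasing. "u2f" is deliberately absent:
// it is rewritten to "webauthn" before this check runs.
var allowedSecondFactor = map[string]bool{
	"off": true, "otp": true, "on": true, "optional": true, "webauthn": true,
}

// rpIDFromAppID derives a WebAuthn RP ID from a legacy U2F App ID (assumed rule:
// the RP ID is the lower-cased host of the App ID URL). A bare host is accepted too.
func rpIDFromAppID(appID string) (string, error) {
	if !strings.Contains(appID, "://") {
		appID = "https://" + appID
	}
	u, err := url.Parse(appID)
	if err != nil {
		return "", fmt.Errorf("invalid u2f.app_id %q: %w", appID, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("u2f.app_id %q must use https", appID)
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops any ":port"
	if host == "" {
		return "", fmt.Errorf("u2f.app_id %q has no host", appID)
	}
	return host, nil
}

// NormalizeSecondFactor aliases second_factor "u2f" to "webauthn" (with a warning),
// derives webauthn.rp_id from u2f.app_id when no WebAuthn settings exist, keeps the
// legacy App ID untouched for already-registered devices, and drops U2F facets.
// The input is never mutated; a normalized copy plus the warnings are returned.
func NormalizeSecondFactor(in AuthPreference) (AuthPreference, []string, error) {
	out := in
	var warnings []string

	if strings.EqualFold(out.SecondFactor, "u2f") {
		warnings = append(warnings, `second_factor "u2f" is deprecated; using "webauthn" instead (no device re-registration needed)`)
		out.SecondFactor = "webauthn"
	}
	if !allowedSecondFactor[out.SecondFactor] {
		return AuthPreference{}, nil, fmt.Errorf("unsupported second_factor %q", out.SecondFactor)
	}
	if out.SecondFactor == "off" || out.SecondFactor == "otp" {
		return out, warnings, nil // no security-key settings needed
	}
	if out.Webauthn == nil {
		if out.U2F == nil || out.U2F.AppID == "" {
			return AuthPreference{}, nil, errors.New("webauthn settings required: neither webauthn.rp_id nor u2f.app_id is configured")
		}
		rpID, err := rpIDFromAppID(out.U2F.AppID)
		if err != nil {
			return AuthPreference{}, nil, err
		}
		out.Webauthn = &WebauthnConfig{RPID: rpID}
		warnings = append(warnings, fmt.Sprintf("derived webauthn.rp_id %q from u2f.app_id %q", rpID, out.U2F.AppID))
	}
	if out.U2F != nil && len(out.U2F.Facets) > 0 {
		u := *out.U2F // copy so the caller's struct is left alone
		u.Facets = nil
		out.U2F = &u
		warnings = append(warnings, "u2f.facets is ignored under WebAuthn and has been dropped")
	}
	return out, warnings, nil
}

func main() {
	// Constructed sample: a v9-style "u2f" config with no webauthn section.
	legacy := AuthPreference{
		SecondFactor: "u2f",
		U2F:          &U2FConfig{AppID: "https://teleport.example.com:443", Facets: []string{"https://teleport.example.com:443"}},
	}
	out, warnings, err := NormalizeSecondFactor(legacy)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("second_factor=%s rp_id=%s app_id=%s\n", out.SecondFactor, out.Webauthn.RPID, out.U2F.AppID)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
}
```

The point of returning warnings rather than failing is the v10 behaviour described above: an unchanged v9 config keeps working, operators see what was rewritten, and only the v11-style hard removal turns the "u2f" alias into an error.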
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
What
Teleport supports WebAuthn since 8.x and we are fast moving to a passwordless world. It's time to sunset U2F.
How
The WebAuthn RFD talks about the U2F phase out, which is split in two phases:
The original intent was to land 1. in Teleport 9, but time flies, so we are likely looking at releases 10 and 11, respectively.