Firesphere / silverstripe-yubiauth

Yubikey Authentication for SilverStripe CMS
BSD 3-Clause "New" or "Revised" License

Remove dependency on Yubico API, use PHP lib instead #14

Open chillu opened 6 years ago

chillu commented 6 years ago

We can't rely on a free third party service, since it doesn't guarantee us any uptime SLAs. It looks like we can do this ourselves in PHP, with an officially supported MIT-licensed lib: https://github.com/Yubico/php-u2flib-server

Firesphere commented 6 years ago

This dependency doesn't exist. It defaults to yubico, but allows for setting a custom endpoint.

chillu commented 6 years ago

Well, I don't want it to be an HTTP endpoint in the first place. My impression is that this PHP library above fulfils that purpose without the overhead of an HTTP endpoint?

Firesphere commented 6 years ago

The library mentioned is the U2F library. At the moment, although pretty easy to implement, this module relies on OTP validation (for which a local server can be set up as well). So the U2F library, at this moment, is not a replacement for the HTTP endpoint.

On top of that, supplying the option of an HTTP endpoint is something that is still needed, because Internet Explorer and Microsoft Edge do not support U2F. The only way around that while still using Yubikeys is OTP; hence an HTTP endpoint is required.

It is possible to run your own YubiVal and YubiStore, https://developers.yubico.com/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/
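Whichever OTP validation server the module talks to (YubiCloud or a self-hosted YubiVal), the client side still has to do its own checks on the signed key=value response, and it is those checks that decide whether a self-hosted or third-party endpoint can be trusted. The block below is an added example written for this page, not code from silverstripe-yubiauth or from Yubico's own libraries. It implements the request and response signing of Yubico's validation protocol v2.0 (HMAC-SHA1 over the alphabetically sorted `k=v&k=v` string, base64-encoded, with `h` excluded from the signed data), checks nonce and OTP echo, and checks that the OTP's public identity matches the key registered for the user, which is the check that stops a perfectly valid OTP from a different YubiKey being accepted. The HTTP call is replaced by a callable so it runs offline; `mock_validation_server`, the API key, the client id and the OTP are constructed stand-ins and are assumptions of the example, not real values.

```python
"""Client-side checks for the YubiCloud / YubiVal OTP validation protocol (v2.0).

Added example, not code from silverstripe-yubiauth or Yubico. The HTTP transport
is a callable so everything runs offline; mock_validation_server is a constructed
stand-in for YubiCloud or a self-hosted YubiVal and does no real OTP decryption.
"""
import base64
import hashlib
import hmac
import secrets

MODHEX = "cbdefghijklnrtuv"  # alphabet a YubiKey types its OTPs in


def otp_public_id(otp):
    """Public identity = everything before the final 32 encrypted characters.
    Raises ValueError for anything that is not a well-formed Yubico OTP."""
    if not 32 <= len(otp) <= 48 or any(c not in MODHEX for c in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32]


def sign(params, api_key_b64):
    """Protocol signature: HMAC-SHA1 over 'k=v&k=v' sorted by key, 'h' excluded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(client_id, otp, api_key_b64):
    nonce = secrets.token_hex(16)  # 32 chars; the protocol allows 16-40
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return params


def parse_response(text):
    out = {}
    for line in text.strip().splitlines():
        k, sep, v = line.partition("=")  # base64 'h' may itself end in '='
        if sep:
            out[k.strip()] = v.strip()
    return out


def check_response(resp, sent, api_key_b64):
    """Return (ok, reason). Every check here is one the client must do itself."""
    if "h" not in resp:
        return False, "unsigned response"
    if not hmac.compare_digest(sign(resp, api_key_b64), resp["h"]):
        return False, "bad signature"        # tampered in transit, or wrong shared key
    if resp.get("otp") != sent["otp"]:
        return False, "otp mismatch"         # answer belongs to another request
    if resp.get("nonce") != sent["nonce"]:
        return False, "nonce mismatch"       # replayed validation response
    if resp.get("status") != "OK":
        return False, resp.get("status", "missing status")
    return True, "OK"


def validate_otp(otp, expected_public_id, client_id, api_key_b64, transport):
    """Full client flow; transport(params) -> response text does the HTTP call."""
    try:
        if otp_public_id(otp) != expected_public_id:
            return False, "public id mismatch"  # valid OTP, but from someone else's key
    except ValueError as e:
        return False, str(e)
    sent = build_request(client_id, otp, api_key_b64)
    return check_response(parse_response(transport(sent)), sent, api_key_b64)


def mock_validation_server(params, api_key_b64, status="OK"):
    """Constructed stand-in for the validation server: checks the request
    signature and returns a signed key=value response (no OTP decryption)."""
    if not hmac.compare_digest(sign(params, api_key_b64), params.get("h", "")):
        status = "BAD_SIGNATURE"
    resp = {"t": "2024-01-01T00:00:00Z0000", "otp": params["otp"],
            "nonce": params["nonce"], "sl": "100", "status": status}
    resp["h"] = sign(resp, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in resp.items()) + "\r\n"


# Constructed demo values: not a real API key, client id, or a real key's OTP.
API_KEY = base64.b64encode(b"constructed demo api key").decode()
CLIENT_ID = 1
PUBLIC_ID = "cccccccbjnli"
DEMO_OTP = PUBLIC_ID + "cbdefghijklnrtuvcbdefghijklnrtuv"


def demo():
    good = lambda p: mock_validation_server(p, API_KEY)
    replayed = lambda p: mock_validation_server(p, API_KEY, status="REPLAYED_OTP")
    # An on-path relay that rewrites a rejection to OK without the shared key.
    forged = lambda p: mock_validation_server(p, API_KEY, status="BAD_OTP") \
        .replace("status=BAD_OTP", "status=OK")
    return {
        "good": validate_otp(DEMO_OTP, PUBLIC_ID, CLIENT_ID, API_KEY, good),
        "replayed": validate_otp(DEMO_OTP, PUBLIC_ID, CLIENT_ID, API_KEY, replayed),
        "forged": validate_otp(DEMO_OTP, PUBLIC_ID, CLIENT_ID, API_KEY, forged),
        "other_key": validate_otp(DEMO_OTP, "dddddddddddd", CLIENT_ID, API_KEY, good),
        "garbage": validate_otp("not-an-otp", PUBLIC_ID, CLIENT_ID, API_KEY, good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The public-id comparison happens before any request is sent, because the validation server only tells you whether the OTP is genuine and fresh, not whose key produced it; mapping the 12-character prefix to the user is the application's job. The signature check is what makes the choice of endpoint (YubiCloud or your own YubiVal) a question of availability rather than of trust in the network path, provided the shared API key stays secret.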

chillu commented 6 years ago

As discussed with Simon, we'll need U2F support, either through this module or a separate one. Yubikey OTP is phishable. But regardless, we'll need to run our own server for OTP. So while the initial library linked here is the wrong one, the ticket is still valid :)

brynwhyman commented 5 years ago

The free OTP authentication endpoint in question is: https://www.yubico.com/products/services-software/yubicloud/. We're moving away from the idea of running our own server for OTP based on the requirement that we'd need to create our own certificates and load them on to the physical hardware tokens. Implementing this as an open source feature would be a challenge to support.

We'll need some further questions answered before we can be satisfied with proceeding with this issue.