WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

U2F support in the future versions of Chrome #423

Open dziudek opened 2 years ago

dziudek commented 2 years ago

Hi,

Today I have seen in my JS console the following warning while I was logging in using my Yubikey:

The U2F Security Key API is deprecated and will be removed soon. If you own this website, please migrate to the Web Authentication API. For more information see https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A/m/yg20tsVFBAAJ

It means that in the next year security keys won't work at all with your plugin?

innertruth commented 2 years ago

I don't get this message in the JS Console, I get a dialog for this message with the same text asking to block or give access. But issue 232 is I think a solution for this, maybe the maintainer can merge the code and 'bake' a new release.

BackSeat commented 2 years ago

I'm seeing this as a popup rather than in the JS console.

Is this likely to be resolved before 1 February?

Thanks.

dziudek commented 2 years ago

@BackSeat - I can confirm - after latest Chrome update (v.96) I also get the notice about February 2022

westonruter commented 2 years ago

I just got it as well:

[Screenshot attached, 2021-11-29]

blogtutor commented 2 years ago

Is anyone on the plugin development team aware of this issue yet? Looks like it's going to be a big mess come February, if the plugin isn't changed over to the Web Authentication API by then.

bemyhre commented 2 years ago

This is an issue for me, as well. It sounds like this plugin will become useless for me in Feb. Even now, I cannot register my key on new things.

timarney commented 2 years ago

Noting a few folks have posted here as well: https://wordpress.org/support/topic/u2f-api-deprecation-message/

pjv commented 2 years ago

Google documentation for the deprecation: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A

This will break logging in to wordpress for anyone using this plugin with a U2F security key in a chromium-based browser after February.

supawiz6991 commented 2 years ago

Any update on this? We are currently 3 weeks from February...not knowing when the update will be hitting that will remove the U2F API means we could be in a real mess sooner than later.

kasparsd commented 2 years ago

I personally haven't had time to work on this, unfortunately.

The tricky thing is that the the two-factor plugin is currently available on both WP.org and Packagist.org which mirrors this source repo, however, adding webauthn will probably need some helper JS libraries to be added via npm (along with build tooling) so we'll need to either keep tracking the built assets as part of the repo or create a dedicated release repo which contains the built assets and map it to the Packagist source.

Happy to support with reviewing a pull request if anyone is up for creating one.

Relating this to #232.

kasparsd commented 2 years ago

Here is some existing art from @mcguffin https://github.com/mcguffin/two-factor-webauthn

Looks like we'll need to pull in both external JS and PHP dependencies (and potentially even PHP extensions) for this to work.

mcguffin commented 2 years ago

@kasparsd I'd be happy to craft a PR.

I just managed to get rid of one of the large dependencies in mcguffin/two-factor-webauthn. The other ones are easy to refactor. The PR should introduce about 2k new lines of PHP and 500 lines of JS.

Minimum PHP would increase to 7.2 (according to phpcompatinfo), but luckily no other PHP extensions are necessary than the ones WP requires anyway.

norbusan commented 2 years ago

Just FYI, since I am using Edge Beta I am already hit by the deprecation. I have added Wp-WebAuthn plugin and that allowed me to log in via direct webauthn authentication via my yubikey, while this plugin is still active. This might be an alternative route.

jeffpaul commented 2 years ago

@mcguffin would gladly welcome a PR to help out here! 🙏🏼

sjinks commented 2 years ago

👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Please feel free to get some ideas from my implementation (in addition to U2F, it supports user verification (this is configurable), authenticator attachment requirement (also configurable), and properly validates the signature counter). I have successfully tested it in both normal and WP VIP environments.

I am not going to compete with @mcguffin and create another PR; my implementation differs in spirit from the rest of Two Factor and I don't have time to rewrite it anyway :-)

pjv commented 2 years ago

👋🏽 I have developed yet another WebAuthn provider for Two Factor. Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

Tested. Works great.

@sjinks do you have any plans to upload your implementation to the WordPress plugin archive for updating (subscribed to notifications on releases in your repo in the mean time)?

kasparsd commented 2 years ago

Its main advantage is that it seamlessly integrates with the U2F FIDO provider without having the user register their keys again (there is a video in the README.md file).

That's a nice feature! It would be great if we could provide a 100% seamless upgrade path to all users, maybe even default to the WebAuthn authenticator as the plugin update is released.

mcguffin commented 2 years ago

@kasparsd @sjinks I like the migration of legacy keys too and would be ready to adapt #427 accordingly this week. I think from a usability perspective it could make sense to build WebAuthn support directly into the U2F FIDO provider and drop the extra WebAuthn provider entirely. Maybe some more opinions on this?

sjinks commented 2 years ago

It would be great if we could provide a 100% seamless upgrade path to all users

@kasparsd the only issue is that there are only a couple of WebAuthn implementations supporting U2F.

webauthn-server supports it and probably webauthn-lib (in the Hard Way, but it was too hard for me as it required much more time than I could invest). The other implementations I tested (webauthn by Lucas Buchs and webauthn by David Earl) don't because they don't support the AppID extension properly (they fail upon the RpID signature check).
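The two relying-party checks this thread keeps coming back to are the rpIdHash comparison (which is where an implementation without AppID extension support fails for keys registered under U2F) and signature counter validation (the clone detection sjinks mentions above). The following is an added illustration, not code from the Two Factor plugin or from any of the libraries named in the thread. It parses the fixed-length prefix of WebAuthn authenticator data, accepts the rpIdHash if it matches either SHA-256(rpId) or, when the client reported the appid extension as used, SHA-256(legacy AppID), and enforces a strictly increasing counter. The RP ID "example.com", the AppID "https://example.com" and the sample authenticator data are constructed for the demo; the assertion signature check over authData || SHA-256(clientDataJSON) is deliberately out of scope here.

```python
import hashlib
import struct

# Authenticator data layout (WebAuthn section 6.1):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional extensions/attestation
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_rp_id_hash(rp_id_hash: bytes, rp_id: str, legacy_app_id: str = None, appid_used: bool = False) -> str:
    """Return "rpid" or "appid" depending on which scope the hash matches.

    A U2F-registered key signs under SHA-256 of the legacy AppID URL, not of the
    RP ID, so a server that only compares against SHA-256(rpId) rejects every
    migrated key. The AppID path is only taken when the client reported the
    appid extension as used (clientExtensionResults.appid == true)."""
    if rp_id_hash == hashlib.sha256(rp_id.encode()).digest():
        return "rpid"
    if appid_used and legacy_app_id and rp_id_hash == hashlib.sha256(legacy_app_id.encode()).digest():
        return "appid"
    raise ValueError("rpIdHash matches neither the RP ID nor the legacy AppID")


def check_sign_count(stored: int, received: int) -> bool:
    """WebAuthn section 7.2 counter rule: if either value is non-zero the new
    counter must be greater than the stored one; a non-increasing counter is
    the signal for a cloned authenticator. Both zero means no counter support."""
    if stored == 0 and received == 0:
        return True
    if received > stored:
        return True
    raise ValueError("signature counter did not increase: possible cloned authenticator")


def verify_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                     legacy_app_id: str = None, appid_used: bool = False,
                     require_uv: bool = False) -> dict:
    """Run the scope, flag and counter checks; returns what the caller should persist."""
    parsed = parse_authenticator_data(auth_data)
    scope = check_rp_id_hash(parsed["rp_id_hash"], rp_id, legacy_app_id, appid_used)
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification required but UV flag not set")
    check_sign_count(stored_sign_count, parsed["sign_count"])
    return {
        "scope": scope,
        "new_sign_count": parsed["sign_count"],  # store this for the credential
        "user_verified": bool(parsed["flags"] & FLAG_UV),
    }


def make_auth_data(scope_source: str, flags: int, sign_count: int) -> bytes:
    """Constructed helper: build sample authenticator data for the demo (not real authenticator output)."""
    return hashlib.sha256(scope_source.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: a key registered via WebAuthn under the RP ID.
    modern = make_auth_data("example.com", FLAG_UP | FLAG_UV, 10)
    print(verify_assertion(modern, "example.com", stored_sign_count=9))
    # Constructed sample: a key originally registered via U2F under the AppID URL.
    legacy = make_auth_data("https://example.com", FLAG_UP, 3)
    print(verify_assertion(legacy, "example.com", 0, legacy_app_id="https://example.com", appid_used=True))
```

The same legacy sample fails if `appid_used` is left False, which is the behaviour described above for libraries that ignore the extension; and a replayed counter value raises rather than silently succeeding, so the caller can lock or flag the credential.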

sjinks commented 2 years ago

@pjv yes; I am planning to get a couple of peer reviews/code reviews this week and address the found issues. After that, I will upload the plugin to WP.org. In the meantime, you can grab the plugin zip file from the Releases page.

sjinks commented 2 years ago

@pjv https://wordpress.org/plugins/two-factor-provider-webauthn/

BackSeat commented 2 years ago

The plugin has stopped working for me now.

dziudek commented 2 years ago

@BackSeat - it stopped working for everyone who is using Chrome 98 or browsers on the same engine. For me Firefox works as a fallback at this moment.

westonruter commented 2 years ago

OTP codes still work fine.

dziudek commented 2 years ago

@westonruter - right, I have also added OTP as an alternative just in case, but if somebody used only physical keys, then he cannot log in on Chrome and Chromium-based browsers anymore.

sjinks commented 2 years ago

@dziudek you can use this addon to Two Factor until #427 gets merged.

dziudek commented 2 years ago

@kasparsd - any plans for releasing 0.8.0 with webauthn support?

kasparsd commented 2 years ago

Sorry for the delay everyone! I haven't been able to find time for this mentally and practically due to the recent world events and, recently, Putin's war in Ukraine.

If anyone is able to review the recent revisions of #427 and test them locally (especially how it works with the existing U2F keys), feel free to merge it in and tag a new release. Pushing it to WP.org is as simple as npm run deploy which will ask you for WP.org credentials that have commit access to the repo https://wordpress.org/plugins/two-factor/advanced/

I've added @jeffpaul as a committer to the repo (in addition to @georgestephanis) so he can now add other people.

corbolais commented 2 years ago

Hi there, thanks for all the time that went into two-factor. I'd prefer to stay with this plugin instead of (temporarily) switching to another plugin.

Any update so far?

cheers

jeffpaul commented 2 years ago

Noting from yesterday's bug scrub that @georgestephanis is going to attempt a separate PR that deprecates and removes the U2F legacy code, from there we can continue to determine the best path forward.

jimmiedave commented 1 year ago

This is affecting me now in Chrome. My Yubikey won't work in Chrome on macOS, and since it won't work in Chrome on ChromeOS, I can't get into my WordPress sites on my Chromebook without using my fallback auth.

Yubikey on Chrome/ChromeOS works fine with other sites that have moved to FIDO2 (forgive me if I have the wrong standard here, I'm not deep on the background of the Yubikey).

Yubikey works fine to log into Chromebook with 2FA. Just not this WP plugin.

Using:

macOS:    Google Chrome: Version 106.0.5249.119 (Official Build) (x86_64)
ChromeOS: Google Chrome: Version 107.0.5304.51 (Official Build) beta (64-bit)

N.B. - this Yubikey still works fine on Firefox (which I'm using nearly all the time) with the released two-factor plugin. Please don't remove U2F from releases until you have a replacement that works!

iandunn commented 1 year ago

WebAuthn/FIDO2 is being added in #427 , and the existing FIDO1 keys may be migrated (see #439). Those are both scheduled for the 0.8.0 release.

Frederick888 commented 1 year ago

I'm using Firefox 111.0b4, and U2F fails with

u2f.sign() is deprecated and will be removed at a future date. Use navigator.credentials.get() instead. fido-u2f-login.js:8:5 Registration Failed 1 fido-u2f-login.js:10:19

I'm not sure why this happens. There is [1] but my security.webauth.u2f is still true.

But anyway, I won't be surprised if Firefox also drops U2F completely soon.

[1] https://hg.mozilla.org/mozilla-central/rev/c2c5479b5bf0

Edit: It's working again in 111.0b8.

nursoda commented 1 year ago

I don't get it. What's holding anyone back from merging https://github.com/WordPress/two-factor/pull/491? Wouldn't that fix it?

iandunn commented 1 year ago

No, we need to merge #427 (or an alternative) to make keys work (regardless of whether they were registered in the past with U2F, or today with WebAuthn). #491 is just to migrate existing U2F keys to WebAuthn keys.

If you read through #427 you'll see some of the complexity involved. In the meantime, https://wordpress.org/plugins/two-factor-provider-webauthn/ is a good workaround.

dziudek commented 1 year ago

Unfortunately, the recently released Firefox 114, as the last popular browser, fully removed legacy U2F support, so it would be nice to implement WebAuthn :(

jimmiedave commented 1 year ago

  1. Wow this is awful. Can't get into the site with my Yubikey.
  2. The "two-factor-provider-webauthn" broke my site when I tried to install it a couple weeks ago. It's a pretty-close-to-vanilla WP site with minimal plugins and a venerable theme. It's no workaround if it doesn't work.
  3. With great respect for the fact I got awesome software for zero dollars, and that you guys do this out of generosity and interest only, would you please merge something that unbreaks this?

sjinks commented 1 year ago

@jimmiedave

The "two-factor-provider-webauthn" broke my site when I tried to install it a couple weeks ago. It's a pretty-close-to-vanilla WP site with minimal plugins and a venerable theme. It's no workaround if it doesn't work.

Could you please share your configuration? You can email me at volodymyr.kolesnykov@automattic.com if there's something you don't want to share publicly.

jimmiedave commented 1 year ago

Apache 2.4.56, WP 6.2.2, PHP 7.4.33, en-us language/locale, Two Factor 0.8.1

I disabled every plugin but Two Factor 0.8.1 and installed the WebAuthn provider for Two Factor. Logged in with my password, got the "trouble with site" screen.

[Screenshot attached, 2023-06-15]

apache2 error log had: [Thu Jun 15 21:34:13.793879 2023] [php7:error] [pid 3870468] [client 1.2.3.4:56068] PHP Fatal error: Uncaught Error: Call to undefined function mb_strtolower() in /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php:93\nStack trace:\n#0 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php(41): WildWolf\\WordPress\\TwoFactorWebAuthn\\Vendor\\MadWizard\\WebAuthn\\Web\\Origin::parseElements()\n#1 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Config/RelyingParty.php(34): WildWolf\\WordPress\\TwoFactorWebAuthn\\Vendor\\MadWizard\\WebAuthn\\Web\\Origin::parse()\n#2 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/inc/class-utils.php(34): WildWolf\\WordPress\\TwoFactorWebAuthn\\Vendor\\MadWizard\\WebAuthn\\Config\\RelyingParty->__construct()\n#3 /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/inc/class-webauthn-provider.php(80): WildWolf\\WordPress\\TwoFact in /{path_to_site}/public_html/wp-content/plugins/two-factor-provider-webauthn/vendor/madwizard/webauthn/src/Web/Origin.php on line 93, referer: https://{web site}/wp-login.php?loggedout=true&wp_lang=en_US

(In case it's not clear {path_to_site} and {web site} as well as 1.2.3.4 for the IP address are my personal data obfuscations.)

I deleted {webauthn...} directory from wp-content/plugins, reloaded page and was asked for my key. I clicked to enter my backup auth method, entered it and got in.

Re-enabled my plugins to where they were, changed my theme from Themify Simfo (very old - maybe 2011, but continuously maintained and updated on my site) to the WordPress 2023 default theme. Reinstalled {webauthn...} plugin, logged out, logged back in.

Result: Same error message on screen, identical log line (except for date/time/port).

Deleted {webauthn...} plugin directory from folder and got my site back up again in the same manner, and put the theme back on.

HTH.

adlerweb commented 1 year ago

Call to undefined function mb_strtolower()

Looks like you're missing mbstring (php7.4-mbstring), which seems to be required to run this plugin. You might want to check the list of "highly recommended" extensions to be sure your server can handle WordPress and plugins properly.

jimmiedave commented 1 year ago

Thanks for that info. I installed the recommended extension and the "interim step" is working.

Sorry for my misfire.