WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

Disable U2F Interface unless already configured. #571

Open dd32 opened 1 year ago

dd32 commented 1 year ago

What?

This PR disables the U2F / FIDO interface, unless keys are already configured for the user.

Fixes #511

Why?

U2F / FIDO no longer works in modern browsers. Until #423 is resolved, having this provider enabled only causes confusion for end users (see #511).

Ideally, we wouldn't need to do this, as we've been assuming that #423 would be resolved, but 6+ months later it's no closer to being merged. I'd like to merge this into a 0.8.2.

Alternatives

Alternatively, the JavaScript could be updated to detect FIDO/U2F not being viable, and display an error message about the browser not supporting it too.

How?

This simply disables the UI by:

If, for some reason, it needs to be re-enabled, a filter is included:

add_filter( 'two_factor_u2f_disabled', '__return_false' );

Testing Instructions

Screenshots or screencast


Changelog Entry

Deprecated: The FIDO/U2F integration has been hidden unless already configured. This is because modern browsers no longer support the standard, and we've not yet finalised our WebAuthn implementation.

jeffpaul commented 1 year ago

@dd32 do you want to pull this into 0.8.2 or leave for 0.9.0?

jeffpaul commented 1 week ago

Besides the merge conflicts, @georgestephanis @TimothyBJacobs, does this look good to you?

TimothyBJacobs commented 1 week ago

Yeah I think this makes sense to me.