cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
537 stars 181 forks

No attempt to use U2F Security Key #202

Open Nuru opened 3 years ago

Nuru commented 3 years ago

I have a YubiKey U2F security key as my default MFA. aws-google-auth used to immediately use it when I logged in, but now it does not use it and instead prompts me to use a different MFA method.

This appears to be caused by a change with Google's pages, but I do not fully understand how the U2F integration works. I can say when I look at the MFA challenge selector page given to aws-google-auth it says that the security key is "not supported on this device or browser".

Update 1

On further investigation, it looks like U2F integration is switching to a JavaScript implementation. It may not be possible to support U2F without running JavaScript.

chrisjaimon2012 commented 3 years ago

So no more U2F support in aws-google-auth? Or does #203 fix the issue with the U2F integration?

Nuru commented 3 years ago

@chrisjaimon2012 #203 restores operation of SMS and TOTP 2FA, but not U2F. I did not write the previous U2F integration and am not quite sure how it worked, so maybe someone else can fix it. As far as I can tell, Google is switching to a JavaScript UI that is going to require something like Selenium to make U2F integration work, but I could be wrong.

Personally I am leaning towards using aws-saml-capture-extension plus a shell script like this on the Mac:

#!/usr/bin/env bash
# Profile name is taken from the script's own name ($0); the SAML assertion
# captured by the browser extension is read from the macOS clipboard (pbpaste).
aws-google-auth -k -p "$0" --saml-assertion "$(pbpaste)"

I would prefer someone fix aws-google-auth, but until then, this works better than the alternatives because, by using my real browser to log in, I have a reliable tool, I do not get asked for CAPTCHA or even 2FA that often, and since aws-google-auth both caches the SAML assertion (which is valid for 5 minutes) and modifies rather than overwrites ~/.aws/credentials, I can follow up the above with additional aws-google-auth commands to get credentials for other profiles and log into multiple accounts at once.
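The multi-profile workflow described in the comment above, written out as an added example (this is not code from the thread or from the aws-google-auth project). It assumes the same invocation as the posted script (`-k -p PROFILE --saml-assertion ...`, aws-google-auth on PATH), that the browser extension leaves the base64 SAML assertion on the macOS clipboard (`pbpaste`), that `base64 -d` is available, and that an AWS-bound assertion carries the standard `https://aws.amazon.com/SAML/Attributes/Role` attribute. Before the assertion is handed to the tool for each profile, the script decodes it and checks that the clipboard actually holds a SAML Response with an AWS role attribute rather than, say, a copied login page; the sample assertion at the bottom is constructed for demonstration only.

```shell
#!/bin/sh
# Added example: refresh several AWS profiles from one browser-captured SAML
# assertion (the assertion is a short-lived bearer credential, valid about 5 min).
set -eu

# saml_assertion_ok BASE64_ASSERTION
# Returns 0 if the argument decodes to a SAML Response that carries the AWS role
# attribute, 1 otherwise. Cheap guard against feeding clipboard junk to the tool.
saml_assertion_ok() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    printf '%s' "$decoded" | grep -qE '<(saml2p|samlp):Response' || return 1
    printf '%s' "$decoded" | grep -q 'https://aws.amazon.com/SAML/Attributes/Role' || return 1
    return 0
}

# login_all_profiles PROFILE...
# Reads the assertion once from the clipboard and reuses it for every profile;
# each aws-google-auth call updates only that profile's entry in ~/.aws/credentials.
login_all_profiles() {
    assertion=$(pbpaste | tr -d '\n')   # macOS clipboard (assumption: use xclip -o on Linux)
    if ! saml_assertion_ok "$assertion"; then
        echo "clipboard does not hold a SAML assertion with an AWS role attribute" >&2
        return 1
    fi
    for profile in "$@"; do
        # Same flags as the script posted in the thread.
        aws-google-auth -k -p "$profile" --saml-assertion "$assertion"
    done
}

# Constructed sample assertion (not a real Google-issued document), used to
# demonstrate the check; sample_assertion prints it base64-encoded on one line.
SAMPLE_ASSERTION_XML='<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AttributeStatement><saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"/></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>'
sample_assertion() {
    printf '%s' "$SAMPLE_ASSERTION_XML" | base64 | tr -d '\n'
}

# Usage: ./login.sh dev prod   (profiles to refresh; nothing runs without arguments)
if [ "$#" -gt 0 ]; then
    login_all_profiles "$@"
fi
```

Run it as `./login.sh dev prod` right after the browser extension has copied the assertion; because every call reuses the one assertion and the tool merges rather than overwrites the credentials file, all named profiles end up logged in from a single MFA-backed browser login.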

andreaso commented 3 years ago

Another fallback option is to do something based on the https://g.co/sc one-time security codes.

I have an initial support for that implemented in my https://github.com/andreaso/aws-google-auth/tree/wip/skotp-support branch, which builds on top of the https://github.com/cevoaustralia/aws-google-auth/pull/203 branch.

forsberg commented 3 years ago

Hmm.. I don't really think this one was closed by #203? @stevemac007?

stevemac007 commented 3 years ago

Looks like you are correct - this is back to the fact I don't have a device to test this with.

andreaso commented 3 years ago

@stevemac007: If you would like a Yubikey we can ship you one free of charge.

cmfcruz commented 3 years ago

Hi, any chance that volkangurel's PR can get merged soon? I can confirm that this works as a good alternative for Yubikey users.

The user is asked to visit https://g.co/sc which gives them a one-time security code after verifying their Yubikey.