gravitational / teleport


Remove U2F fallback from client tools #43133

Closed. rosstimothy closed this 1 week ago

rosstimothy commented 1 week ago

U2F support was deprecated in favor of WebAuthn many releases ago; however, not all references were removed when working on https://github.com/gravitational/teleport/issues/10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled.

In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result.

Updates https://github.com/gravitational/teleport/issues/43112.

codingllama commented 1 week ago

Re-phrased title, as technically U2F support still exists; it's the U2F "native" fallback code that we are deleting.

public-teleport-github-review-bot[bot] commented 1 week ago

@rosstimothy See the table below for backport results.

Branch      Result
branch/v14  Failed
branch/v15  Failed
branch/v16  Create PR

ravicious commented 1 week ago

This makes it so that tsh needs to be built with FIDO2 for WebAuthn to work on macOS, otherwise you get some variant of "hardware device MFA not supported by your platform, please register an OTP device".

codingllama commented 1 week ago

> This makes it so that tsh needs to be built with FIDO2 for WebAuthn to work on macOS, otherwise you get some variant of "hardware device MFA not supported by your platform, please register an OTP device".

This is intended, although in hindsight we should have communicated better. Tim and I are talking about ways to improve our developer experience around this.