U2F security key authentication deprecated in Chrome
When I attempt to log in to CDEV (as jeremyfelt) using Chrome 101.0.4951.64 on Mac OS 12.3.1, I am asked to insert my security key, but no additional prompt appears in the browser when I do so.
The console shows an error of:
u2f-api.js?ver=0.2.1-1.19.9:532 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://kmendfapggjehodndflmmgagdbamhnfd') does not match the recipient window's origin ('null').
On production, I do not have security key authentication enabled, but when I attempt to enable it I see this same error.
When I use Firefox 99, everything works fine.
According to this GitHub issue in the two-factor plugin, the U2F API has been deprecated in Chrome as of February. There's a chance this plugin works as a stop-gap until the core two-factor plugin is updated.
#2 Updated by Raymond Hoh about 2 months ago
I added the new WebAuthn plugin to CDEV. Can you see if you are able to login now?
Also if you are able to login successfully on CDEV, can you test removing and adding the WebAuthn security key when on your profile's "My Settings > Security" page? I had to modify our BuddyPress frontend integration so the new WebAuthn fields will show up on that page, but I'm not sure if it is possible to register a new key or not.
If you encounter any problems, let me know.
#3 Updated by Jeremy Felt about 2 months ago
Hey Ray - It seems like there may be a PHP error when I try to login. I enter my username/password on wp-login.php, and then it reloads with only the CUNY header.
The last bit of the source HTML is this before it stops:
<form name="validate_2fa_form" id="loginform" action="https://commons.gc.cuny.edu/wp-login.php?action=validate_2fa" method="post" autocomplete="off"> <input type="hidden" name="provider" id="provider" value="TwoFactor_Provider_WebAuthn" /> <input type="hidden" name="wp-auth-id" id="wp-auth-id" value="8174" /> <input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="67d82ec9ad59330118fe2c56a579819816929b92492bb79cba328c1cf79369c2" /> <input type="hidden" name="redirect_to" value="https://commons.gc.cuny.edu/wp-admin/" /> <input type="hidden" name="rememberme" id="rememberme" value="0" />
#5 Updated by Jeremy Felt about 2 months ago
Everything seems to be working great, thanks Ray!
I authenticated with my yubi key, revoked the key in my settings, registered the key again, and was able to use it to authenticate in both Chrome and Firefox.
There was one spot that may be a little confusing now (screenshot attached). It's possible that WebAuthn has enough support that removing the general "Security keys" section may Just Work. A change like that might be worth figuring out how many people are using it though.
#6 Updated by Raymond Hoh about 2 months ago
Thanks for testing, Jeremy!
Yeah, I noticed the dual Security Keys sections and was surprised that the WebAuthn plugin did not attempt to disable the existing Fido U2F method from the 2FA options.
I added an issue to the author's GitHub repo over here: https://github.com/sjinks/wp-two-factor-provider-webauthn/issues/93
Jeremy, what do you think about disabling the FIDO U2F provider ourselves and also perhaps removing the existing FIDO U2F keys after the migration to WebAuthn is done, as I mentioned in the GitHub issue?
Edit - Actually, let's keep the existing FIDO U2F keys. If the core Two Factor plugin includes their own WebAuthn plugin in the future, they will probably reference those keys. So only disabling the FIDO U2F provider should be okay.
#7 Updated by Raymond Hoh about 2 months ago
- Status changed from New to Staged for Production Release
A change like that might be worth figuring out how many people are using it though.
I just did a DB query to find out how many people are using FIDO U2F as their 2FA option and currently, only one member is using FIDO U2F on the Commons.
Anyway, I've added the two-factor-provider-webauthn plugin here: https://github.com/cuny-academic-commons/cac/commit/18365eb6ee2606702192bd0002eaefd63b8bb380
And updated our bp-two-factor plugin and also our custom login template so the WebAuthn plugin will work correctly: https://github.com/cuny-academic-commons/cac/compare/18365eb...c55cfc1
Boone, I've updated the ACTION_REQUIRED document to note that the two-factor-provider-webauthn plugin should be network activated.
I've also decided to disable the FIDO U2F 2FA provider for now: https://github.com/r-a-y/bp-two-factor/commit/1b8717dca4e5eef3d308440b81190b8539cfac11. The core two-factor plugin is planning on removing FIDO U2F in an upcoming release: https://github.com/WordPress/two-factor/pull/439, so I'm just preempting them now :)
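The two steps Ray describes in this comment (checking how many members still rely on FIDO U2F, then hiding the U2F provider once WebAuthn is available) as an added example; this is not the Commons' bp-two-factor code or the WebAuthn plugin's own code. It assumes the Two Factor plugin's `two_factor_providers` filter and its `_two_factor_enabled_providers` user-meta key, and takes the WebAuthn provider key `TwoFactor_Provider_WebAuthn` from the login form pasted above.

```php
<?php
/**
 * Added example: an mu-plugin that hides the FIDO U2F provider from the
 * Two Factor plugin once the WebAuthn provider is registered, plus a helper
 * that counts users still enrolled with U2F so the change can be sized.
 *
 * Assumed: the `two_factor_providers` filter (array keyed by provider class
 * name) and the `_two_factor_enabled_providers` user-meta key (serialized
 * array of provider class names), both from the WordPress Two Factor plugin.
 */

// Priority 20 so this runs after the WebAuthn plugin has added itself at the
// default priority; otherwise the isset() check below would never be true.
add_filter( 'two_factor_providers', 'example_disable_fido_u2f_provider', 20 );

function example_disable_fido_u2f_provider( array $providers ): array {
    // Only drop U2F when a replacement is present, so nobody is left with a
    // method Chrome can no longer complete and no working alternative.
    if ( isset( $providers['TwoFactor_Provider_WebAuthn'] ) ) {
        unset( $providers['Two_Factor_FIDO_U2F'] );
    }
    return $providers;
}

/**
 * Count users who still have FIDO U2F enabled. usermeta is shared across a
 * multisite network, so a single query covers every site on the network.
 */
function example_count_fido_u2f_users(): int {
    global $wpdb;

    // The meta value is a serialized PHP array, so match the class name as a
    // substring; esc_like() keeps a literal underscore from acting as a wildcard.
    $like = '%' . $wpdb->esc_like( 'Two_Factor_FIDO_U2F' ) . '%';

    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta}
             WHERE meta_key = %s AND meta_value LIKE %s",
            '_two_factor_enabled_providers',
            $like
        )
    );
}
```

With WP-CLI available, `wp eval 'echo example_count_fido_u2f_users();'` reproduces the head count from the comment above; the existing `_two_factor_fido_u2f_*` user meta is left untouched, matching the decision to keep registered U2F keys in place.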
#8 Updated by Raymond Hoh about 1 month ago
I encountered a bug for the WebAuthn plugin with the DB tables being installed per-site instead of globally. I've opened a pull request here: https://github.com/sjinks/wp-two-factor-provider-webauthn/pull/106.
For now, I've temporarily applied the fix to the Commons: https://github.com/cuny-academic-commons/cac/commit/3228b0a663a8f84a2c1a2e3be1317dde488fd551
#9 Updated by Boone Gorges about 1 month ago
Ray, when I pushed this change to the production site, I had to deal with some uncommitted changes to wp-content/mu-plugins/cac-login-template.php. They appear to be connected to #15516 (?) and I manually merged them, but if you could take a moment to check, that'd be great.