
Bug #16088

U2F security key authentication deprecated in Chrome

Added by Jeremy Felt about 2 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Category: WordPress Plugins
Start date: 2022-05-11
% Done: 0%

Description

When I attempt to log in to CDEV (as jeremyfelt) using Chrome 101.0.4951.64 on macOS 12.3.1, I am asked to insert my security key, but no additional prompt appears in the browser when I do so.

The console shows an error of:

u2f-api.js?ver=0.2.1-1.19.9:532 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://kmendfapggjehodndflmmgagdbamhnfd') does not match the recipient window's origin ('null').

On production, I do not have security key authentication enabled, but when I attempt to enable it I see this same error.

When I use Firefox 99, everything works fine.

According to this GitHub issue in the two-factor plugin, the U2F API has been deprecated in Chrome as of February. There's a chance this plugin works as a stop-gap until the core two-factor plugin is updated.

Related: https://redmine.gc.cuny.edu/issues/12900

History

#1 Updated by Raymond Hoh about 2 months ago

  • Category name set to WordPress Plugins
  • Assignee set to Raymond Hoh
  • Target version set to 1.19.10

Good catch, Jeremy!

I will add the referenced plugin later in the day on CDEV and will let you know when you can help with testing.

#2 Updated by Raymond Hoh about 2 months ago

Hi Jeremy,

I added the new WebAuthn plugin to CDEV. Can you see if you are able to log in now?

Also if you are able to login successfully on CDEV, can you test removing and adding the WebAuthn security key when on your profile's "My Settings > Security" page? I had to modify our BuddyPress frontend integration so the new WebAuthn fields will show up on that page, but I'm not sure if it is possible to register a new key or not.

If you encounter any problems, let me know.

#3 Updated by Jeremy Felt about 2 months ago

Hey Ray - It seems like there may be a PHP error when I try to log in. I enter my username/password on wp-login.php, and then it reloads with only the CUNY header.

The last bit of the source HTML is this before it stops:

<form name="validate_2fa_form" id="loginform" action="https://commons.gc.cuny.edu/wp-login.php?action=validate_2fa" method="post" autocomplete="off">
    <input type="hidden" name="provider"      id="provider"      value="TwoFactor_Provider_WebAuthn" />
    <input type="hidden" name="wp-auth-id"    id="wp-auth-id"    value="8174" />
    <input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="67d82ec9ad59330118fe2c56a579819816929b92492bb79cba328c1cf79369c2" />
    <input type="hidden" name="redirect_to" value="https://commons.gc.cuny.edu/wp-admin/" />
    <input type="hidden" name="rememberme"    id="rememberme"    value="0" />

#4 Updated by Raymond Hoh about 2 months ago

Thanks Jeremy. Can you test again? I think there was an issue with installing the WebAuthn DB tables.

If that doesn't work, let me know.

#5 Updated by Jeremy Felt about 2 months ago

Everything seems to be working great, thanks Ray!

I authenticated with my YubiKey, revoked the key in my settings, registered the key again, and was able to use it to authenticate in both Chrome and Firefox.

There was one spot that may be a little confusing now (screenshot attached). It's possible that WebAuthn has enough support that removing the general "Security keys" section may Just Work. A change like that might be worth figuring out how many people are using it though.

#6 Updated by Raymond Hoh about 2 months ago

Thanks for testing, Jeremy!

Yeah, I noticed the dual Security Keys sections and was surprised that the WebAuthn plugin did not attempt to disable the existing FIDO U2F method from the 2FA options.

I added an issue to the author's Github repo over here: https://github.com/sjinks/wp-two-factor-provider-webauthn/issues/93

Jeremy, what do you think about disabling the FIDO U2F provider ourselves and also perhaps removing the existing FIDO U2F keys after the migration to WebAuthn is done as I mentioned in the Github issue?

Edit - Actually, let's keep the existing FIDO U2F keys. If the core Two Factor plugin includes their own WebAuthn plugin in the future, they will probably reference those keys. So only disabling the FIDO U2F provider should be okay.

#7 Updated by Raymond Hoh about 2 months ago

  • Status changed from New to Staged for Production Release

A change like that might be worth figuring out how many people are using it though.

I just did a DB query to find out how many people are using FIDO U2F as their 2FA option and currently, only one member is using FIDO U2F on the Commons.

Anyway, I've added the two-factor-provider-webauthn plugin here: https://github.com/cuny-academic-commons/cac/commit/18365eb6ee2606702192bd0002eaefd63b8bb380

And updated our bp-two-factor plugin and also our custom login template so the WebAuthn plugin will work correctly: https://github.com/cuny-academic-commons/cac/compare/18365eb...c55cfc1

Boone, I've updated the ACTION_REQUIRED document to note that the two-factor-provider-webauthn plugin should be network activated.

I've also decided to disable the FIDO U2F 2FA provider for now: https://github.com/r-a-y/bp-two-factor/commit/1b8717dca4e5eef3d308440b81190b8539cfac11. The core two-factor plugin is planning on removing FIDO U2F in an upcoming release: https://github.com/WordPress/two-factor/pull/439, so I'm just preempting them now :)
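An added example (not the Commons' code, and not the query Ray actually ran) of how an admin can measure the impact before disabling the FIDO U2F provider, as comment #7 describes. It assumes the Two Factor plugin's storage layout: the enabled providers live in the user meta key `_two_factor_enabled_providers` as a serialized PHP array of provider class names, the primary provider in `_two_factor_provider`, and the U2F provider class is named `Two_Factor_FIDO_U2F`. The function name `cac_example_count_u2f_users` is made up for this example; run it inside WordPress (for instance with `wp eval-file`).

```php
<?php
/**
 * Added example, not project code. Assumed Two Factor plugin meta keys:
 *   _two_factor_enabled_providers  serialized array of provider class names
 *   _two_factor_provider           the user's primary provider class name
 * Assumed U2F provider class name: Two_Factor_FIDO_U2F
 */
function cac_example_count_u2f_users() {
    global $wpdb;

    // usermeta is a network-wide table, so on multisite one query covers
    // every site: users (and therefore their 2FA settings) are global.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT user_id, meta_value FROM {$wpdb->usermeta} WHERE meta_key = %s",
            '_two_factor_enabled_providers'
        )
    );

    $enabled = array();
    $primary = array();
    foreach ( $rows as $row ) {
        // Unserialize rather than matching with LIKE: a substring match would
        // also hit any other provider whose class name contains the same text.
        $providers = maybe_unserialize( $row->meta_value );
        if ( ! is_array( $providers ) || ! in_array( 'Two_Factor_FIDO_U2F', $providers, true ) ) {
            continue;
        }
        $user_id   = (int) $row->user_id;
        $enabled[] = $user_id;

        // Users whose *primary* method is U2F are the ones locked out if the
        // provider is disabled and they have no backup method configured.
        if ( 'Two_Factor_FIDO_U2F' === get_user_meta( $user_id, '_two_factor_provider', true ) ) {
            $primary[] = $user_id;
        }
    }

    return array( 'enabled' => $enabled, 'primary' => $primary );
}

$counts = cac_example_count_u2f_users();
printf(
    "FIDO U2F enabled for %d user(s); primary method for %d user(s): %s\n",
    count( $counts['enabled'] ),
    count( $counts['primary'] ),
    implode( ', ', $counts['primary'] )
);
```

The distinction between "enabled" and "primary" is the one that matters operationally: a user with U2F enabled alongside, say, TOTP loses nothing when the provider is disabled, whereas a user whose primary and only method is U2F needs to be contacted (or have a backup method) before the switch.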

#8 Updated by Raymond Hoh about 1 month ago

I encountered a bug for the WebAuthn plugin with the DB tables being installed per-site instead of globally. I've opened a pull request here: https://github.com/sjinks/wp-two-factor-provider-webauthn/pull/106.

For now, I've temporarily applied the fix to the Commons: https://github.com/cuny-academic-commons/cac/commit/3228b0a663a8f84a2c1a2e3be1317dde488fd551
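An added illustration (not the WebAuthn plugin's code, nor the fix in the linked pull request, which this ticket does not reproduce) of the multisite pitfall that produces per-site tables: inside a network, `$wpdb->prefix` is switched to the current site's prefix (for example `wp_2_`) while `$wpdb->base_prefix` stays the network-wide prefix (`wp_`). Because WordPress users are global, a table holding their WebAuthn credentials has to be created and queried with the latter. The table name `example_webauthn_credentials`, its columns, and the function names are invented for this example.

```php
<?php
/**
 * Added example, not plugin code. Shows the difference between creating a
 * table with $wpdb->prefix (one table per site) and $wpdb->base_prefix
 * (one table for the whole network). Table/column names are made up.
 */
function example_webauthn_table_name( $per_site = false ) {
    global $wpdb;
    // Bug pattern: $wpdb->prefix resolves to a different table on each site.
    // Correct pattern for user-scoped data: $wpdb->base_prefix.
    $prefix = $per_site ? $wpdb->prefix : $wpdb->base_prefix;
    return $prefix . 'example_webauthn_credentials';
}

function example_install_webauthn_table() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';

    $table   = example_webauthn_table_name( false ); // network-wide name
    $charset = $wpdb->get_charset_collate();

    // dbDelta() creates the table if it is missing and reconciles the schema
    // otherwise; it is idempotent, so running it on every activation is safe.
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL,
        credential_id varbinary(1024) NOT NULL,
        public_key blob NOT NULL,
        counter bigint(20) unsigned NOT NULL DEFAULT 0,
        created datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY user_id (user_id)
    ) {$charset};" );
}

// Quick check on a multisite install: resolve the name from a sub-site and
// from the main site. With $wpdb->prefix the two differ; with
// $wpdb->base_prefix they are identical, which is what we want for credentials.
switch_to_blog( 2 );
$per_site_from_site_2 = example_webauthn_table_name( true );
$global_from_site_2   = example_webauthn_table_name( false );
restore_current_blog();
$per_site_from_main = example_webauthn_table_name( true );
$global_from_main   = example_webauthn_table_name( false );

printf( "per-site:  %s vs %s\n", $per_site_from_site_2, $per_site_from_main );
printf( "global:    %s vs %s\n", $global_from_site_2, $global_from_main );
```

The same rule applies to every read and write against the table, not only to its creation: if the activation hook uses `base_prefix` but a lookup during login uses `prefix`, a key registered on one site will simply not be found on another, which looks to the user exactly like the login failure in comment #3.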

#9 Updated by Boone Gorges about 1 month ago

Ray, when I pushed this change to the production site, I had to deal with some uncommitted changes to wp-content/mu-plugins/cac-login-template.php. They appear to be connected to #15516 (?) and I manually merged them, but if you could take a moment to check, that'd be great.

#10 Updated by Boone Gorges about 1 month ago

  • Status changed from Staged for Production Release to Resolved

#11 Updated by Raymond Hoh about 1 month ago

They appear to be connected to #15516 (?) and I manually merged them, but if you could take a moment to check, that'd be great.

Yeah, that was from an attempt to debug #15516 (I still need to return to that!). I've removed those changes for now.
