2FA U2F FIDO - U2F API deprecating soon #17229

Closed
MordiSacks opened this issue Dec 7, 2021 · 11 comments

MordiSacks commented Dec 7, 2021

Describe the bug

The U2F API will be deprecated by the end of February 2022 by Chrome (and all Chrome-based browsers).
Currently, when attempting to authenticate, I get a message:

“This site won’t be able to use the U2F API after February 2022. If you own this site, you should change it to use the Web Authentication API”.

To Reproduce

  1. Set up PMA
  2. Create PMA storage DB
  3. Set up FIDO U2F as 2FA (home > settings > Two-factor authentication > FIDO) (I use a YubiKey)
  4. Log out
  5. Log in

Screenshots

If applicable, add screenshots to help explain your problem.

Server configuration

  • Operating system: Debian 11
  • Web server: Nginx 1.18
  • Database version: 10.6.5-MariaDB-1:10.6.5
  • PHP version: 8.0.13
  • phpMyAdmin version: 5.1.1

Client configuration

  • Browser: Chrome 96.0.4664.45 x64
  • Operating system: Windows 10
@williamdes
Member

Thank you so much for the report, @MordiSacks!

@williamdes williamdes added the Bug A problem or regression with an existing feature label Dec 7, 2021
@williamdes williamdes added this to the 5.1.3 milestone Dec 7, 2021
@williamdes williamdes added this to Needs triage in issues via automation Dec 7, 2021
@williamdes williamdes moved this from Needs triage to High priority in issues Dec 7, 2021
@MordiSacks
Author

Just updating that as of Chrome 98.0.4758.80, 2FA via U2F is broken :(
Thank you for taking this issue in high priority.

@ibennetch ibennetch modified the milestones: 5.1.3, 5.1.4 Feb 11, 2022
@MordiSacks
Author

If anyone is looking for an easy temporary solution, the latest Firefox still supports U2F.

@MauricioFauth
Member

Chrome's legacy U2F API for interacting with security keys is deprecated and beginning a deprecation trial in Chrome 95 wherein the API remains enabled by default, but the trial token will disable the key for participating sites. U2F security keys themselves are not deprecated and will continue to work.

Affected sites should migrate to the Web Authentication API. Credentials that were originally registered via the U2F API can be challenged via web authentication. USB security keys that are supported by the U2F API are also supported by the Web Authentication API.
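
The migration path described in the comment above, as an added example (not phpMyAdmin's code and not part of the thread): a WebAuthn assertion request for key handles that were enrolled through the U2F API, using the WebAuthn `appid` extension. The function names, the host `pma.example.test` and the key handle are constructed assumptions.

```javascript
// Added example, not phpMyAdmin code. All names and sample values are constructed.

// U2F stored key handles as unpadded websafe base64; WebAuthn wants raw bytes.
function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s) || s.length % 4 === 1) {
    throw new TypeError('not websafe base64');
  }
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions for keys enrolled through the U2F API.
function buildLegacyAssertionOptions({ challenge, rpId, appId, keyHandles }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError('challenge must be at least 16 random bytes');
  }
  if (new URL(appId).protocol !== 'https:') {
    throw new TypeError('U2F AppID must be an https URL');
  }
  return {
    challenge,
    rpId,
    allowCredentials: keyHandles.map((kh) => ({
      type: 'public-key',
      id: b64urlToBytes(kh),
    })),
    userVerification: 'discouraged', // U2F keys only prove user presence
    extensions: { appid: appId },    // lets the key sign for SHA-256(appId)
  };
}

// Server side: which string's SHA-256 must equal rpIdHash in authenticatorData.
// If the client reports appid === true, the key signed for the legacy AppID.
function rpIdHashSource(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true
    ? appId
    : rpId;
}

// In a browser (not executed here):
// const cred = await navigator.credentials.get({ publicKey: options });
// const source = rpIdHashSource(cred.getClientExtensionResults(), rpId, appId);
```

The verifier must accept the AppID hash only when the client extension output says it was used; otherwise it keeps comparing against the RP ID hash.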

@ibennetch ibennetch modified the milestones: 5.1.4, 5.2.1 May 11, 2022
@williamdes williamdes added the affects/5.2 This issue or pull-request affects 5.2.x releases (and maybe further versions) label Oct 25, 2022
@williamdes williamdes removed this from the 5.2.1 milestone Oct 25, 2022
@williamdes williamdes added confirmed/5.2 This issue is confirmed to be reproduced on 5.2 at the time this label was set confirmed/6.0 This issue is confirmed to be reproduced on 6.0 at the time this label was set labels Oct 25, 2022
@williamdes williamdes added this to the 5.2.1 milestone Oct 26, 2022
@williamdes williamdes added the affects/6.0 This issue or pull-request affects 6.0.x releases (and maybe further versions) label Oct 31, 2022
@MauricioFauth
Member

I'm working on adding support for WebAuthn.

@williamdes
Member

> I'm working on adding support for WebAuthn.

Awesome!
Do not hesitate to PR to https://github.com/code-lts/U2F-php-server any back end code

MauricioFauth added a commit to MauricioFauth/phpmyadmin that referenced this issue Dec 17, 2022
Adds a two factor authentication plugin that supports FIDO2/WebAuthn
security keys.

- Fixes phpmyadmin#17229

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
@williamdes williamdes removed affects/5.2 This issue or pull-request affects 5.2.x releases (and maybe further versions) affects/6.0 This issue or pull-request affects 6.0.x releases (and maybe further versions) confirmed/5.2 This issue is confirmed to be reproduced on 5.2 at the time this label was set confirmed/6.0 This issue is confirmed to be reproduced on 6.0 at the time this label was set labels Jan 16, 2023
@williamdes williamdes moved this from High priority to Closed in issues Jan 16, 2023
@williamdes
Member

#17989 implemented this; it's now deployed on the latest 5.2 version in development (phpMyAdmin 5.2+snapshot) and on the non-official Docker image.

I encourage all users to test it as soon as possible. But like I said (#17989 (comment)), for now you have to use Firefox to disable U2F and be able to use any browser to set up WebAuthn.

@MordiSacks
Author

@williamdes
Played around with it a little, seems to work great.
Thank you so much!

@williamdes
Member

> @williamdes Played around with it a little, seems to work great. Thank you so much!

Thank you for the feedback.
It's all @MauricioFauth's great work.

@MordiSacks
Author

@MauricioFauth
Thank you

@williamdes williamdes self-assigned this Jan 19, 2023
MauricioFauth added a commit that referenced this issue Jan 21, 2023
Related to #17229.

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
@ldet

ldet commented May 5, 2023

Update on the Firefox "workaround":
Firefox no longer has U2F enabled by default. It can be enabled by setting security.webauth.u2f to true in about:config.
However, that will no longer work with Firefox 114+, see this Bugzilla entry.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 5, 2024