WordPress / two-factor

Two-Factor Authentication for WordPress.

Home Page:https://wordpress.org/plugins/two-factor/

U2F Keys broken with WordPress 6.2

openaiken opened this issue

Describe the bug

When I first installed this plugin, I was running 6.1 and the plugin version was 0.7.3. It worked perfectly then. Since then, my WordPress automatically updated to 6.2, and two-factor updated twice -- from 0.7.3 to 0.8.0, and then from 0.8.0 to 0.8.1.

When logging into an account that defaults to U2F for the 2nd factor, the page loads directing the user to insert and press the key, but there is no longer a prompt for the key.

Alternate login methods still work if enabled for the user.

I bypassed the issue by logging into the backend, removing /public_html/wp-content/plugins/two-factor, logging in with just 1 factor, installing+activating the plugin again, and then editing both of my user accounts to have TOTP codes enabled as a backup. The behavior persists, but the backup option works so I'm good to go. Can't say the same for a user that posted ~3 days ago on the Wordpress.com forum.

Steps to Reproduce

  1. WordPress 6.2
  2. two-factor 0.8.1
  3. enable U2F keys for a user
  4. log out and test logging into that user

Screenshots, screen recording, code snippet

No response

Environment information

WP 6.2, using just the default Twenty Twenty-Three theme. I'm running WP in an Ubuntu sandbox via Virtualmin. I am running the most recent versions of Firefox and open-source Chromium on Manjaro (arch-based, stable branch) Linux, with Gnome.

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

To clarify... I recognize that the plugin is not tested with 6.2. I am simply reporting that this particular feature seems to have been broken, as I did not see a similar report on the wp forum or on this project's issues.

The other plugins I have activated are just ActivityPub and NodeInfo, nothing else. Hope this helps!

Thank you so much for making this plugin to begin with.

Are you using U2F on any other sites? IIRC all the major browsers have already disabled it, so it won't work anywhere. We're updating the plugin to migrate to WebAuthn in #423 / #427, but it's not ready yet.

You could install https://wordpress.org/plugins/two-factor-provider-webauthn/ in the meantime, and your existing keys should still work.

Let me know if that's not the problem, though.
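The maintainer's reply above rests on two points a practitioner will want to check on their own site: whether the browser still exposes the legacy U2F JavaScript API at all, and how a WebAuthn login can keep accepting keys that were registered through U2F. The standard mechanism for the second point is the WebAuthn FIDO AppID extension ("appid"), which tells the authenticator to also look for credentials scoped to the old U2F AppID. The following is an added example written for this page, not code from the two-factor plugin or from the two-factor-provider-webauthn plugin (the page does not say how that plugin handles U2F keys); the function names, the sample key handles and the AppID URL are assumptions for illustration.

```javascript
// Added example (not code from the two-factor plugin or from the
// two-factor-provider-webauthn plugin): feature-detect the second-factor
// API a browser exposes, and build a WebAuthn assertion request that also
// accepts keys registered under the legacy U2F API via the "appid"
// extension. All names and values are assumptions for illustration.

// Decode base64url (the websafe encoding U2F key handles are usually
// stored in) to raw bytes without depending on Buffer or atob.
function base64urlToBytes(str) {
  const alphabet =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
  const clean = str.replace(/=+$/, '');
  const out = [];
  let bits = 0;
  let value = 0;
  for (const ch of clean) {
    const idx = alphabet.indexOf(ch);
    if (idx === -1) throw new Error('invalid base64url character: ' + ch);
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return Uint8Array.from(out);
}

// Which second-factor API the given global object exposes. Current browsers
// no longer expose window.u2f, so on them this returns 'webauthn' or 'none'.
function detectSecondFactorApi(globalObj) {
  const nav = globalObj.navigator;
  const hasWebAuthn =
    typeof globalObj.PublicKeyCredential === 'function' &&
    nav && nav.credentials && typeof nav.credentials.get === 'function';
  if (hasWebAuthn) return 'webauthn';
  if (globalObj.u2f && typeof globalObj.u2f.sign === 'function') return 'u2f';
  return 'none';
}

// Build PublicKeyCredentialRequestOptions. credentialIds are key handles as
// base64url strings (for keys registered via U2F, the U2F key handles).
// legacyAppId is the U2F AppID those keys were registered under; when given
// it is passed through the "appid" extension so the authenticator can find
// credentials scoped to that AppID instead of to rpId.
function buildAssertionOptions({ challenge, rpId, credentialIds, legacyAppId }) {
  const options = {
    challenge: base64urlToBytes(challenge),
    rpId,
    timeout: 60000,
    userVerification: 'discouraged', // second factor: user presence is enough
    allowCredentials: credentialIds.map((id) => ({
      type: 'public-key',
      id: base64urlToBytes(id),
      transports: ['usb', 'nfc', 'ble'],
    })),
  };
  if (legacyAppId) {
    options.extensions = { appid: legacyAppId };
  }
  return options;
}

// Ask the browser for an assertion. The "appid" client extension output is
// true when the credential was found under the legacy AppID, which tells the
// server which verification path (U2F AppID hash vs rpId hash) to use.
async function requestAssertion(globalObj, options) {
  const api = detectSecondFactorApi(globalObj);
  if (api !== 'webauthn') {
    throw new Error('WebAuthn is not available (' + api + '); the legacy ' +
      'U2F API is no longer exposed by current browsers');
  }
  const credential = await globalObj.navigator.credentials.get({ publicKey: options });
  const ext = typeof credential.getClientExtensionResults === 'function'
    ? credential.getClientExtensionResults()
    : {};
  return { credential, usedLegacyAppId: ext.appid === true };
}

// Browser usage (assumed site and AppID; the challenge and key handles
// would come from the server):
// const opts = buildAssertionOptions({
//   challenge: 'AQID', rpId: 'example.com', credentialIds: ['AQID'],
//   legacyAppId: 'https://example.com',
// });
// requestAssertion(window, opts).then(console.log, console.error);
```

The server side must mirror the fallback: when the client reports `appid: true`, the rpIdHash in the returned authenticator data is SHA-256 of the legacy AppID rather than of rpId, and the signature must be verified against that. Whether the plugin linked above does this is not stated on this page.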

@iandunn you know what, I used "U2F" flippantly because that's what it read in the User Settings, but your comment made me realize that we're talking about FIDO/U2F versus FIDO2/WebAuthn, and that might be the difference.

Thanks for showing me the issues where you are upgrading. I will happily wait until y'all feel that it is ready.

Sounds good, thanks! 👍🏻

If you're using firefox, you can still enable U2F by going to about:config and setting security.webauth.u2f to true

thank you for this! I didn't know it was toggleable, this is a great workaround for now.

The security.webauth.u2f workaround for Firefox seems to have stopped working :-(.

Shot/chaser. Hate to see it :/ lol