About Adam
-
@howdytom OK, none of my iOS devices have 17.4 exactly, so that is probably why I could not replicate that.

I had a quick go at updating the dependency but everything breaks when I do that. I have no idea what has changed in 2 years but it's enough to cause challenge issues adding new keys, and existing keys are no longer "familiar" on the login prompt. Simply put, I do not have enough knowledge or time to dedicate to this besides quick bug fixes. A quick glance at the GitHub changes between 1.1.3 and 2.0.0 really does not show why it falls apart after an update, as it's failing even the registration part, which is unrelated to the changes.

I am surprised no one has made a better WebAuthn for ProcessWire. This was and still is a proof of concept. It works but very much could do with someone that is good at PHP.

The initial login bug also is not happening for me with a fresh copy of PW and the module in Chrome 125. Sounds strange though. I would be happy to look into that but it's hard to debug when the issue does not happen for me. Is this also on macOS? Do you get the system prompts as expected?
-
Okay https://denniskniep.github.io/posts/02-fragile-passkey-ecosystem-for-enterprises/#security-key-can-not-be-selected---due-to-transport-selection

Found that link. It suggests iOS 17.4 and whatever macOS is now is just stupid in like 500 ways, urgh.

A temporary solution might be editing line 30~ of the module file to disable BLE security keys. That way we aren't offering all types... Why that is a problem for Apple I have no clue. I will be updating the library anyway, but let me know if that works at all. If so I will make that a full-on change, as I doubt BLE keys are used much in 2024.
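An added example, not part of the post above and not code from the TfaWebAuthn module: one way to test the "stop offering BLE" idea on the client side is to strip the `ble` hint from the `allowCredentials` list of the login options before they reach `navigator.credentials.get()`. The function name `dropTransports` and the sample options are assumptions made for illustration.

```javascript
// Added example, not code from the TfaWebAuthn module.
// Removes unwanted transport hints (e.g. "ble") from WebAuthn login options.
function dropTransports(publicKey, excluded) {
  const banned = new Set(excluded);
  const removed = []; // ids of credentials reachable only over a banned transport
  const kept = [];

  for (const cred of publicKey.allowCredentials || []) {
    // A missing or empty list is "no hint": the browser may try any transport.
    if (!Array.isArray(cred.transports) || cred.transports.length === 0) {
      kept.push({ ...cred });
      continue;
    }
    const transports = cred.transports.filter((t) => !banned.has(t));
    if (transports.length === 0) {
      // Emitting [] would turn a BLE-only key into "any transport", so drop it.
      removed.push(cred.id);
      continue;
    }
    kept.push({ ...cred, transports });
  }

  // Return a copy; the options object received from the server is not mutated.
  return { publicKey: { ...publicKey, allowCredentials: kept }, removed };
}

// Constructed sample options (ids and challenge are placeholders, not real values).
const sampleOptions = {
  challenge: 'constructed-challenge',
  rpId: 'example.test',
  allowCredentials: [
    { type: 'public-key', id: 'key-usb-nfc-ble', transports: ['usb', 'nfc', 'ble'] },
    { type: 'public-key', id: 'key-ble-only', transports: ['ble'] },
    { type: 'public-key', id: 'key-no-hint' },
  ],
};

const filtered = dropTransports(sampleOptions, ['ble']);
console.log(JSON.stringify(filtered, null, 2));
```

If every credential ends up in `removed`, treat that as a failed login rather than sending an empty `allowCredentials`, because an empty list asks the browser for any discoverable credential.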
-
I don't have a Mac for testing, I am afraid, so this bug is limited for me. I imagine the issue will be in the JS file if there is a problem, and it might take a bit of unwrapping as it's been a while since I made this.
-
Sorry for the late reply on this one. I assumed for the first reply it was the U2F module, which is no longer used.

I have just set up a new PW install and was able to use my security key on my iPhone. I am using Firefox though. I want to suggest it's because of passkeys being a thing now, but I have that option too?

Can you confirm PW version, iOS version, browser on iOS? Have you tested on a blank install? Might need to disable and re-enable the WebAuthn for users?
-
@howdytom If you rename the WebAuthn modules folder it will disable it temporarily and bypass the Tfa requirement. That is the simplest method, and if you reinstall (simple as just clicking the refresh button under the modules menu) users that had WebAuthn enabled before will have it re-enabled (unless they change their profile settings).

As for additional recovery options, you can always buy a spare security key and keep it in a safe place if you lose your other keys. A superadmin can always disable it for users as well and also set it up for them via the users page, so if you're the developer of the site and your client can't log in you can simply disable it for them etc. That's a core ProcessWire feature that works for any Tfa plugin.

There is no like OTP alternative, as I think that should be a core feature of ProcessWire: multiple TFA methods per user. As it stands you can only set up a single Tfa method.

Hope that helps
-
@howdytom Glad it is working out well for you. WebAuthn is indeed faster than old U2F was, as it's more native to the browser/OS.

Not a problem, I couldn't let one of the best forms of two-factor just die because of a change to how these security keys are done. WebAuthn was only a year old when I made the first U2F module. It's far superior though, as you can see, so it was worth it to redo it.
-
Adam started following WebAuthn Two Factor Authentication
-
Some of you might have used my previous U2F module for your two factor needs. Well, I was recently informed that Chrome is dropping plain U2F support in favour of WebAuthn. So after a full day of debugging some cryptic errors I am proud to announce a WebAuthn module.

This has some major improvements. For example, you can now use on-device credentials like Windows Hello/Apple Touch ID. This means that even people without a YubiKey can benefit from modern two factor authentication. It also has much better cross platform support. For example, NFC will now work on an iPhone. I do not recall the original U2F stuff working well on iPhones, so yay?

There is still the original issue that ProcessWire imposes with its Tfa class, that being it is a setup once and never edit again system, so you can only add your on-device credentials for a single device because once saved you can't then edit your credentials on a second device. You also lack the options to revoke a single credential or add a new one. You have to wipe out the config and re-add your keys again. It sucks, but realistically if you need more than 3x credentials you're almost defeating the point of Tfa.

I feel the need to also point out that this does not replace passwords. That is something WebAuthn can do: a fully passwordless setup. But I think implementing that inside ProcessWire would be a huge challenge. It is frankly a form of magic that I was able to make WebAuthn work within the confines of ProcessWire's Tfa class.

Github: https://github.com/adamxp12/TfaWebAuthn
ProcessWire Modules: https://processwire.com/modules/tfa-web-authn/

I hope this module helps you guys out securing your ProcessWire websites. If you have any issues just reply and I will do my best to help you out.
-
@Pete Yep, you only have to add a device once. Same thing applies to YubiKeys with NFC: you can add them via NFC or USB and they will work either way as well. I don't have any Bluetooth keys to test with, but WebAuthn does support a Bluetooth security key. I assume this would be like a phone/smartwatch but seems like something Google support well. Apple likely supports the Apple Watch/iPhone from a Mac?
-
@Pete Glad it works for you. I must say in my testing I am loving the Windows Hello addition too. This is mostly a stopgap solution though, as I think a proper native WebAuthn setup in the core that allows you to manage each credential after it's set up would be better, but for now this is a solid upgrade path for people who used my old U2F module and need it to work after February and don't want to give up hardware keys.
-
@Pete Ah yes, you need an HTTPS setup for it to work. So localhost/127.0.0.1 will not work unless you have SSL set up too.
-
@Pete Which browser are you using? That error implies your browser lacks WebAuthn support? I will have to add a cleaner error message for that instead of relying on the console.

Working in Chrome 97 and Firefox ESR 91.
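An added example, not part of the posts above and not code from the TfaWebAuthn module: the two failure modes discussed here (no HTTPS, no WebAuthn support in the browser) can be checked before calling the API, and rejected promises can be turned into readable messages instead of console errors. The names `webauthnPreflight`, `explainWebAuthnError` and the `env` parameter are assumptions; the message wording is illustrative.

```javascript
// Added example, not code from the TfaWebAuthn module.
// `env` is a hypothetical parameter so the checks can be run outside a browser.
function webauthnPreflight(env = globalThis) {
  if (env.isSecureContext !== true) {
    return { ok: false, code: 'insecure-context',
      message: 'Security keys only work on a secure (HTTPS) page.' };
  }
  if (typeof env.PublicKeyCredential !== 'function') {
    return { ok: false, code: 'no-webauthn',
      message: 'This browser does not support WebAuthn security keys.' };
  }
  const creds = env.navigator && env.navigator.credentials;
  if (!creds || typeof creds.create !== 'function' || typeof creds.get !== 'function') {
    return { ok: false, code: 'no-credentials-api',
      message: 'The browser credentials API is unavailable on this page.' };
  }
  return { ok: true, code: 'ok', message: '' };
}

// DOMException names that navigator.credentials.create()/get() reject with.
const ERROR_TEXT = {
  NotAllowedError: 'The request was cancelled, timed out, or no matching key was presented.',
  SecurityError: 'This site address is not valid for the security key request.',
  InvalidStateError: 'This security key is already registered.',
  NotSupportedError: 'This security key does not support an algorithm the site accepts.',
  AbortError: 'The request was aborted before it completed.',
};

function explainWebAuthnError(err) {
  const name = err && typeof err.name === 'string' ? err.name : '';
  return Object.prototype.hasOwnProperty.call(ERROR_TEXT, name)
    ? ERROR_TEXT[name]
    : 'Unexpected security key error. See the browser console for details.';
}

// Constructed environments standing in for three kinds of page load.
const plainHttp = { isSecureContext: false };
const oldBrowser = { isSecureContext: true, navigator: {} };
const modern = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { create() {}, get() {} } },
};

for (const env of [plainHttp, oldBrowser, modern]) console.log(webauthnPreflight(env));
console.log(explainWebAuthnError({ name: 'NotAllowedError' }));
```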
-
Okay guys, I have worked all day on this: https://github.com/adamxp12/ProcessWire-TfaWebAuthn

A total rewrite, essentially moving over to WebAuthn. I invite anyone to test this out. I will publish it to the modules site probably tomorrow as long as no one has any major bugs I have missed in my testing.

@Pete You can add a physical security key in addition to Windows Hello, but you can only set up one instance of Windows Hello/Apple Touch ID at a time because of that ProcessWire Tfa limitation. But NFC keys will work on iPhone now where they did not before, so a YubiKey with NFC will work virtually everywhere. I would assume if you enrolled your Android phone via USB it will work on-device too in the browser, but I do not have an Android device to test that.
-
@Pete WebAuthn is the W3C standard whereas U2F was a Google thing. When I made this module in 2019 WebAuthn was a fairly new thing.

The module does already support multiple keys. The issue is once you save the user's TFA settings they become locked, so you can't go in and remove a single key or add another; you have to deactivate it and re-add all the keys. There might be a way around this. It does make sense from the POV of the TFA class being for one time codes, as you would not edit it, you would just deactivate it. The U2F was a great challenge with that constraint.

With WebAuthn I might have to disable non cross platform methods like Windows Hello because it would be impossible to set up multiple devices once you hit save on the first device. But at least it will work as it did before once U2F is removed from Chrome. I could keep that enabled but it would mean only the first device you set up will have that on-device option. Any other device would have to use a physical security key.

Granted, I am far from a ProcessWire expert so maybe the solution is obvious?
-
@Pete That is the library I am looking at indeed. Bit of a head scratcher right now but I am making a bit of progress in getting it working. Currently got it prompting for the keys/Windows Hello but not figured out the verification/login form side of things.

I hope to have a new version of this module before they remove U2F in Chrome. U2F will still be in Chrome until June but will be disabled, so food for thought just in case I can't get this working by February.

Will be great once it's working, but it's a lot more involved than plain U2F was, and if you thought my U2F implementation was a huge stretch of the TFA class in ProcessWire, well, WebAuthn will push it to its limits.
-
Chrome. The world's worst browser as always. Making web developers' lives a pain lol.

Moving to WebAuthn is a possibility, but there are few PHP libraries for it and one of them claims to be "simple" and the example is over 350 lines of code. So I might not get it done by February. It's a big task and essentially makes this a full plugin rewrite.