Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Adam last won the day on August 29 2019

Adam had the most liked content!

About Adam

  • Birthday 08/21/1999

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location

Recent Profile Visitors

4,216 profile views

Adam's Achievements

Full Member

Full Member (4/6)



  1. @howdytom If you rename the WebAuthn modules folder it will disable it temporally and bypass the Tfa requirement. That is the simplest method and if you reinstall (simple as just clicking the refresh button under the modules menu) users that had WebAuthn enabled before will have it re-enabled (unless they change their profile settings) As for additional recovery options you can always buy a spare security key and keep it in a safe place if you loose you other keys. A superadmin can always disable it for users as well and also set it up for them via the users page so if your the developer of site and your client cant log in you can simply disable it for them etc. thats a core ProcessWire feature that works for any Tfa plugin The is no like OTP alternative as I think that should be a core feature of ProcessWire. Multiple TFA methods per user. As it stands you can only setup a single Tfa method Hope that helps
  2. @howdytom Glad it is working out well for you ? Webauthn is indeed faster than old U2F was as its more native to the browser/OS Not a problem I couldnt let one of the best forms of two-factor just die because of a change to how these security keys are done. Webauthn was only a year old when I made the first U2F module. It's far superior though as you can see so was worth it to redo it.
  3. Some of you might of used my previous U2F module for their two factor needs. Well I was recently informed that Chrome is dropping plain U2F support in favour of WebAuthn. So after a full day of debugging some cryptic errors I am proud to announce a WebAuthn module. This has some major improvements. For example you can now use on-device credentials like Windows Hello/Apple Touch ID. This means that even people without a Yubikey can benefit from modern two factor authentication. It also has much better cross platform support. For example NFC will now work on an iPhone. I do not recall the original U2F stuff working well on iPhones so yay? The is still the original issue that ProcessWire imposes with its Tfa class, That being it is a setup once and never edit again system so you can only add your on-device credentials for a single device because once saved you cant then edit your credentials on a second device. You also lack the options to revoke a single credential or add a new one. You have to wipe out the config and re-add your keys again. It sucks but realisticly if you need more than 3x credentials your almost defeating the point of Tfa I feel the need to also point out that this does not replace passwords. That is something WebAuthn can do a fully passwordless setup. But I think implementing that inside ProcessWire would be a huge challenge. It is frankly a form of magic that I was able to make WebAuthn work within the confides of ProcessWire's Tfa class. Github: https://github.com/adamxp12/TfaWebAuthn ProcessWire Modules: https://processwire.com/modules/tfa-web-authn/ I hope this module helps you guys out securing your ProcessWire websites If you have any issues just reply and I will do my best to help you out
  4. @Pete Yep you only have to a device once. Same thing applies to Yubikeys with NFC you can add them via NFC or USB and they will work either way as well. I dont have any bluetooth keys to test with but WebAuthn does support a bluetooth security key. I assume this would be like a phone/Smartwatch but seems like something google support well. Apple likely supports the Apple Watch/iPhone from a Mac?
  5. @Pete Glad it works for you. I must say in my testing I am loving the Windows Hello addition too. This is mostly a stopgap solution though as I think a proper native WebAuthn setup in the core that allows you to manage each credential after its setup would be better but for now this is a solid upgrade path for people who used my old U2F module and need it to work after Febuary and dont want to give up hardware keys
  6. @Pete Ah yes you need a HTTPS setup for it to work. so localhost/ will not work unless you have SSL setup too.
  7. @Pete Which browser are you using? That error implies your browser lacks WebAuthn support?? I will have to add a cleaner error message for that instead of relying on console Working in Chrome 97 and Firefox ESR 91
  8. Okay guys I have worked all day on this https://github.com/adamxp12/ProcessWire-TfaWebAuthn A total rewrite essentially moving over to WebAuthn. I Invite anyone to test this out I will publish it to the modules site probably tomorrow as long as no one has any major bugs I have missed in my testing. @Pete You can add a physical security key in addition to Windows Hello. but you can only setup one instance of Windows Hello/Apple Touch ID at a time because of that ProcessWire Tfa limitation but NFC keys will work on iPhone now where they did not before so a YubiKey with NFC will work virtually everywhere. I would assume if you enrolled your Android phone via USB it will work on-device too in the browser but I do not have an Android device to test that.
  9. @Pete WebAuthn is the W3C standard whereas U2F was a google thing. When I made this module in 2019 WebAuthn was a fairly new thing The module does already support multiple keys the issue is once you save the users TFA settings they become locked so cant go in and remove a single key or add another you have to deactivate it and re-add all the keys. The might be a way around this. It does make sense from the POV of the TFA class being for one time codes as you would not edit it you would just deactivate it. The U2F was a great challenge with that constraint. With WebAuthn I might have to disable non cross platform methods like WIndows Hello because it would be impossible to setup multiple devices once you hit save on the first device. But at least it will work as it did before once U2F is removed from Chrome. I could keep that enabled but it would mean only the first device you setup will have that on device option. any other device would have to use a a physical security key. Granted I am far from a ProcessWire expert so maybe the solution is obvious?
  10. @Pete That is the library I am looking at indeed. Bit of a head scratcher right now but I am making a bit of progress in getting it working. Currently got it prompting for the keys/windows hello but not figured out the verification/login form side of things. I hope to have a new version of this module before they remove U2F in chrome. U2F will still be in Chrome until June but will be disabled so food for thought just in case I cant get this working by February Will be great once its working but its a lot more involved than plain U2F was and if you thought my U2F implementation was a huge stretch of the TFA class in ProcessWire, Well WebAuthn will push it to its limits.
  11. Chrome. The worlds worst browser as always. Making web developers lifes a pain lol Moving to Webauthn is a possibility. but the is few PHP libraries for it and one of them claims to be "simple" and the example is over 350 lines of code. So I might not get it done by Febuary ? its a big task and essentially makes this a full plugin rewrite
  12. @howdytom You can not revoke a single key I am afraid. The reason is in ProcessWire (at least when I coded this, might of changed since then) TFA modules was a setup then your locked from configuration changes. So under the user settings once you enable the TFA it will only let you remove it instead of edit it. Thats out of my control but might of changed since I made this. Will look into it as I know its not great design how it is. As for gaining access if something goes wrong I am pretty sure the best way to regain access would be through the database. As even if you remove the module ProcessWire will still see the user as having TFA enabled. I have not tested this myself I did some googling and found nothing about regaining access after TFA goes wrong bit strange to have no way to recover yourself. When I get time I will look at adding some sort of confirmation messages that show more clearly that a new key has been added. As for a summary/description that should be doable but behind the scenes all the data for all the keys is being saved in one huge text field which is already imposing a limit of keys to about 10 if I recall correctly? (janky I know but at the time the was zero documentation on making custom TFA modules I was the first developer besides Ryan to make a TFA module)
  13. @netcarver Just published 1.0.3 it has a simple version check which should allow it to work on all versions 3.0.109 and up now ? Have not tested it on a version below 3.0.165 however nor have I tested on a version below 3.0.130 which is when some changes to the getVersion function was made (but should not effect it how I have implemented it) Let me know if that works for you now
  14. @netcarver Thanks for the heads up. will work on an update. need to find out which version of Processwire they redid the Tfa stuff so I can do such a check. Really annoying change for me to be honest. No idea why the devs behind Processwire changed something in the Tfa to give it an init(). I guess older versions lacked an init() function and so my module cant call the parent function if it does not exist ? Seemed to work fine without it but I am sure the was a very logical reason behind the changes
  15. @netcarver @androbey Just pushed out 1.0.2 on Github. was a very simple fix actually but took a while for me to figure it out doh might take a while to show the new version on the modules site but will try and update that now too
  • Create New...