Everything posted by Adam

  1. @howdytom OK, none of my iOS devices have 17.4 exactly, so that is probably why I could not replicate that. I had a quick go at updating the dependency but everything breaks when I do that. I have no idea what has changed in 2 years but it's enough to cause challenge issues adding new keys, and existing keys are no longer "familiar" on the login prompt. Simply put, I do not have enough knowledge or time to dedicate to this besides quick bug fixes. A quick glance at the GitHub changes between 1.1.3 and 2.0.0 really does not show why it falls apart after an update, as it's failing even the registration part, which is unrelated to the changes. I am surprised no one has made a better WebAuthn for ProcessWire. This was and still is a proof of concept. It works but very much could do with someone that is good at PHP. The initial login bug also is not happening for me with a fresh copy of PW and module in Chrome 125. Sounds strange though. I would be happy to look into that but it's hard to debug when the issue does not happen for me. Is this also on macOS? Do you get the system prompts as expected?
  2. Okay https://denniskniep.github.io/posts/02-fragile-passkey-ecosystem-for-enterprises/#security-key-can-not-be-selected---due-to-transport-selection Found that link. Suggests iOS 17.4 and whatever macOS is now is just stupid in like 500 ways, urgh. A temporary solution might be editing line 30~ of the module file to disable BLE security keys, that way we aren't offering all types... Why that is a problem for Apple I have no clue. I will be updating the library anyway but let me know if that works at all; if so I will make that a full-on change, as I doubt BLE keys are used much in 2024.
  3. I don't have a Mac for testing I am afraid, so this bug is limited for me. I imagine the issue will be in the JS file if there is a problem, and it might take a bit of unwrapping as it has been a while since I made this.
  4. Sorry for the late reply on this one. I assumed for the first reply it was the U2F module, which is no longer used. I have just set up a new PW install and was able to use my security key on my iPhone. I am using Firefox though. I want to suggest it's because of passkeys being a thing now but I have that option too? Can you confirm PW version, iOS version, browser on iOS? Have you tested on a blank install? Might need to disable and re-enable the WebAuthn for users?
  5. @howdytom If you rename the WebAuthn module's folder it will disable it temporarily and bypass the Tfa requirement. That is the simplest method, and if you reinstall (simple as just clicking the refresh button under the modules menu) users that had WebAuthn enabled before will have it re-enabled (unless they change their profile settings). As for additional recovery options, you can always buy a spare security key and keep it in a safe place in case you lose your other keys. A superadmin can always disable it for users as well, and also set it up for them via the users page, so if you're the developer of a site and your client can't log in you can simply disable it for them etc. That's a core ProcessWire feature that works for any Tfa plugin. There is no like OTP alternative, as I think that should be a core feature of ProcessWire: multiple TFA methods per user. As it stands you can only set up a single Tfa method. Hope that helps.
  6. @howdytom Glad it is working out well for you. WebAuthn is indeed faster than old U2F was, as it's more native to the browser/OS. Not a problem, I couldn't let one of the best forms of two-factor just die because of a change to how these security keys are done. WebAuthn was only a year old when I made the first U2F module. It's far superior though, as you can see, so it was worth it to redo it.
  7. Some of you might have used my previous U2F module for their two-factor needs. Well, I was recently informed that Chrome is dropping plain U2F support in favour of WebAuthn. So after a full day of debugging some cryptic errors I am proud to announce a WebAuthn module. This has some major improvements. For example, you can now use on-device credentials like Windows Hello/Apple Touch ID. This means that even people without a YubiKey can benefit from modern two-factor authentication. It also has much better cross-platform support. For example, NFC will now work on an iPhone. I do not recall the original U2F stuff working well on iPhones, so yay? There is still the original issue that ProcessWire imposes with its Tfa class, that being it is a set-up-once-and-never-edit-again system, so you can only add your on-device credentials for a single device, because once saved you can't then edit your credentials on a second device. You also lack the options to revoke a single credential or add a new one. You have to wipe out the config and re-add your keys again. It sucks, but realistically if you need more than 3x credentials you're almost defeating the point of Tfa. I feel the need to also point out that this does not replace passwords. That is something WebAuthn can do: a fully passwordless setup. But I think implementing that inside ProcessWire would be a huge challenge. It is frankly a form of magic that I was able to make WebAuthn work within the confines of ProcessWire's Tfa class. GitHub: https://github.com/adamxp12/TfaWebAuthn ProcessWire Modules: https://processwire.com/modules/tfa-web-authn/ I hope this module helps you guys out securing your ProcessWire websites. If you have any issues just reply and I will do my best to help you out.
  8. @Pete Yep, you only have to add a device once. Same thing applies to YubiKeys with NFC: you can add them via NFC or USB and they will work either way as well. I don't have any Bluetooth keys to test with but WebAuthn does support a Bluetooth security key. I assume this would be like a phone/smartwatch, but it seems like something Google supports well. Apple likely supports the Apple Watch/iPhone from a Mac?
  9. @Pete Glad it works for you. I must say in my testing I am loving the Windows Hello addition too. This is mostly a stopgap solution though, as I think a proper native WebAuthn setup in the core that allows you to manage each credential after it's set up would be better, but for now this is a solid upgrade path for people who used my old U2F module and need it to work after February and don't want to give up hardware keys.
  10. @Pete Ah yes, you need an HTTPS setup for it to work, so localhost/127.0.0.1 will not work unless you have SSL set up too.
  11. @Pete Which browser are you using? That error implies your browser lacks WebAuthn support? I will have to add a cleaner error message for that instead of relying on the console. Working in Chrome 97 and Firefox ESR 91.
  12. Okay guys, I have worked all day on this: https://github.com/adamxp12/ProcessWire-TfaWebAuthn A total rewrite, essentially moving over to WebAuthn. I invite anyone to test this out. I will publish it to the modules site probably tomorrow, as long as no one has any major bugs I have missed in my testing. @Pete You can add a physical security key in addition to Windows Hello, but you can only set up one instance of Windows Hello/Apple Touch ID at a time because of that ProcessWire Tfa limitation. But NFC keys will work on iPhone now where they did not before, so a YubiKey with NFC will work virtually everywhere. I would assume if you enrolled your Android phone via USB it will work on-device too in the browser, but I do not have an Android device to test that.
  13. @Pete WebAuthn is the W3C standard whereas U2F was a Google thing. When I made this module in 2019 WebAuthn was a fairly new thing. The module does already support multiple keys; the issue is once you save the user's TFA settings they become locked, so you can't go in and remove a single key or add another, you have to deactivate it and re-add all the keys. There might be a way around this. It does make sense from the POV of the TFA class being for one-time codes, as you would not edit it, you would just deactivate it. The U2F was a great challenge with that constraint. With WebAuthn I might have to disable non-cross-platform methods like Windows Hello because it would be impossible to set up multiple devices once you hit save on the first device. But at least it will work as it did before once U2F is removed from Chrome. I could keep that enabled but it would mean only the first device you set up will have that on-device option. Any other device would have to use a physical security key. Granted, I am far from a ProcessWire expert so maybe the solution is obvious?
  14. @Pete That is the library I am looking at indeed. Bit of a head scratcher right now but I am making a bit of progress in getting it working. Currently got it prompting for the keys/Windows Hello but not figured out the verification/login form side of things. I hope to have a new version of this module before they remove U2F in Chrome. U2F will still be in Chrome until June but will be disabled, so food for thought just in case I can't get this working by February. Will be great once it's working, but it's a lot more involved than plain U2F was, and if you thought my U2F implementation was a huge stretch of the TFA class in ProcessWire, well, WebAuthn will push it to its limits.
  15. Chrome. The world's worst browser as always. Making web developers' lives a pain lol. Moving to WebAuthn is a possibility, but there are few PHP libraries for it and one of them claims to be "simple" and the example is over 350 lines of code. So I might not get it done by February. It's a big task and essentially makes this a full plugin rewrite.
  16. @howdytom You cannot revoke a single key I am afraid. The reason is in ProcessWire (at least when I coded this, might have changed since then) TFA modules were a setup, then you're locked from configuration changes. So under the user settings once you enable the TFA it will only let you remove it instead of edit it. That's out of my control but might have changed since I made this. Will look into it as I know it's not great design how it is. As for gaining access if something goes wrong, I am pretty sure the best way to regain access would be through the database, as even if you remove the module ProcessWire will still see the user as having TFA enabled. I have not tested this myself. I did some googling and found nothing about regaining access after TFA goes wrong. Bit strange to have no way to recover yourself. When I get time I will look at adding some sort of confirmation messages that show more clearly that a new key has been added. As for a summary/description, that should be doable, but behind the scenes all the data for all the keys is being saved in one huge text field, which is already imposing a limit of keys to about 10 if I recall correctly? (Janky I know, but at the time there was zero documentation on making custom TFA modules. I was the first developer besides Ryan to make a TFA module.)
  17. @netcarver Just published 1.0.3. It has a simple version check which should allow it to work on all versions 3.0.109 and up now. Have not tested it on a version below 3.0.165 however, nor have I tested on a version below 3.0.130, which is when some changes to the getVersion function were made (but should not affect it how I have implemented it). Let me know if that works for you now.
  18. @netcarver Thanks for the heads up. Will work on an update. Need to find out in which version of ProcessWire they redid the Tfa stuff so I can do such a check. Really annoying change for me to be honest. No idea why the devs behind ProcessWire changed something in the Tfa to give it an init(). I guess older versions lacked an init() function and so my module can't call the parent function if it does not exist. Seemed to work fine without it but I am sure there was a very logical reason behind the changes.
  19. @netcarver @androbey Just pushed out 1.0.2 on GitHub. Was a very simple fix actually but took a while for me to figure it out, doh. Might take a while to show the new version on the modules site but will try and update that now too.
  20. @androbey Just tested it on a fresh install. It is indeed broken. I assume some update has changed how the admin stuff works? I will try and fix it over the weekend for you guys.
  21. @androbey I think @netcarver is right, you have to save then add your keys. This module could really do with an overhaul to be honest, but it's a proof of concept that works well enough. As for localhost, that will never work unless you have self-signed SSL set up. U2F/FIDO require SSL to work. If you are still having issues just shoot another reply and I will spin up a new ProcessWire instance and test it. Might have been broken with an update to ProcessWire.
  22. @bee8bit The TFA class is kinda a secret outside of that API page XD. I think I am the only 3rd party dev to use the TFA class also. Annoyingly there is a TFA category on the modules directory, but I can't add my module to said category. So there is a link somewhere in ProcessWire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. It's a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users.
  23. @bee8bit Surprised to see that the login function doesn't implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA, but it does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. It should deny the login when it can't do TFA.
  24. @bee8bit There are ways to call it from the API: https://processwire.com/api/ref/tfa/ I have no idea how your custom login form works but I assume you're going to need to do some modifications. It will need to check that TFA is active, build the form and process the TFA request. Or if it's something another user has created, maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already.
  25. @bee8bit Interesting. Any logs at all? If you're getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the user's profile? What version of ProcessWire are you using too?