Everything posted by Adam

  1. @howdytom If you rename the WebAuthn modules folder it will disable it temporarily and bypass the Tfa requirement. That is the simplest method, and if you reinstall (simple as just clicking the refresh button under the modules menu) users that had WebAuthn enabled before will have it re-enabled (unless they change their profile settings). As for additional recovery options, you can always buy a spare security key and keep it in a safe place if you lose your other keys. A superadmin can always disable it for users as well and also set it up for them via the users page, so if you're the developer of a site and your client can't log in you can simply disable it for them etc. That's a core ProcessWire feature that works for any Tfa plugin. There is no, like, OTP alternative, as I think that should be a core feature of ProcessWire: multiple TFA methods per user. As it stands you can only set up a single Tfa method. Hope that helps.
  2. @howdytom Glad it is working out well for you. WebAuthn is indeed faster than old U2F was, as it's more native to the browser/OS. Not a problem, I couldn't let one of the best forms of two-factor just die because of a change to how these security keys are done. WebAuthn was only a year old when I made the first U2F module. It's far superior though, as you can see, so it was worth it to redo it.
  3. Some of you might have used my previous U2F module for your two factor needs. Well, I was recently informed that Chrome is dropping plain U2F support in favour of WebAuthn. So after a full day of debugging some cryptic errors I am proud to announce a WebAuthn module. This has some major improvements. For example, you can now use on-device credentials like Windows Hello/Apple Touch ID. This means that even people without a Yubikey can benefit from modern two factor authentication. It also has much better cross platform support. For example, NFC will now work on an iPhone. I do not recall the original U2F stuff working well on iPhones, so yay? There is still the original issue that ProcessWire imposes with its Tfa class, that being it is a setup once and never edit again system, so you can only add your on-device credentials for a single device, because once saved you can't then edit your credentials on a second device. You also lack the options to revoke a single credential or add a new one. You have to wipe out the config and re-add your keys again. It sucks, but realistically if you need more than 3x credentials you're almost defeating the point of Tfa. I feel the need to also point out that this does not replace passwords. That is something WebAuthn can do: a fully passwordless setup. But I think implementing that inside ProcessWire would be a huge challenge. It is frankly a form of magic that I was able to make WebAuthn work within the confines of ProcessWire's Tfa class. Github: https://github.com/adamxp12/TfaWebAuthn ProcessWire Modules: https://processwire.com/modules/tfa-web-authn/ I hope this module helps you guys out securing your ProcessWire websites. If you have any issues just reply and I will do my best to help you out.
  4. @Pete Yep, you only have to add a device once. Same thing applies to Yubikeys with NFC: you can add them via NFC or USB and they will work either way as well. I don't have any Bluetooth keys to test with, but WebAuthn does support a Bluetooth security key. I assume this would be like a phone/smartwatch, but seems like something Google support well. Apple likely supports the Apple Watch/iPhone from a Mac?
  5. @Pete Glad it works for you. I must say in my testing I am loving the Windows Hello addition too. This is mostly a stopgap solution though, as I think a proper native WebAuthn setup in the core that allows you to manage each credential after it's set up would be better, but for now this is a solid upgrade path for people who used my old U2F module and need it to work after February and don't want to give up hardware keys.
  6. @Pete Ah yes, you need an HTTPS setup for it to work, so localhost/127.0.0.1 will not work unless you have SSL set up too.
  7. @Pete Which browser are you using? That error implies your browser lacks WebAuthn support?? I will have to add a cleaner error message for that instead of relying on console. Working in Chrome 97 and Firefox ESR 91.
  8. Okay guys, I have worked all day on this: https://github.com/adamxp12/ProcessWire-TfaWebAuthn A total rewrite, essentially moving over to WebAuthn. I invite anyone to test this out. I will publish it to the modules site probably tomorrow, as long as no one has any major bugs I have missed in my testing. @Pete You can add a physical security key in addition to Windows Hello, but you can only set up one instance of Windows Hello/Apple Touch ID at a time because of that ProcessWire Tfa limitation. But NFC keys will work on iPhone now where they did not before, so a YubiKey with NFC will work virtually everywhere. I would assume if you enrolled your Android phone via USB it will work on-device too in the browser, but I do not have an Android device to test that.
  9. @Pete WebAuthn is the W3C standard whereas U2F was a Google thing. When I made this module in 2019 WebAuthn was a fairly new thing. The module does already support multiple keys; the issue is once you save the user's TFA settings they become locked, so you can't go in and remove a single key or add another, you have to deactivate it and re-add all the keys. There might be a way around this. It does make sense from the POV of the TFA class being for one time codes, as you would not edit it, you would just deactivate it. The U2F was a great challenge with that constraint. With WebAuthn I might have to disable non cross platform methods like Windows Hello because it would be impossible to set up multiple devices once you hit save on the first device. But at least it will work as it did before once U2F is removed from Chrome. I could keep that enabled but it would mean only the first device you set up will have that on-device option. Any other device would have to use a physical security key. Granted, I am far from a ProcessWire expert so maybe the solution is obvious?
  10. @Pete That is the library I am looking at indeed. Bit of a head scratcher right now but I am making a bit of progress in getting it working. Currently got it prompting for the keys/Windows Hello but not figured out the verification/login form side of things. I hope to have a new version of this module before they remove U2F in Chrome. U2F will still be in Chrome until June but will be disabled, so food for thought just in case I can't get this working by February. Will be great once it's working, but it's a lot more involved than plain U2F was, and if you thought my U2F implementation was a huge stretch of the TFA class in ProcessWire, well, WebAuthn will push it to its limits.
  11. Chrome. The world's worst browser as always. Making web developers' lives a pain lol. Moving to WebAuthn is a possibility, but there are few PHP libraries for it and one of them claims to be "simple" and the example is over 350 lines of code. So I might not get it done by February. It's a big task and essentially makes this a full plugin rewrite.
  12. @howdytom You cannot revoke a single key, I am afraid. The reason is in ProcessWire (at least when I coded this, might have changed since then) TFA modules were a setup, then you're locked from configuration changes. So under the user settings once you enable the TFA it will only let you remove it instead of edit it. That's out of my control but might have changed since I made this. Will look into it as I know it's not great design how it is. As for gaining access if something goes wrong, I am pretty sure the best way to regain access would be through the database, as even if you remove the module ProcessWire will still see the user as having TFA enabled. I have not tested this myself. I did some googling and found nothing about regaining access after TFA goes wrong. Bit strange to have no way to recover yourself. When I get time I will look at adding some sort of confirmation messages that show more clearly that a new key has been added. As for a summary/description, that should be doable, but behind the scenes all the data for all the keys is being saved in one huge text field which is already imposing a limit of keys to about 10 if I recall correctly? (Janky I know, but at the time there was zero documentation on making custom TFA modules. I was the first developer besides Ryan to make a TFA module.)
  13. @netcarver Just published 1.0.3. It has a simple version check which should allow it to work on all versions 3.0.109 and up now. Have not tested it on a version below 3.0.165 however, nor have I tested on a version below 3.0.130, which is when some changes to the getVersion function were made (but should not affect it how I have implemented it). Let me know if that works for you now.
  14. @netcarver Thanks for the heads up. Will work on an update. Need to find out in which version of ProcessWire they redid the Tfa stuff so I can do such a check. Really annoying change for me to be honest. No idea why the devs behind ProcessWire changed something in the Tfa to give it an init(). I guess older versions lacked an init() function and so my module can't call the parent function if it does not exist. Seemed to work fine without it, but I am sure there was a very logical reason behind the changes.
  15. @netcarver @androbey Just pushed out 1.0.2 on Github. Was a very simple fix actually but took a while for me to figure it out, doh. Might take a while to show the new version on the modules site but will try and update that now too.
  16. @androbey Just tested it on a fresh install. It is indeed broken. I assume some update has changed how the admin stuff works? I will try and fix it over the weekend for you guys.
  17. @androbey I think @netcarver is right, you have to save then add your keys. This module could really do with an overhaul to be honest, but it's a proof of concept that works well enough. As for localhost, that will never work unless you have self signed SSL set up. U2F/FIDO require SSL to work. If you are still having issues just shoot another reply and I will spin up a new ProcessWire instance and test it. Might have been broken with an update to ProcessWire.
  18. @bee8bit The TFA class is kinda a secret outside of that API page XD. I think I am the only 3rd party dev to use the TFA class also. Annoyingly there is a TFA category on the modules directory, but I can't add my module to said category. So there is a link somewhere in ProcessWire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. It's a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users.
  19. @bee8bit Surprised to see that the login function doesn't implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA. But it does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. It should deny the login when it can't do TFA.
  20. @bee8bit There are ways to call it from the API: https://processwire.com/api/ref/tfa/ I have no idea how your custom login form works but I assume you're going to need to do some modifications. It will need to check that TFA is active, build the form and process the TFA request. Or if it's something another user has created, maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already.
  21. @bee8bit Interesting. Any logs at all? If you're getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the user's profile? What version of ProcessWire are you using too?
  22. @netcarver Day 2 of existence actually, was just a late night idea I decided to go with. There is actually a message that says it was successful and also counts when you do more than 1 key, but I should make it clearer. I will look into that. The managing/naming is not going to be possible though, as the settings actually vanish once you save the page. This is just how the Tfa class works as far as I can tell, but maybe I am wrong. There is not much documentation on the Tfa class besides the API and the 2x examples from Ryan. The buttons got added for the initial tests. The Use button does have a purpose. If for some reason it doesn't automatically prompt or you accidentally exit the prompt you can use that button to restart the security key process without logging back in again. The submit button is indeed useless though. Originally it was a click the use button then click the submit button, but now the JS behind it is more sophisticated and starts the auth process and submits the form on success, so I can remove the submit button. But I think the use button could be handy to keep.
  23. @netcarver Glad to hear it works for you. It is such a hacky module. I don't think the Tfa class was coded with security keys in mind, but so far so good. Let me know if you discover any bugs/issues using it. I know of at least one bug that you shouldn't come across too often (if you login to an account with Tfa but don't use the key and then try to login with a 2nd account it will fail as it will still have a different challenge set for the session. It self-fixes when you try a 2nd time. I can't think of an easy solution to this problem though, as it was done that way on purpose to get around the buildAuthForm function being called twice and resulting in a bad challenge on every attempt).
  24. Right! Multiple key support is now included. You can put about 19 in before you run out of space (20480 characters, each key uses about 1040). If someone has 19 keys I will be very surprised. I have bumped the version to 1.0.1 as a result. I ain't a big versioning guy but this is a minor change from the user's perspective. You can just click the add button more than once now. Just be sure to only click the save button once you have added all your keys. I have tried it with the 3x keys I have and it works fine. More than 3? Not sure, can't test that yet. If you click save before you add all your keys then you will only get the ones you added and have to disable/re-enable Tfa to add them all again. This is a limitation of the Tfa class sadly.
  25. @netcarver Edited my last reply. I figured it out. Was me being played by the strange design of forms on ProcessWire. It was being converted into a text field for the POST section and the default maxlength for a text field is 2048, doh. Now working on multiple key support. Fingers crossed with this.