FIDO/U2F Two Factor Authentication


Adam

@Adam For the last few months, using this module shows this warning in Chrome:

[image attachment: image.png]

Is it a big task to change the module to use that? It seems to suggest the module will simply not work after February?


Chrome. The world's worst browser as always. Making web developers' lives a pain lol

Moving to WebAuthn is a possibility, but there are few PHP libraries for it, and one of them claims to be "simple" and the example is over 350 lines of code.

So I might not get it done by February. It's a big task and essentially makes this a full plugin rewrite.


Ah nuts, well Chrome is here to stay and Edge is based on it too, so for business environments where this is more likely to be used it'll most likely be one of those two browsers.

It's not a big issue for me - I can switch to one of the other auth options for now so whenever you get time. Hopefully now this new standard is out it won't change again for a long time after that.


@Adam this looks like a good potential option - it's one I'd noticed a while back: https://github.com/lbuchs/WebAuthn?ref=https://githubhelp.com but it may also be the one you're referring to with the long example code?

There's a good demo - I was impressed. On my laptop it allowed facial recognition via Windows, PIN via Windows and I had my Google phone plugged in so that was a third option using the fingerprint scanner!

It says it supports the physical keys like Yubikeys too and is a PHP/JS library that's been updated reasonably recently. I may look into it myself at some point but like you I wouldn't be able to soon.


@Pete That is the library I am looking at indeed. Bit of a head scratcher right now but I am making a bit of progress in getting it working. Currently got it prompting for the keys/Windows Hello but not figured out the verification/login form side of things. I hope to have a new version of this module before they remove U2F in Chrome.

U2F will still be in Chrome until June but will be disabled, so food for thought just in case I can't get this working by February.

Will be great once it's working, but it's a lot more involved than plain U2F was, and if you thought my U2F implementation was a huge stretch of the TFA class in ProcessWire, well, WebAuthn will push it to its limits.


Thanks for looking at this Adam.

I just got a colleague who uses Apple for everything to test and it allowed tapping her Apple Watch to log in and Face ID. She's got another device to try later with fingerprint but it does sound like it does all devices which is nice, and gives plenty of options, so seems like where things are going in the future.

If there are changes required to the base TFA class to help in any way let me know and I can ask Ryan. Sometimes things won't be hookable that it would be helpful to be hookable etc. I think with WebAuthn it would be more useful if the base class allowed for more keys to be stored per module right, so then per-website I could set it to allow login via facial recognition and fingerprint on the same app - that sort of thing - rather than just allowing one key per module which I think is how it works now?

Also happy to help/test in any way I can on this one.

As I say for me it's not a huge thing the current module stopping working as I have alternatives, but WebAuthn has me a little excited as it seems like a more natural way to allow people to login.


@Pete

WebAuthn is the W3C standard whereas U2F was a Google thing. When I made this module in 2019 WebAuthn was a fairly new thing.

The module does already support multiple keys; the issue is once you save the user's TFA settings they become locked, so you can't go in and remove a single key or add another: you have to deactivate it and re-add all the keys. There might be a way around this. It does make sense from the POV of the TFA class being for one-time codes, as you would not edit it, you would just deactivate it. The U2F was a great challenge with that constraint.

With WebAuthn I might have to disable non cross-platform methods like Windows Hello because it would be impossible to set up multiple devices once you hit save on the first device. But at least it will work as it did before once U2F is removed from Chrome. I could keep that enabled but it would mean only the first device you set up will have that on-device option. Any other device would have to use a physical security key.

Granted I am far from a ProcessWire expert so maybe the solution is obvious?


I'll admit to not having looked at the PW auth modules in terms of code at all. I might ping Ryan and see what he thinks. Can't hurt to have more brains on the case and his is bigger than mine.

I think for all my logins, since I use a laptop, I would use Windows Hello... though actually then if I want to check something on my mobile without grabbing my laptop I can't, can I? I see the problem now. Perhaps multiple instances of the same module somehow and it lets you choose on the login page? Otherwise as you say it just uses the one you set it up with by default.


Okay guys I have worked all day on this

https://github.com/adamxp12/ProcessWire-TfaWebAuthn

A total rewrite essentially moving over to WebAuthn. I invite anyone to test this out. I will publish it to the modules site probably tomorrow as long as no one has any major bugs I have missed in my testing.

@Pete You can add a physical security key in addition to Windows Hello, but you can only set up one instance of Windows Hello/Apple Touch ID at a time because of that ProcessWire Tfa limitation. But NFC keys will work on iPhone now where they did not before, so a YubiKey with NFC will work virtually everywhere.

I would assume if you enrolled your Android phone via USB it will work on-device too in the browser but I do not have an Android device to test that.

[image attachment: 2022-01-21_20-31-15.jpg]


Perfect - works on live. This is so good.

I had my phone plugged into my computer, so added Windows Hello (face recognition/pin) then added my Pixel phone and I can login with my fingerprint on that and face on my laptop.

Absolutely awesome - love it!

I'll point it out to Ryan but so far it works great!


@Pete Glad it works for you. I must say in my testing I am loving the Windows Hello addition too.

This is mostly a stopgap solution though, as I think a proper native WebAuthn setup in the core that allows you to manage each credential after it's set up would be better, but for now this is a solid upgrade path for people who used my old U2F module and need it to work after February and don't want to give up hardware keys.


It's worth noting, on Windows where I have Windows Hello set up, it was set up with my face to log in, but also allows the other connected options such as my Windows PIN and hardware key though I've only had to set it up with my face - so any linked login methods under the same umbrella become available, which is great if I'm wearing a balaclava during the usual cold British weather.

[image attachment: image.png]


@Pete Yep, you only have to add a device once. Same thing applies to YubiKeys with NFC: you can add them via NFC or USB and they will work either way as well.

I don't have any Bluetooth keys to test with but WebAuthn does support a Bluetooth security key. I assume this would be like a phone/smartwatch but seems like something Google supports well. Apple likely supports the Apple Watch/iPhone from a Mac?


Yes, my colleague tested the demo site and Apple Watch worked, as did iPhone.

I may get rid of my Yubikey in future as fingerprint auth on phone is as good in my opinion, and I'll have my phone closer than my keys usually. My face is also usually nearby when I'm on my laptop.


On 1/21/2022 at 9:33 PM, Adam said:

Okay guys I have worked all day on this

https://github.com/adamxp12/ProcessWire-TfaWebAuthn

A total rewrite essentially moving over to WebAuthn. I invite anyone to test this out. I will publish it to the modules site probably tomorrow as long as no one has any major bugs I have missed in my testing.

@Adam, That is fantastic! I gave TfaWebAuthn 1.0.0 a try. I am using your module on 3 ProcessWire sites. This was such an easy and seamless transition! I have successfully added two Yubikeys. It took less than 1 minute to set up. What I noticed is that the authentication process is much faster using Yubikey.

Excellent piece of work! Thank you so much for providing a solution before February.


@howdytom Glad it is working out well for you. WebAuthn is indeed faster than old U2F was, as it's more native to the browser/OS.

Not a problem, I couldn't let one of the best forms of two-factor just die because of a change to how these security keys are done. WebAuthn was only a year old when I made the first U2F module. It's far superior though, as you can see, so it was worth it to redo it.


@Adam WebAuthn is way more responsive. I like the native browser support!

There is one feature request I have asked before. How do I disable TfaWebAuthn through the database? How can I gain access in case something goes wrong, e.g. PHP incompatibility or PW version issues? A quick tutorial would be useful. Does WebAuthn provide additional recovery options?


@howdytom If you rename the WebAuthn module's folder it will disable it temporarily and bypass the Tfa requirement. That is the simplest method, and if you reinstall (as simple as just clicking the refresh button under the modules menu) users that had WebAuthn enabled before will have it re-enabled (unless they change their profile settings).

As for additional recovery options, you can always buy a spare security key and keep it in a safe place if you lose your other keys. A superadmin can always disable it for users as well, and also set it up for them via the users page, so if you're the developer of a site and your client can't log in you can simply disable it for them etc. That's a core ProcessWire feature that works for any Tfa plugin.

There is no OTP-like alternative, as I think that should be a core feature of ProcessWire: multiple TFA methods per user. As it stands you can only set up a single Tfa method.

Hope that helps
