FIDO/U2F Two Factor Authentication

[howdytom]

Does anyone use a Yubikey with Safari or NFC on iOS?

Something must have been changed with the latest Safari 17.4 or iOS Update. When I try to log-in using macOS Safari or NFC on iOS Safari/iOS Chrome, there is no longer an option to select Security keys. Whereas the Security key option still shows up on Google Sign or GitHub.

Security key shows up on GitHub:

Security key option is missing on a PW site using the WebAuthn two-factor authentication module.

[howdytom]

Anyone?

I am no longer able to login via iOS using a Yubikey.

[Adam]

On 5/19/2024 at 4:29 PM, howdytom said:

Anyone?

I am no longer able to login via iOS using a Yubikey.

Sorry fr the late reply on this one. I assumed for the first reply it was the U2F module which is no longer used.

I have just setup a new PW install and was able to use my security key on my iPhone.  I am using firefox though. I want to suggest its because of passkeys being a thing now but I have that option too?

Can you confirm PW version, IOS version, Browser on IOS
Have you tested on a blank install? Might need to disable and reenable the webauthn for users?

[Adam]

I dont have a Mac for testing I am afraid so this bug is limited for me. I imagine the issue will be in the JS file if there is a problem. and might take a bit of unwrapping as been a while since I made this.

[Adam]

Okay https://denniskniep.github.io/posts/02-fragile-passkey-ecosystem-for-enterprises/#security-key-can-not-be-selected---due-to-transport-selection

Found that link. suggests iOS 17.4 and whatever MacOS is now is just stupid in like 500 ways urgh.

A temporary solution might be editing line 30~ of the module file to disable BLE security keys. that way we arent offering all types... Why that is a problem for apple I have no clue.

I will be updating the library anyway but let me know if that works at all if so I will make that a full on change as I doubt BLE keys are used much in 2024

[howdytom]

@Adam Thanks for getting back. This issue seems to be related to iOS 17.4 and macOS Safari 17.4.1. The issue occurred with iOS Safari, iOS Chrome, iOS Firefox running iOS 17.4 and with macOS Safari 17.4.1

Solution: 
In the meantime I have updated to iOS 17.5, which resolves the login issue and the Security key option is visible again. I did not disable or reenable the Webauthn. I have tested it with 5 ProcessWire 3.0.229 sites. I am glad it is working again. This has been a serious bug.

Thanks for keeping the module alive.

[Adam]

@howdytom Ok I none of my IOS devices have 17.4 exactly so that is probably why I could not replicate that.

I had a quick go at updating the dependency but everything breaks when I do that. I have no idea what has changed in 2 years but its enough to cause challenge issues adding new keys and existing keys are no longer "familiar" on the login prompt. Simply put I do not have enough knowledge or time to dedicate to this besides quick bug fixes.

A quick glance at the github changes between 1.1.3 and 2.0.0 really does not show why it falls apart after an update. As its failing even the registration part which is unrelated to the changes

I am surprised no one has made a better webauthn for processwire. This was and still is a proof of concept. It works but very much could do with someone that is good at PHP

The initial login bug also is not happening for me with a fresh copy of PW and module in Chrome 125. Sounds strange though. I would be happy to look into that but its hard to debug when the issue does not happen for me. Is this also on MacOS? do you get the system prompts as expected??

[howdytom]

@AdamYeah, it explains why Webauthn and Yubikeys remain a niche product. It is a pity. I really appreciate taking the time for checking. My second question regarding initial login bug can be ignored. It is a minor browser specific bug.