Deprecation of U2F API in Chrome / Enable web auth in CAS
Open, Needs Triage, Public

Description

Latest Chrome/Chromium releases (and most likely current browsers built upon Blink) display a deprecation warning when accessing a U2F hardware key:

This site won't be able to use the U2F API after February 2022. If you own this site, you should change it to use the Web Authentication API.

Announcement by Google on this: https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A?pli=1

Current CAS releases already support the web auth API, but we need to test and deploy it.

Event Timeline

FYI: I'm no longer able to log in to idp.wikimedia.org via Chrome. Are there any mitigation plans?

> FYI: I'm no longer able to log in to idp.wikimedia.org via Chrome. Are there any mitigation plans?

Initial work has started to add support for webauthn, but we currently need our staging environment for an ongoing project over the next two weeks, so until support for webauthn is available, we'll need to remove you from the 2FA enablement group (just ping me on IRC) or alternatively you can use Firefox, which continues to support the U2F API.

Mentioned in SAL (#wikimedia-operations) [2022-02-07T09:21:46Z] <godog> temp-disable mfa for 'filippo' - T296629

Change 803875 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:apereo_cas: Disable u2f by default

https://gerrit.wikimedia.org/r/803875

Change 803875 merged by Jbond:

[operations/puppet@production] C:apereo_cas: Disable u2f by default

https://gerrit.wikimedia.org/r/803875