Skip to content

Disable U2F Interface unless already configured.#571

Closed
dd32 wants to merge 6 commits into
WordPress:masterfrom
dd32:disable/fido-u2f-unless-configured
Closed

Disable U2F Interface unless already configured.#571
dd32 wants to merge 6 commits into
WordPress:masterfrom
dd32:disable/fido-u2f-unless-configured

Conversation

@dd32

@dd32 dd32 commented May 25, 2023

Copy link
Copy Markdown
Member

What?

This PR disables the U2F / Fido interface, unless keys are already configured for the user.

Fixes #511

Why?

U2F / FIDO no longer works in modern browsers, until #423 is resolved having this provider enabled only causes confusion to end users (See #511)

Ideally, we wouldn't need to do this, as we've been assuming that #423 would be resolved, but 6+ months later it's no closer to being merged. I'd like to merge this into a 0.8.2.

Alternatives

Alternatively, the Javascript could be updated to detect FIDO/U2F not being viable, and displaying an error message about the browser not supporting it too..

How?

This simply disables the UI by:

  • Removing it from the Providers array when disabling the table, if the provider says it's not available.
  • Returning early when displaying the Security keys table, if the provider says it's not available.
  • Returning early when enqueuing assets when no keys are registered.

If for some reason, it needs to be re-enabled a filter is included:

add_filter( 'two_factor_u2f_disabled', '__return_false' );

Testing Instructions

Screenshots or screencast

Before After
Screenshot 2023-05-25 at 6 12 46 pm Screenshot 2023-05-25 at 6 13 04 pm

Changelog Entry

Deprecated: The FIDO/U2F integration has been hidden unless already configured. This is because modern browsers no longer support the standard, and we've not yet finalised our WebAuthn implementation.

@dd32 dd32 requested a review from jeffpaul May 25, 2023 08:17
@dd32 dd32 added the FIDO U2F label May 25, 2023

@ravinderk ravinderk left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dd32 This pull request is working fine. I left a minor request.

Comment thread class-two-factor-core.php Outdated
@jeffpaul

jeffpaul commented Jun 9, 2023

Copy link
Copy Markdown
Member

@dd32 do you want to pull this into 0.8.2 or leave for 0.9.0?

@jeffpaul jeffpaul added this to the 0.10.0 milestone May 8, 2024
@jeffpaul

Copy link
Copy Markdown
Member

Besides the merge conflicts @georgestephanis @TimothyBJacobs does this look good to you?

@TimothyBJacobs

Copy link
Copy Markdown
Member

Yeah I think this makes sense to me.

@TimothyBJacobs TimothyBJacobs mentioned this pull request Sep 17, 2024
@kasparsd

kasparsd commented Dec 2, 2024

Copy link
Copy Markdown
Collaborator

This is pretty much a requirement to start removing U2F from the codebase.

@jeffpaul

jeffpaul commented Dec 3, 2024

Copy link
Copy Markdown
Member

@kasparsd seems like resolving merge commits and then this should be good to merge?

@kasparsd kasparsd left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I sometimes forget to click on "submit review" after adding the inline comments. Did these earlier in the morning today.

if (
! $security_keys &&
/** This filter is documented in class-two-factor-core.php */
apply_filters( 'two_factor_u2f_disabled', true )

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we pass the user object to the filter to match the original?

if (
! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) &&
/** This filter is documented in class-two-factor-core.php */
apply_filters( 'two_factor_u2f_disabled', true )

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here -- should we pass the $user as the second argument to the filter?

@jeffpaul jeffpaul modified the milestones: 0.14.0, 0.15.0 Jul 3, 2025
@jeffpaul jeffpaul modified the milestones: 0.14.2, 0.15.0 Dec 11, 2025
@jeffpaul jeffpaul linked an issue Feb 2, 2026 that may be closed by this pull request
@masteradhoc masteradhoc modified the milestones: 0.15.0, 0.16.0 Feb 18, 2026
@georgestephanis

Copy link
Copy Markdown
Collaborator

Closing as per #439

@jeffpaul jeffpaul removed this from the 0.16.0 milestone Mar 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

FIDO U2F Security Keys not being enabled U2F support in the future versions of Chrome

7 participants